Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

• Salesloft was breached when OAuth tokens from SalesDrift were stolen
• Google tracked the threat actors as UNC6395
• ShinyHunters claimed responsibility for the attack

Revenue workflow platform Salesloft suffered a cyberattack which saw threat actors break in through a third-party and steal sensitive information.

The company is using Drift, a conversational marketing and sales platform that uses live chat, chatbots, and AI, to engage visitors in real time, alongside its own SalesDrift, a third-party platform which links Drift’s AI chat functionality to Salesforce, syncing conversations, leads, and cases, into the CRM via the Salesloft ecosystem.

Starting around August 8, and lasting for about ten days, adversaries managed to steal OAuth and refresh tokens from SalesDrift, pivoting to customer environments, and successfully exfiltrating sensitive data.