Red Hot Cyber


From AI chatbots to global data theft: The Drift flaw rocks Google Workspace.

Redazione RHC : 2 September 2025 07:56

Last week, it emerged that criminal hackers had compromised the sales automation platform Salesloft and stolen the OAuth and refresh tokens that its Drift AI chatbot uses to integrate with customers' Salesforce instances. As Google has now warned, the attack was far broader than that and also affected Google Workspace data.

Salesloft Drift is a third-party platform that connects the Drift AI chatbot to a Salesforce instance, letting organizations sync conversations, leads, and support tickets with their CRM. Drift also offers integrations with a variety of other services to streamline that process, including Salesforce (a separate company from Salesloft), Slack, Google Workspace, and others.

According to Salesloft, the attack took place between August 8 and 18, 2025. During it, the attackers obtained the OAuth and refresh tokens that Drift used for its Salesforce integration, and then used those tokens to pull data out of customers' Salesforce instances. "Initial investigations revealed that the attacker's primary goal was credential theft, specifically targeting sensitive information such as AWS access keys, passwords, and access tokens associated with Snowflake," Salesloft's initial statement read. "We have determined that this incident did not impact customers who are not using our Drift-Salesforce integration. Based on our ongoing investigation, there is no evidence of ongoing malicious activity related to this incident."

Together with Salesforce, Salesloft has revoked all active access and refresh tokens for Drift. Salesforce has additionally removed the Drift app from the AppExchange pending an investigation and assurances from Salesloft about the platform's security.

Google Threat Intelligence Group (Mandiant) attributed the attack last week to a group it tracks as UNC6395. According to the researchers, after gaining access to a Salesforce instance with a stolen token, the attackers ran SOQL queries to export data, including support case records, and then searched that data for authentication tokens, passwords, and secrets that would let them pivot into other platforms.

"GTIG discovered that UNC6395 targets sensitive credentials, including Amazon Web Services (AWS) access keys (AKIA), passwords, and access tokens associated with Snowflake," Google wrote. "UNC6395 demonstrated operational security awareness by deleting query jobs, but logs were not affected, and organizations should review the relevant logs for indicators of a data breach."
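The defensive counterpart to what UNC6395 did is to run the same hunt over your own support data before an attacker does. The Python below is an added example written for this article, not code from Salesloft, Salesforce or GTIG: it takes records in the shape a SOQL query such as SELECT Id, Subject, Description FROM Case returns and flags the credential types named in the GTIG quote. The AKIA pattern follows the public AWS access key ID format; the password and Snowflake patterns are heuristics chosen for the example, and all sample records are constructed (the AKIA value is the AWS documentation placeholder, not a live key).

```python
import re
from typing import Dict, Iterable, List

# Detection patterns for the credential types GTIG said UNC6395 was hunting.
# The AKIA prefix followed by 16 uppercase alphanumerics is the well-known format
# of AWS long-term access key IDs; the password and Snowflake patterns are
# heuristics chosen for this example (assumptions), not vendor specifications.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_account_url": re.compile(r"(?i)\b[a-z0-9_.-]+\.snowflakecomputing\.com\b"),
}

# Constructed sample records in the shape that a SOQL query such as
#   SELECT Id, Subject, Description FROM Case
# returns through the REST API. Id, Subject and Description are real Case
# fields; every value below is made up, and the AKIA key is the AWS
# documentation placeholder, not a live credential.
SAMPLE_CASES: List[Dict[str, str]] = [
    {"Id": "500000000000001AAA", "Subject": "S3 sync failing",
     "Description": "Tried with AKIAIOSFODNN7EXAMPLE and still get 403."},
    {"Id": "500000000000002AAA", "Subject": "Cannot log in to warehouse",
     "Description": "Account acme-prod.snowflakecomputing.com, password: Winter2025! (reset please)"},
    {"Id": "500000000000003AAA", "Subject": "Billing question",
     "Description": "How do I download last month's invoice?"},
]


def redact(value: str) -> str:
    """Keep just enough of a matched secret to triage it; never log the whole thing."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_record(record: Dict[str, str],
                fields: Iterable[str] = ("Subject", "Description")) -> List[dict]:
    """Return one finding per secret-like match in the given text fields of a record."""
    findings = []
    for field in fields:
        text = record.get(field) or ""
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                # For the password pattern report the value, not the 'password:' label.
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({"Id": record["Id"], "field": field,
                                 "type": kind, "match": redact(secret)})
    return findings


def scan_cases(records: Iterable[Dict[str, str]]) -> List[dict]:
    """Scan every record and return the combined findings in record order."""
    findings = []
    for record in records:
        findings.extend(scan_record(record))
    return findings


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

Every hit is a credential that should be rotated regardless of whether this particular attacker reached it: once a secret has been pasted into a support case it has already left the system it was issued for.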

The researchers attached indicators of compromise to their report and noted that the attackers used Tor and hosting providers such as AWS and DigitalOcean to hide their infrastructure. User-Agent strings associated with the data theft included python-requests/2.32.4, Python/3.11 aiohttp/3.12.15, and, for custom tooling, Salesforce-Multi-Org-Fetcher/1.0 and Salesforce-CLI/1.0.
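Because the attackers deleted their query jobs but not the logs, the User-Agent indicators above are most useful when run over Salesforce API event logs. The Python below is an added example for this article, not tooling from GTIG or Salesforce: it parses a CSV export, flags rows whose User-Agent exactly matches the published indicators, and adds two lower-confidence heuristics (a generic scripted-client prefix and a bulk row count). The log lines, the column names and the 10,000-row threshold are all constructed for the example; a real Salesforce event log file has many more columns.

```python
import csv
import io
from typing import Dict, List

# User-Agent strings GTIG listed as associated with the UNC6395 data theft.
SUSPICIOUS_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Rows returned by a single API call above this are treated as bulk export
# behaviour. The threshold is an assumption for the example, not a vendor figure.
BULK_ROW_THRESHOLD = 10_000

# Constructed, simplified log export. Real Salesforce event log files carry many
# more columns; the column names and every value here are made up for the example.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,USER_AGENT,ROWS_RETURNED
API,2025-08-12T02:14:09Z,drift-integration@example.com,python-requests/2.32.4,50000
API,2025-08-12T02:15:41Z,drift-integration@example.com,Salesforce-Multi-Org-Fetcher/1.0,120000
API,2025-08-12T09:00:00Z,drift-integration@example.com,Drift/1.0,40
API,2025-08-13T11:30:00Z,reporting@example.com,python-requests/2.31.0,25000
Login,2025-08-12T09:01:00Z,alice@example.com,Mozilla/5.0 (Windows NT 10.0),0
"""


def classify_row(row: Dict[str, str]) -> List[str]:
    """Return the reasons a log row is worth a look (an empty list means clean)."""
    reasons = []
    user_agent = row.get("USER_AGENT", "")
    if user_agent in SUSPICIOUS_USER_AGENTS:
        reasons.append("ioc-user-agent")      # exact indicator from the GTIG report
    elif user_agent.startswith(("python-requests/", "Python/")):
        reasons.append("scripted-client")     # generic tooling, lower confidence
    try:
        rows_returned = int(row.get("ROWS_RETURNED") or 0)
    except ValueError:
        rows_returned = 0
    if rows_returned >= BULK_ROW_THRESHOLD:
        reasons.append("bulk-export")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Parse a CSV export and return the rows flagged by classify_row, with reasons."""
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify_row(row)
        if reasons:
            flagged.append({"timestamp": row["TIMESTAMP"], "user": row["USER_NAME"],
                            "user_agent": row["USER_AGENT"], "reasons": reasons})
    # Exact indicator hits sort first so responders see them before the heuristics.
    flagged.sort(key=lambda r: ("ioc-user-agent" not in r["reasons"], r["timestamp"]))
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Exact User-Agent matching is brittle, since the string is attacker-controlled, which is why the heuristics are kept alongside it: a legitimate integration user suddenly pulling six-figure row counts through a scripted client is the behaviour to alert on even after the attacker changes their tooling.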

Google advised companies that use Drift with Salesforce to treat their Salesforce data as potentially compromised, and urged affected organizations to act immediately to contain the incident. Worse, a few days later it turned out that the breach was much larger than initially thought: Google's experts raised the alarm that the attackers had used stolen OAuth tokens to access Google Workspace email accounts in addition to stealing data from Salesforce instances.

The problem is that OAuth tokens for the Drift Email integration were also compromised and were used by the attacker on August 9 to access the email of a "limited number" of Google Workspace accounts that had been integrated directly with Drift. "Based on new information, this issue was not limited to the Salesloft Drift integration with Salesforce, but also impacted other integrations," the researchers explained. "We now advise all Salesloft Drift customers to consider all authentication tokens stored in or connected to the Drift platform as potentially compromised."

Salesloft also updated its security bulletin, stating that the Drift integrations with Salesforce, Slack, and Pardot have been disabled pending the investigation. While Google attributes the attacks to the group it tracks as UNC6395, ShinyHunters told Bleeping Computer that they were behind the attack. The group later claimed, however, that the incident Google described was unrelated to them, since they had not extracted data from support cases.

In recent months, similar data breaches involving Salesforce and ShinyHunters have affected Adidas, the airline Qantas, the insurance company Allianz Life, several LVMH brands (Louis Vuitton, Dior, and Tiffany & Co), the website Cisco.com, as well as the fashion house Chanel and the Danish jewelry company Pandora.

ShinyHunters also claims to be collaborating with the Scattered Spider group, which it says was responsible for initial access to the targeted systems. The attackers now call themselves Sp1d3rHunters, a combination of both groups' names.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
