A new wave of cyberattacks has emerged, targeting not the core infrastructure of major platforms, but the third-party applications deeply embedded in their ecosystems. In early August 2025, it became public that attackers exploited Drift, a conversational marketing platform owned by Salesloft, and leveraged its integration with Salesforce to gain unauthorized access to customer data. This incident is a textbook example of a supply chain attack, showing how adversaries can infiltrate even well-protected environments by exploiting weaker links in the SaaS ecosystem.

What Happened
According to Google Cloud’s Threat Intelligence Group (GTIG), a threat actor tracked as UNC6395 exploited compromised OAuth tokens from Salesloft Drift to access Salesforce customer instances between August 8 and August 18, 2025. Using these tokens, the actor systematically exfiltrated large volumes of data and searched for sensitive credentials such as AWS access keys, passwords, and Snowflake-related tokens. While Salesforce’s core platform was not breached, the attack exploited trust in its third-party ecosystem.
Salesloft confirmed the breach via its trust portal, noting that only customers integrating Salesforce with Drift were affected.
In August, attackers used stolen Salesloft Drift OAuth tokens to access Salesforce customer data; the ransomware group Scattered Lapsus$ Hunters later leaked records. On October 2, Salesforce confirmed that its own systems remained secure, refused the ransom demand, and revoked the affected tokens while investigating with partners including Mandiant.

Image: Salesforce Refuses Ransom Demand After Drift Data Breach (Source: Bloomberg, October 8, 2025)
Who Is Behind It
The attack involves two main actors: UNC6395, responsible for stealing OAuth tokens from Salesloft Drift and exfiltrating Salesforce customer data, and the ransom/data-leak group ShinyHunters / Scattered Lapsus$ Hunters, which later published some of the stolen records and demanded cryptocurrency. Public reporting remains tentative, but initial indicators show this was financially motivated.
- Not a platform break-in: As far as public reporting shows, attackers did not exploit a vulnerability in Salesforce itself.
- Credential & token abuse: The primary vector was theft and reuse of OAuth/refresh tokens or API keys. Such tokens can allow programmatic access to APIs without needing user passwords.
- Lateral abuse via trusted connectors: By moving through trusted integrations (Drift → Salesloft → Salesforce), attackers achieved broad reach across many customer environments.
This pattern is consistent with previous supply chain incidents (e.g., SolarWinds, MOVEit) where adversaries weaponized trust relationships rather than attempting direct, noisy attacks on hardened platforms.

Image: Salesforce data leak and ransom site (Source: BleepingComputer, October 7, 2025)
Who Was Targeted
The attack primarily affected organizations that had enabled the Drift–Salesloft integration with their Salesforce instances. Reports indicate that over 700 organizations were impacted, spanning various industries such as:
- Cybersecurity & Cloud Infrastructure
- Enterprise SaaS & Technology
- Retail & Consumer Goods
- Aviation & Finance
The attackers appear financially motivated, focusing on stealing credentials, harvesting OAuth tokens, and exfiltrating customer data through opportunistic attacks. By exploiting trusted third-party integrations rather than the core Salesforce platform, they were able to reach hundreds of organizations across multiple industries, demonstrating how attackers can weaponize supply chain relationships to access sensitive data.
Technical Attack Chain
- Secrets exposed: Access tokens or API keys were available in code, development tools, or obtained via credential theft.
- Token theft: Attackers collected these tokens and checked that they were valid.
- Unauthorized access: Attackers used the stolen tokens to access Salesforce data.
- Data exfiltration: Customer records such as contacts, leads, and support notes were copied.
- Looking for more secrets: Attackers searched the exported data for additional credentials.
- Using stolen data: Contact lists and internal notes were used for phishing or further attacks.
Impact & Consequences
Immediate technical impacts
- Data Theft: Unauthorized export of CRM data, including leads, contacts, support case notes, and other business records.
- Credential Exposure: Sensitive information in free-text fields (API keys, diagnostic credentials, internal links) can be exploited.
- Persistence Risk: Stolen long-lived refresh tokens may allow repeated access until revoked.
Business & operational consequences
- Phishing and social engineering: Stolen contact lists enable targeted spear-phishing and business-email-compromise (BEC) attacks against customers, partners, and employees.
- Service Disruption: Disabling integrations or rotating tokens may interrupt sales workflows and support automation.
- Reputational Damage: Both integrator platforms and affected customers risk loss of trust.
- Regulatory & Financial Exposure: Exposed personal or regulated data may lead to investigations, remediation costs, and fines (e.g., GDPR, CCPA).
- Secondary Breaches: Harvested secrets can enable further compromise of cloud accounts, CI/CD systems, or other data repositories.
Lessons Learned
Immediate steps (first 24–72 hours)
- Revoke/rotate all suspected Drift–Salesloft OAuth tokens and API keys.
- Review Salesforce audit logs for unusual API activity and mass exports during the suspected window, and preserve the logs for forensic analysis.
- Notify stakeholders (internal teams, affected customers, and regulators where required).
- Engage external IR experts if internal capability is limited.
Short to medium term
- Enforce least privilege on integration scopes — avoid granting full read/write where read-only suffices.
- Shorten token lifetimes and enable automated rotation.
- Implement centralized secrets management (vaults) and scanning to prevent secrets in code/CI.
- Add anomaly detection for OAuth usage patterns across SaaS integrations.
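The log review and OAuth anomaly detection recommended above, as an added example that is not code from the article, Salesforce or Salesloft: it profiles an integration's API usage over a baseline period, then flags activity in a suspect window that uses a new source IP, touches objects the integration never needed, or pulls far more rows per day than the baseline peak. The record layout and all log entries are constructed and do not follow Salesforce's Event Monitoring schema.

```python
# Added example, not code from the article or from Salesforce/Salesloft: compare an
# integration's API usage in a suspect window against its earlier baseline. The
# record layout is constructed and does not follow Salesforce's Event Monitoring schema.
from collections import defaultdict

# Constructed records: (day, connected_app, user, client_ip, object_queried, rows)
BASELINE = [
    ("2025-07-28", "Drift", "drift.integration", "203.0.113.10", "Lead", 120),
    ("2025-07-29", "Drift", "drift.integration", "203.0.113.10", "Contact", 95),
    ("2025-07-30", "Drift", "drift.integration", "203.0.113.11", "Lead", 140),
    ("2025-07-31", "Drift", "drift.integration", "203.0.113.10", "Contact", 110),
]
WINDOW = [  # suspect window, with a bulk pull of Case and Account from a new IP
    ("2025-08-09", "Drift", "drift.integration", "203.0.113.10", "Lead", 130),
    ("2025-08-10", "Drift", "drift.integration", "198.51.100.7", "Case", 48000),
    ("2025-08-10", "Drift", "drift.integration", "198.51.100.7", "Account", 52000),
]

def profile(records):
    """Per connected app: source IPs seen, objects touched, peak rows per day."""
    prof = defaultdict(lambda: {"ips": set(), "objects": set(), "max_rows": 0})
    daily = defaultdict(int)
    for day, app, _user, ip, obj, rows in records:
        prof[app]["ips"].add(ip)
        prof[app]["objects"].add(obj)
        daily[(app, day)] += rows
    for (app, _day), total in daily.items():
        prof[app]["max_rows"] = max(prof[app]["max_rows"], total)
    return prof

def find_anomalies(baseline, window, volume_factor=10):
    """Flag window activity that departs from the app's baseline profile."""
    base = profile(baseline)
    daily = defaultdict(int)
    findings = set()
    for day, app, _user, ip, obj, rows in window:
        p = base.get(app)
        if p is None:                       # app never seen before the window
            findings.add((day, app, "new_connected_app"))
            continue
        if ip not in p["ips"]:              # token used from a new network
            findings.add((day, app, f"new_source_ip:{ip}"))
        if obj not in p["objects"]:         # object the integration never needed
            findings.add((day, app, f"new_object:{obj}"))
        daily[(app, day)] += rows
    for (app, day), total in daily.items():
        if total > volume_factor * base[app]["max_rows"]:   # mass export
            findings.add((day, app, f"volume_spike:{total}"))
    return sorted(findings)
```

In a real deployment the baseline would be built from the integration's own historical export and the findings routed to the team that owns the connected app, so that a token can be revoked while the window is still open.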
Long term / strategic
- Treat SaaS integrations as part of your attack surface — include them in threat models, vendor risk assessments, and penetration tests.
- Adopt Zero Trust principles for API and integration access, including context-aware checks and device/user posture.
- Formalize third-party SLAs for logging, incident response, and transparency in security incidents.
Conclusion
The Drift–Salesloft–Salesforce incident shows that in SaaS ecosystems, integrations are often the weakest link. Attackers can exploit connectors, tokens, and trust relationships without breaching core platforms. Organizations should prioritize integration security, enforce strict token controls, and monitor third-party access to prevent future supply chain attacks. By treating integrations as first-class attack surfaces, companies can better protect customer data and strengthen overall cybersecurity resilience.
Frequently Asked Questions
Attackers compromised Drift, a marketing platform owned by Salesloft, and stole OAuth/refresh tokens. They used these to access Salesforce customer data without breaching Salesforce’s core systems.
Organizations using the Drift–Salesloft integration with Salesforce.
It was a supply chain / integration-abuse attack, leveraging trusted third-party applications to move laterally into Salesforce environments.
Stolen data included CRM records such as leads, contacts, and support case notes. Risks include phishing, BEC attacks, service disruptions, reputational damage, and potential secondary breaches from exposed credentials.