
Google warns of large-scale data theft linked to Salesloft’s AI agent

Last week it emerged that hackers had compromised the Salesloft sales automation platform and stolen customers’ OAuth and refresh tokens from its Drift AI agent, which is designed to integrate with Salesforce. As Google has now warned, the attack was large-scale and also affected Google Workspace data.

SalesDrift is a third-party platform for integrating the Drift AI chatbot with a Salesforce instance, allowing organizations to synchronize conversations, leads, and support tickets with their CRM. To streamline the process, Drift can also integrate with various services, including Salesforce (unrelated to Salesloft) and other platforms (Slack, Google Workspace, and others).

As reported by Salesloft representatives, the attack took place from August 8 to 18, 2025. As a result of the breach, the attackers obtained customers’ Drift OAuth and refresh tokens used for integration with Salesforce, and then used them to steal data from Salesforce.

“The initial investigation showed that the attacker’s primary goal was credential theft; specifically, they focused on sensitive information such as AWS access keys, passwords, and access tokens associated with Snowflake,” the original official Salesloft statement read. “We have determined that this incident did not affect customers who do not use our Drift-Salesforce integration. Based on the results of our ongoing investigation, we have found no evidence of ongoing malicious activity related to this incident.”

Together with colleagues from Salesforce, Salesloft developers revoked all active access and refresh tokens for Drift. In addition, Salesforce removed the Drift app from AppExchange until the investigation is completed and it receives assurances from Salesloft that the platform is secure.

As specialists from Google Threat Intelligence (Mandiant) reported last week, the attack was carried out by the hacking group UNC6395. According to the researchers, after gaining access to a Salesforce instance, the hackers executed SOQL queries to extract authentication tokens, passwords, and secrets from support tickets, which ultimately allowed the attackers to continue the intrusion and compromise other platforms.

“GTIG found that UNC6395 targets sensitive credentials, including access keys (AKIA) for Amazon Web Services (AWS), passwords, and Snowflake-related access tokens,” Google wrote. “UNC6395 demonstrates good operational security by deleting query jobs; however, the logs remained intact, and organizations should review the relevant logs for indicators of data exfiltration.”

Along with their report, the experts provided indicators of compromise and noted that, to conceal their infrastructure, the attackers used Tor as well as hosting providers such as AWS and DigitalOcean. User-Agent strings associated with the data theft included python-requests/2.32.4 and Python/3.11 aiohttp/3.12.15, as well as two custom tools, Salesforce-Multi-Org-Fetcher/1.0 and Salesforce-CLI/1.0.
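Google's note that the deleted query jobs still left log entries behind is the practical hook for defenders: the User-Agent strings above can be matched against Salesforce API event logs. The script below is an added example written for this article, not code from Google, Salesloft or Salesforce. It parses a CSV export with EventLogFile-style column names (an assumption about layout), flags rows whose User-Agent equals one of the reported strings, and additionally flags any Python-based client reading ticket or e-mail objects, since the reported tooling was Python-based. The sample rows are constructed for illustration.

```python
"""Scan Salesforce-style API event log rows for the User-Agent indicators
Google associated with the Salesloft Drift data theft.

Added example for this article; not vendor code. Column names mirror the
EventLogFile CSV layout as an assumption, and the sample rows are constructed.
"""
import csv
import io

# User-Agent strings quoted in Google's report (taken from the article).
IOC_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Objects that commonly carry pasted secrets in support tickets (assumption,
# chosen to reflect the report's note about secrets found in tickets).
SENSITIVE_OBJECTS = ("Case", "EmailMessage", "Attachment")

# Constructed sample export: one benign browser row, three rows matching the
# reported indicators, and one mobile-SDK row that should not be flagged.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,USER_AGENT,QUERY
ApiEvent,20250810T010203Z,005A,Mozilla/5.0 (Windows NT 10.0) Chrome/128,"SELECT Id FROM Account LIMIT 10"
BulkApi2,20250810T010530Z,005B,Salesforce-Multi-Org-Fetcher/1.0,"SELECT Id, Subject, Description FROM Case"
ApiEvent,20250810T010601Z,005B,python-requests/2.32.4,"SELECT Id, TextBody FROM EmailMessage"
ApiEvent,20250811T120000Z,005C,Salesforce-CLI/1.0,"SELECT Id FROM Contact"
ApiEvent,20250811T120100Z,005D,SalesforceMobileSDK/11.0,"SELECT Id FROM Lead"
"""


def parse_log(text):
    """Parse a CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def touches_sensitive(query):
    """True if the SOQL query reads one of the ticket-bearing objects."""
    q = query.upper()
    return any(f" FROM {obj.upper()}" in q for obj in SENSITIVE_OBJECTS)


def scan_events(rows):
    """Return one finding per suspicious row, with the reasons it was flagged.

    A row is suspicious if its User-Agent is an exact match for a reported
    indicator, or if a Python client (any version) queries ticket objects.
    """
    findings = []
    for row in rows:
        ua = row.get("USER_AGENT", "")
        query = row.get("QUERY", "")
        reasons = []
        if ua in IOC_USER_AGENTS:
            reasons.append("user-agent matches reported IoC")
        if ua.lower().startswith("python") and touches_sensitive(query):
            reasons.append("python client querying ticket/email objects")
        if reasons:
            findings.append({
                "timestamp": row.get("TIMESTAMP", ""),
                "user": row.get("USER_ID", ""),
                "ua": ua,
                "reasons": reasons,
            })
    return findings


def users_to_review(findings):
    """Collapse findings to the set of user IDs whose tokens should be revoked
    and whose activity deserves a closer look."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    found = scan_events(parse_log(SAMPLE_LOG))
    for f in found:
        print(f["timestamp"], f["user"], f["ua"], "; ".join(f["reasons"]))
    print("users to review:", users_to_review(found))
```

The exact-match set is deliberately narrow so that it can be dropped into an existing log pipeline without false positives; the Python heuristic is the looser catch for re-versioned tooling, and will also surface legitimate internal scripts, which is why the output groups results per user rather than raising one alert per row.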

Google recommended that companies using Drift integrated with Salesforce consider their Salesforce data compromised. Affected organizations were strongly urged to immediately take steps to remediate the incident’s impact.

Worse yet, a few days later it emerged that the data breach was far more extensive than initially assumed.

Google experts warned that attackers used stolen OAuth tokens to access Google Workspace email accounts and also exfiltrated data from Salesforce instances.

The issue was that OAuth tokens for the Drift Email integration had been compromised, and on August 9 attackers used them to access the email of “a small number” of Google Workspace accounts directly integrated with Drift.

“According to new information, this issue was not limited to the Salesforce integration with Salesloft Drift and affected other integrations,” the researchers explained. “We now recommend that all Salesloft Drift customers consider any authentication tokens stored on the Drift platform or connected to it as potentially compromised.”

Salesloft representatives also updated their security bulletin and stated that Salesforce has disabled the Drift integration with Salesforce, Slack, and Pardot until the investigation is complete.

Although Google’s specialists attribute these attacks to a hacking group tracked as UNC6395, ShinyHunters representatives told Bleeping Computer that they were behind the attack. However, the hackers later said that the incident described by Google was not linked to them, as they did not exfiltrate data from support tickets.

In recent months, virtually identical data leaks linked to Salesforce and ShinyHunters activity have affected: Adidas, the airline Qantas, the insurance company Allianz Life, a number of LVMH brands (Louis Vuitton, Dior and Tiffany & Co), the Cisco.com website, as well as the fashion house Chanel and the Danish jewelry company Pandora.

ShinyHunters also say they are working together with the Scattered Spider group, which is responsible for obtaining initial access to target systems. The attackers now call themselves Sp1d3rHunters, combining the names of both groups.
