Google warns of large-scale data theft linked to Salesloft’s AI agent

📟 News

Date: 03/09/2025

Last week it emerged that hackers had compromised the Salesloft sales automation platform and stolen customers' OAuth and refresh tokens from its Drift AI agent, which is designed to integrate with Salesforce. Google has now warned that the attack was large-scale and also reached Google Workspace data.

Salesloft Drift is a third-party platform for integrating the Drift AI chatbot with a Salesforce instance, allowing organizations to synchronize conversations, leads, and support tickets with their CRM. Drift also integrates with other services, including Slack and Google Workspace. (Salesforce itself is a separate company and is not affiliated with Salesloft.)

As reported by Salesloft representatives, the attack took place from August 8 to 18, 2025. As a result of the breach, the attackers obtained customers’ Drift OAuth and refresh tokens used for integration with Salesforce, and then used them to steal data from Salesforce.

“The initial investigation showed that the attacker’s primary goal was credential theft; specifically, they focused on sensitive information such as AWS access keys, passwords, and access tokens associated with Snowflake,” the original official Salesloft statement read. “We have determined that this incident did not affect customers who do not use our Drift-Salesforce integration. Based on the results of our ongoing investigation, we have found no evidence of ongoing malicious activity related to this incident.”

Together with colleagues from Salesforce, Salesloft developers revoked all active access and refresh tokens for Drift. In addition, Salesforce removed the Drift app from AppExchange until the investigation is completed and it receives assurances from Salesloft that the platform is secure.

As specialists from Google Threat Intelligence (Mandiant) reported last week, the attack was carried out by a group tracked as UNC6395. According to the researchers, after gaining access to a Salesforce instance with a stolen token, the attackers ran SOQL (Salesforce Object Query Language) queries to pull authentication tokens, passwords, and other secrets out of support tickets (Case records), which allowed them to extend the intrusion to other platforms.

“GTIG found that UNC6395 targets sensitive credentials, including access keys (AKIA) for Amazon Web Services (AWS), passwords, and Snowflake-related access tokens,” Google wrote. “UNC6395 demonstrates good operational security by deleting query jobs; however, the logs remained intact, and organizations should review the relevant logs for indicators of data exfiltration.”

Along with their report, the experts provided indicators of compromise and noted that, to conceal their infrastructure, the attackers used Tor as well as hosting providers such as AWS and DigitalOcean. User-Agent strings associated with the data theft included python-requests/2.32.4 and Python/3.11 aiohttp/3.12.15, plus two custom tools, Salesforce-Multi-Org-Fetcher/1.0 and Salesforce-CLI/1.0.
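The two checks the Mandiant guidance above implies are matching the published User-Agent indicators against API log rows and finding out what credentials were sitting in support tickets for the attackers to take. The Python script below does both. It is an added example, not code from Salesloft, Salesforce, Google or Mandiant. The CSV log and the ticket texts are constructed for illustration, and the column names are an assumption rather than the exact schema of a Salesforce EventLogFile export, so map them to your own export before use.

```python
"""Hunt for UNC6395-style activity in Salesforce API logs and for credentials
left in support tickets.  Added example; the log layout is an assumption."""
import csv
import io
import re
from collections import Counter

# User-Agent indicators named in the GTIG report (verbatim from the article).
IOC_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Credential patterns of the kind the attackers harvested.  The AWS access
# key ID format (AKIA + 16 upper-case alphanumerics) is documented by AWS;
# the password and bearer-token patterns are deliberately loose.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")
BEARER_RE = re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}")

# Constructed sample log (NOT real telemetry).  Column names are assumed;
# a real EventLogFile export has per-event-type columns.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,EVENT_TYPE,USER_AGENT,SOURCE_IP,QUERY
20250810T031200.000Z,005XX000001AAAA,BulkApi2,Salesforce-Multi-Org-Fetcher/1.0,198.51.100.7,SELECT Id FROM Case
20250810T031215.000Z,005XX000001AAAA,BulkApi2,python-requests/2.32.4,198.51.100.7,SELECT Id FROM Account
20250810T090000.000Z,005XX000001BBBB,RestApi,Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36,203.0.113.9,SELECT Name FROM Contact
20250811T120000.000Z,005XX000001CCCC,RestApi,Python/3.11 aiohttp/3.12.15,192.0.2.44,SELECT Id FROM Case
"""

# Constructed sample tickets.  AKIAIOSFODNN7EXAMPLE is AWS's documented
# placeholder key, not a live credential.
SAMPLE_CASES = [
    ("500XX000000001", "Customer pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE see attachment"),
    ("500XX000000002", "Portal login fails. password=Winter2025! please check our account"),
    ("500XX000000003", "Resolved, works now. Thanks!"),
]


def find_ioc_hits(log_text):
    """Return log rows whose User-Agent exactly matches a published indicator.
    Deleting Bulk API jobs does not purge these records, which is why the
    report says the logs remained intact."""
    return [row for row in csv.DictReader(io.StringIO(log_text))
            if row.get("USER_AGENT", "") in IOC_USER_AGENTS]


def summarize_hits(hits):
    """Per-user hit counts plus the set of objects pulled (from the FROM clause),
    so you can tell whether Case (support tickets) was among the targets."""
    by_user = Counter(row["USER_ID"] for row in hits)
    objects = set()
    for row in hits:
        m = re.search(r"\bFROM\s+(\w+)", row.get("QUERY", ""), re.IGNORECASE)
        if m:
            objects.add(m.group(1))
    return by_user, objects


def redact(secret):
    """Keep just enough of a match to locate it without re-exposing it."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_case_text(cases):
    """cases: iterable of (case_id, text).  Returns (case_id, kind, redacted)
    for every credential-looking string, i.e. what an attacker with read
    access to Case could have taken and what must now be rotated."""
    findings = []
    for case_id, text in cases:
        for m in AWS_ACCESS_KEY_RE.finditer(text):
            findings.append((case_id, "aws_access_key_id", redact(m.group(0))))
        for m in PASSWORD_RE.finditer(text):
            findings.append((case_id, "password", redact(m.group(1))))
        for m in BEARER_RE.finditer(text):
            findings.append((case_id, "bearer_token", redact(m.group(0))))
    return findings


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    by_user, objects = summarize_hits(hits)
    print(f"{len(hits)} IOC hits; by user: {dict(by_user)}; objects: {sorted(objects)}")
    for case_id, kind, value in scan_case_text(SAMPLE_CASES):
        print(f"rotate: {kind} in Case {case_id} ({value})")
```

An exact match on the User-Agent is deliberate: the strings are indicators, and a substring match on python-requests would flood the result with legitimate integrations. Treat every finding from the ticket scan as a credential to rotate, not just to note, since the article's point is that the tickets were read.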

Google recommended that companies using Drift integrated with Salesforce consider their Salesforce data compromised. Affected organizations were strongly urged to immediately take steps to remediate the incident’s impact.

Worse yet, a few days later it emerged that the data breach was far more extensive than initially assumed.

Google experts warned that attackers used stolen OAuth tokens to access Google Workspace email accounts and also exfiltrated data from Salesforce instances.

The issue was that OAuth tokens for the Drift Email integration had been compromised, and on August 9 attackers used them to access the email of “a small number” of Google Workspace accounts directly integrated with Drift.

“According to new information, this issue was not limited to the Salesforce integration with Salesloft Drift and affected other integrations,” the researchers explained. “We now recommend that all Salesloft Drift customers consider any authentication tokens stored on the Drift platform or connected to it as potentially compromised.”
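For a Workspace administrator, the practical follow-up to the advice above is to list which users have authorized Drift, and with which scopes, so the grants can be revoked and mailbox exposure assessed. The Python below does that over a token-activity export. It is an added example, not Google's or Salesloft's code. The JSON layout is an assumption: it follows the Admin SDK Reports API "token" activity shape as recalled here, and the sample data and client IDs are constructed, so verify the field names against a real export before relying on it.

```python
"""Review Google Workspace OAuth grants to a third-party app (here Drift) and
flag those whose scopes reach mailbox data.  Added example; JSON layout assumed."""
import json

# Scopes that let a connected app read (or fully control) Gmail.  Mailbox
# access through a stolen token is exactly what the article reports.
MAIL_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://mail.google.com/",
}

# Constructed sample (NOT a real export).  client_id values are placeholders.
SAMPLE_TOKEN_ACTIVITY = json.dumps({
    "kind": "admin#reports#activities",
    "items": [
        {
            "id": {"time": "2025-06-02T14:03:11.000Z", "applicationName": "token"},
            "actor": {"email": "alice@example.com"},
            "events": [{"type": "auth", "name": "authorize", "parameters": [
                {"name": "client_id", "value": "1111-drift.apps.googleusercontent.com"},
                {"name": "app_name", "value": "Drift"},
                {"name": "scope", "multiValue": [
                    "https://www.googleapis.com/auth/gmail.readonly",
                    "https://www.googleapis.com/auth/calendar"]},
            ]}],
        },
        {
            "id": {"time": "2025-07-15T09:20:00.000Z", "applicationName": "token"},
            "actor": {"email": "bob@example.com"},
            "events": [{"type": "auth", "name": "authorize", "parameters": [
                {"name": "client_id", "value": "2222-drift.apps.googleusercontent.com"},
                {"name": "app_name", "value": "Drift"},
                {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar"]},
            ]}],
        },
        {
            "id": {"time": "2025-07-20T11:00:00.000Z", "applicationName": "token"},
            "actor": {"email": "carol@example.com"},
            "events": [{"type": "auth", "name": "authorize", "parameters": [
                {"name": "client_id", "value": "3333-other.apps.googleusercontent.com"},
                {"name": "app_name", "value": "Some Other App"},
                {"name": "scope", "multiValue": ["https://mail.google.com/"]},
            ]}],
        },
    ],
})


def parse_grants(activity_json):
    """Flatten 'authorize' events into dicts of user, app_name, client_id, scopes.
    Parameters arrive as a list of {name, value|multiValue}; fold them into a map."""
    grants = []
    for item in json.loads(activity_json).get("items", []):
        user = item.get("actor", {}).get("email", "")
        for ev in item.get("events", []):
            if ev.get("name") != "authorize":
                continue
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in ev.get("parameters", [])}
            scopes = params.get("scope") or []
            if isinstance(scopes, str):      # single-valued scope field
                scopes = [scopes]
            grants.append({"user": user,
                           "app_name": params.get("app_name", ""),
                           "client_id": params.get("client_id", ""),
                           "scopes": set(scopes)})
    return grants


def flag_grants(grants, app_substring="drift", mail_scopes=MAIL_SCOPES):
    """Return the grants for the named app with a mail_access flag derived from
    the scopes.  Per the advice above every grant to the app is revoked; the
    mail_access ones additionally mean mailbox contents may have been read."""
    flagged = []
    for g in grants:
        if app_substring.lower() in g["app_name"].lower():
            flagged.append({**g, "mail_access": bool(g["scopes"] & mail_scopes)})
    return flagged


if __name__ == "__main__":
    for g in flag_grants(parse_grants(SAMPLE_TOKEN_ACTIVITY)):
        print(f"{g['user']}: revoke client_id {g['client_id']}"
              + (" (mailbox reachable)" if g["mail_access"] else ""))
```

The revocation itself is a separate, authenticated step (the Admin console's third-party app access page, or the Admin SDK Directory API `tokens.delete` call per user and client ID) and is not shown here. Matching on the app name is a convenience; once you know Drift's real client IDs from your export, match on those instead, since an app name is attacker-controllable at registration time.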

Salesloft representatives also updated their security bulletin and stated that Salesforce has disabled the Drift integration with Salesforce, Slack, and Pardot until the investigation is complete.

Although Google's specialists attribute these attacks to a hacking group tracked as UNC6395, ShinyHunters representatives told BleepingComputer that they were behind the attack. However, the hackers later said that the incident described by Google was not linked to them, as they did not exfiltrate data from support tickets.

In recent months, virtually identical data leaks linked to Salesforce and ShinyHunters activity have affected: Adidas, the airline Qantas, the insurance company Allianz Life, a number of LVMH brands (Louis Vuitton, Dior and Tiffany & Co), the Cisco.com website, as well as the fashion house Chanel and the Danish jewelry company Pandora.

ShinyHunters also say they are working together with the Scattered Spider group, which is responsible for obtaining initial access to target systems. The attackers now call themselves Sp1d3rHunters, combining the names of both groups.
