Quick Takeaways
- Data Breach: Hackers, identified as UNC6395, exploited compromised OAuth tokens from Salesloft’s Drift AI, affecting over 700 organizations and allowing data extraction from Salesforce instances.
- Operational Discipline: The attackers showcased advanced tactics by methodically querying for sensitive data, such as AWS keys and passwords, while covering their tracks by deleting query jobs.
- Broader Attack Strategy: Targeting security and technology firms suggests a potential supply chain attack, enabling them to pivot to downstream customers and exploit trust relationships.
- Response Measures: Salesloft revoked problematic OAuth connections and worked with Mandiant for incident investigation, urging affected Drift customers to update API keys for enhanced security.
Data Breach Unveiled
A recent cybersecurity breach has exposed vulnerabilities within Salesloft, a popular sales automation platform. Hackers targeted the application through the Drift AI chat agent, stealing OAuth and refresh tokens. This breach, attributed to a threat group known as UNC6395, affected over 700 organizations, raising alarm bells across the tech industry. The attackers exploited these tokens between August 8 and August 18, 2025, accessing Salesforce customer data linked to the compromised application.
During the attacks, the intruders exported substantial volumes of sensitive information from numerous Salesforce instances. They sought to harvest data such as Amazon Web Services (AWS) access keys, passwords, and Snowflake-related tokens. Salesloft confirmed it is investigating and revoked the connections between Drift and Salesforce; customers who do not integrate Drift with Salesforce face minimal risk. The exact scope of the breach remains unclear, but the company has alerted all affected users, emphasizing the need for administrators to re-establish secure connections.
Implications and Responses
Industry experts highlight the significance of UNC6395’s methods. The attackers executed structured queries to gather credentials, showing a notable level of operational discipline. The campaign might point to a broader strategy targeting the technology supply chain. By infiltrating vendors and service providers first, these attackers could potentially compromise downstream customers.
In response to the incident, Salesloft engaged cybersecurity firms Mandiant and Coalition for further investigation and mitigation. They advise all customers using API keys to revoke and update their keys, closely monitoring any suspicious activity. This incident serves as a reminder of the evolving threat landscape, urging organizations to bolster their security protocols and remain vigilant against such sophisticated attacks.
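The credential types named above (AWS access keys, passwords, Snowflake-related tokens) were valuable to the attackers precisely because they had been pasted into CRM records that an OAuth-connected integration could read and export. A defender's first step after revoking and rotating API keys is to find out which such secrets are sitting in their own Salesforce data, so that those too can be rotated and the records cleaned. The following is an added example, not code from Salesloft, Salesforce, Mandiant or the incident reporting: a small offline scanner that runs heuristic secret patterns over exported record text and returns redacted findings for triage. The sample records, the field names and the pattern set are this example's own constructed assumptions; the AWS key values are the documented AWS placeholder examples.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records standing in for exported Salesforce free-text
# fields (case comments, notes). All values are fake placeholders.
SAMPLE_RECORDS = [
    {"Id": "500-CASE-0001", "Body": "Customer asked about renewal pricing; no action needed."},
    {"Id": "500-CASE-0002", "Body": "Temp creds for their S3 bucket: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500-CASE-0003", "Body": "password=Summer2025! for the staging portal until Friday"},
    {"Id": "500-CASE-0004", "Body": "Shared their snowflake token: sf_tok_CONSTRUCTEDEXAMPLE1234 in chat"},
]

# Which record fields to scan (assumed names; adjust to the objects exported).
TEXT_FIELDS = ("Body", "Description")

# Heuristic patterns for credential material that should never live in CRM
# text. Names and thresholds are this example's own choices.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    "token_assignment": re.compile(r"(?i)\b(?:token|api[_-]?key)\s*[:=]\s*(\S{16,})"),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # never the full secret; enough to locate and rotate it


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be triaged without re-exposing the secret."""
    return f"{value[:4]}…({len(value)} chars)"


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_value) pairs for every pattern hit in one text field."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # Patterns with a capture group report the captured value, others the whole match.
            hits.append((kind, m.group(m.lastindex or 0)))
    # A bare 40-character run is only reported as an AWS secret when an access key
    # ID sits in the same text; on its own it is too noisy (hashes, base64 blobs).
    if not any(kind == "aws_access_key_id" for kind, _ in hits):
        hits = [h for h in hits if h[0] != "aws_secret_access_key"]
    return hits


def scan_records(records, fields=TEXT_FIELDS) -> list[Finding]:
    """Scan the configured text fields of each record and collect redacted findings."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field)
            if not text:
                continue
            for kind, value in scan_text(text):
                findings.append(Finding(rec["Id"], field, kind, redact(value)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential kind, e.g. to size the rotation effort."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Findings are deliberately redacted so the triage list itself does not become another copy of the secrets; the record Id and field are enough to open the record, rotate the credential at its issuer and remove the text. Against a real export, feed the function the records from whichever objects the compromised integration could read, and treat every hit as already exposed.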