A new and alarming wave of cyberattacks is reshaping the digital landscape, targeting not the core systems of major tech platforms but the third-party tools that power their ecosystems. In August 2025, reports revealed that cybercriminals abused compromised OAuth tokens belonging to Drift, a conversational marketing platform owned by Salesloft, using its integration with Salesforce to gain unauthorized access to sensitive customer data.
This breach highlights a critical weakness in modern SaaS supply chains, where interconnected applications can become gateways for sophisticated attacks. The incident serves as a stark reminder that even the most secure environments are only as strong as their weakest link — and that cybersecurity must extend beyond primary systems to every connected service.
What Happened
According to Google Cloud’s Threat Intelligence Group (GTIG), a sophisticated threat actor identified as UNC6395 exploited compromised OAuth tokens from Salesloft Drift to infiltrate Salesforce customer environments between August 8 and August 18, 2025. With these stolen tokens, the attackers systematically exfiltrated large volumes of data and searched for sensitive credentials, including AWS access keys, passwords, and Snowflake-related tokens.
While Salesforce’s core infrastructure remained uncompromised, the attackers leveraged trusted third-party integrations within its ecosystem to gain access — a hallmark of modern supply chain attacks.
Salesloft confirmed the breach through its Trust Portal, clarifying that only customers integrating Salesforce with Drift were impacted.
By late August, the ransomware group Scattered Lapsus$ Hunters had begun leaking stolen records. On October 2, 2025, Salesforce publicly confirmed its systems were secure, rejected ransom demands, and revoked affected tokens while partnering with Mandiant and others to assist in the ongoing investigation.
Who Is Behind It
Investigations have identified two primary threat actors behind the Salesforce ecosystem breach. The first, UNC6395, is believed to have stolen OAuth tokens from Salesloft Drift and used them to access and exfiltrate Salesforce customer data. The second, the ransom and data-leak group ShinyHunters / Scattered Lapsus$ Hunters, later published portions of the stolen records and issued cryptocurrency ransom demands.
While attribution remains tentative, early indicators suggest the attack was financially motivated, not an espionage operation.
- Not a platform break-in: Attackers did not exploit any known vulnerabilities in Salesforce’s core systems.
- Credential & token abuse: The primary attack vector involved theft and reuse of OAuth or API tokens, enabling access without user passwords.
- Lateral movement via trusted connectors: By leveraging trusted integrations between Drift → Salesloft → Salesforce, attackers gained broad reach across customer environments.
This incident mirrors previous supply chain attacks such as SolarWinds and MOVEit, where adversaries exploited trusted relationships rather than directly targeting hardened infrastructure.
Who Was Targeted
The breach primarily impacted organizations that had enabled the Drift–Salesloft integration within their Salesforce instances. According to preliminary estimates, over 700 organizations across multiple sectors were affected, including:
- Cybersecurity & Cloud Infrastructure
- Enterprise SaaS & Technology
- Retail & Consumer Goods
- Aviation & Finance
The attackers were financially motivated, aiming to steal credentials, harvest OAuth tokens, and exfiltrate customer data through opportunistic supply chain exploitation. By abusing trusted third-party integrations rather than attacking Salesforce directly, they successfully penetrated hundreds of environments — showcasing how supply chain relationships can be weaponized to gain access to sensitive business information.
Technical Attack Chain
The incident followed a multi-stage attack chain, leveraging token theft and privilege escalation through trusted APIs:
- Secrets Exposed: Access tokens or API keys were leaked through development tools, code repositories, or prior credential theft.
- Token Theft: Threat actors collected and validated these tokens.
- Unauthorized Access: Using the compromised tokens, attackers accessed Salesforce-connected systems.
- Data Exfiltration: Sensitive records — including contacts, leads, and support notes — were exported.
- Credential Harvesting: Attackers scanned the stolen data for additional secrets or credentials.
- Secondary Exploitation: Exfiltrated data was reused for phishing campaigns, BEC attempts, and further network intrusions.
Impact & Consequences
Immediate Technical Impacts
- Persistence Risk: Long-lived OAuth refresh tokens may allow continued unauthorized access until revoked.
- Data Theft: Unauthorized export of CRM data, including leads, contacts, and support case notes.
- Credential Exposure: API keys and internal credentials stored in text fields were potentially compromised.
Business & Operational Consequences
- Secondary Breaches: Harvested credentials could be reused to infiltrate cloud accounts, CI/CD systems, or other corporate repositories.
- Phishing & BEC Attacks: Stolen contact lists enable highly targeted spear-phishing and business email compromise attempts.
- Service Disruption: Revoking tokens or disabling integrations can disrupt sales workflows and automation pipelines.
- Reputational Damage: Both platform providers and customers may face loss of trust and negative publicity.
- Regulatory & Financial Exposure: Exposed personal or regulated data could trigger GDPR, CCPA, or other compliance investigations, leading to fines and remediation costs.
Lessons Learned
The Salesforce–Drift supply chain attack offers critical insights for organizations relying on third-party integrations. The lessons span immediate actions, short-to-medium-term measures, and long-term strategic improvements.
Immediate Steps (First 24–72 Hours)
- Revoke and rotate compromised tokens: Immediately revoke all suspected Drift–Salesloft OAuth tokens and API keys.
- Audit activity: Review Salesforce audit logs for unusual API activity, mass exports, or suspicious access during the attack window. Preserve logs for forensic investigations.
- Notify stakeholders: Inform internal teams, affected customers, and regulators as required.
- Engage experts: Involve external incident response (IR) teams if internal capabilities are limited.
Short to Medium-Term Measures
- Enforce least privilege: Limit integration scopes — grant read-only access wherever possible instead of full read/write.
- Token management: Shorten token lifetimes and enable automated rotation.
- Secrets management: Centralize secrets using vaults and scan code/CI pipelines to prevent exposure.
- Anomaly detection: Implement monitoring for unusual OAuth usage patterns across SaaS integrations.
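One way to put the audit and anomaly-detection items above into practice, as an added example that is not code from the original article or from Salesforce or Salesloft: a baseline-versus-recent check over a constructed, simplified log of API calls made by connected apps (the field names are assumptions, not Salesforce's event log schema). It flags a day on which an integration returns far more rows than its own history and a known app calling from a source IP never seen during the baseline window.

```python
from collections import defaultdict

# Constructed sample log (field names are assumptions, not a real schema):
# a connector reading a few hundred CRM rows a day, then a ~100k-row pull
# in one day from a source IP never seen during normal operation.
SAMPLE_LOG = [
    {"day": "2025-08-01", "app": "drift_connector", "ip": "203.0.113.10", "rows": 240},
    {"day": "2025-08-02", "app": "drift_connector", "ip": "203.0.113.10", "rows": 310},
    {"day": "2025-08-03", "app": "drift_connector", "ip": "203.0.113.10", "rows": 275},
    {"day": "2025-08-04", "app": "drift_connector", "ip": "203.0.113.10", "rows": 195},
    {"day": "2025-08-09", "app": "drift_connector", "ip": "198.51.100.77", "rows": 48000},
    {"day": "2025-08-09", "app": "drift_connector", "ip": "198.51.100.77", "rows": 52000},
    {"day": "2025-08-09", "app": "billing_sync", "ip": "203.0.113.20", "rows": 1200},
]

def daily_totals(records):
    """Sum rows returned per (app, day)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["app"], r["day"])] += r["rows"]
    return dict(totals)

def find_anomalies(records, baseline_end, factor=10):
    """Compare activity after `baseline_end` (ISO date, last day of the
    learning window) with each app's own history. Alert kinds:
    mass_export (daily rows > factor x baseline average), new_source_ip
    (known app, IP absent from baseline), new_app (no baseline at all)."""
    baseline = [r for r in records if r["day"] <= baseline_end]
    recent = [r for r in records if r["day"] > baseline_end]
    known_ips, history = defaultdict(set), defaultdict(list)
    for r in baseline:
        known_ips[r["app"]].add(r["ip"])
    for (app, _), rows in daily_totals(baseline).items():
        history[app].append(rows)
    avg = {app: sum(v) / len(v) for app, v in history.items()}
    alerts = set()  # set: two calls on one day must not double-alert
    for (app, day), rows in daily_totals(recent).items():
        if app not in avg:
            alerts.add((app, day, "new_app", rows))
        elif rows > factor * avg[app]:
            alerts.add((app, day, "mass_export", rows))
    for r in recent:
        if r["app"] in known_ips and r["ip"] not in known_ips[r["app"]]:
            alerts.add((r["app"], r["day"], "new_source_ip", r["ip"]))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, "2025-08-08"):
        print(alert)
```

The per-app baseline matters: a billing connector that legitimately syncs thousands of rows a day must not be judged against a chat widget's volume, and a brand-new app showing up in the window is itself worth a look.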
Long-Term / Strategic Improvements
- Formalize third-party SLAs: Require partners to maintain logging, incident response, and transparency standards for security incidents.
- Integrations in threat models: Treat SaaS integrations as part of your attack surface and include them in vendor risk assessments and penetration tests.
- Adopt Zero Trust principles: Enforce context-aware access controls for APIs and integrations, including user and device posture verification.
Frequently Asked Questions
What happened in the Salesforce supply chain attack?
In August 2025, attackers exploited OAuth tokens from Salesloft Drift to access Salesforce customer data. Sensitive information such as leads, contacts, and internal notes was exfiltrated. Salesforce’s core systems were not breached.
Who is responsible for the attack?
The attack involved UNC6395, who stole the OAuth tokens, and the ShinyHunters / Scattered Lapsus$ Hunters group, which later leaked some stolen records and demanded cryptocurrency ransom.
Which organizations were affected?
Over 700 organizations across industries such as cybersecurity, enterprise SaaS, retail, aviation, and finance were impacted — primarily those integrating Salesforce with Drift via Salesloft.
How did the attackers gain access?
Attackers abused stolen OAuth tokens and leveraged trusted third-party integrations (Drift → Salesloft → Salesforce) to move laterally and access customer environments.
Was Salesforce itself compromised?
No. Salesforce’s core platform remained secure. The attackers targeted third-party applications, not the Salesforce infrastructure itself.
What data was stolen?
Data exfiltrated included CRM records such as contacts, leads, support case notes, and other sensitive internal information. Credentials and API keys exposed in free-text fields were also at risk.
Conclusion
The Salesforce–Drift supply chain attack underscores a critical truth: your security is only as strong as your weakest integration. By exploiting stolen OAuth tokens from a trusted third-party platform, attackers were able to access sensitive customer data without breaching Salesforce’s core systems. Organizations must recognize that SaaS ecosystems and API integrations are prime targets for supply chain attacks and implement robust security practices, including least privilege access, automated token rotation, anomaly detection, and Zero Trust principles.
