Hackers breached Salesloft to steal OAuth tokens from its Drift integration with Salesforce, enabling them to exfiltrate sensitive data including AWS access keys and passwords. The attacks, attributed to the threat group UNC6395, occurred between August 8 and August 18, 2025, leading to a coordinated response that involved revoking access tokens and requiring customer re-authentication. Ongoing investigations reveal connections to broader social engineering tactics targeting Salesforce instances, linked to the ShinyHunters group.

The FBI has issued a warning about two cybercriminal groups, UNC6040 and UNC6395, that are exploiting Salesforce environments to steal data and extort organizations. These groups have employed various tactics, including social engineering and the use of compromised OAuth tokens, impacting many well-known companies and revealing sensitive information in their attacks. The FBI has released indicators of compromise to help organizations bolster their defenses against these threats.

A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift application has been uncovered, with the threat actor UNC6395 compromising OAuth tokens to exfiltrate sensitive data. Organizations using Salesloft Drift are urged to treat their credentials as compromised and take immediate remediation steps, including revoking tokens and investigating potential unauthorized access.