
Unauthorized Data Exfiltration from Salesforce Due to Intrusions in Salesloft Drift OAuth Access

Salesloft Warns of Security Issue in Salesloft Drift Integration with Salesforce, Disclosed on August 20, 2025

In a recent security incident, a threat actor tracked as UNC6395, also referred to as GRUB1, used compromised OAuth tokens issued to the Salesloft Drift integration with Salesforce to access and exfiltrate Salesforce data belonging to multiple companies.

On August 20, 2025, Salesloft published an advisory about this security issue. Salesloft and Salesforce have since proactively revoked all active access and refresh tokens for the Drift application to mitigate the threat. This means that administrators must re-authenticate their Salesforce connection to re-enable the Salesloft Drift integration.

The malicious activity, observed between August 8 and at least August 18, 2025, resulted in the exfiltration of large volumes of data from multiple corporate Salesforce instances. The threat actor's primary objective was credential theft, with a focus on sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens.

Salesforce has contacted impacted customers of the Salesloft Drift Salesforce integration, recommending that they open a support case so that Salesforce can assist in investigating the malicious activity.

Google Threat Intelligence Group (GTIG) published additional details about the campaign on August 26, 2025. GTIG recommends monitoring the Salesloft Trust Page for further updates and opening a support case with Salesforce to investigate activity related to this campaign. Arctic Wolf likewise advises monitoring the Salesloft Trust Page for updates.

It is important to note that this incident was limited to customers using the Salesloft Drift Salesforce integration. Because the exfiltrated records may contain stored secrets, affected organisations should rotate any credentials kept in Salesforce objects, such as API keys, passwords or other access tokens, to prevent follow-on access.
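To decide what needs rotating, an administrator first has to find where credentials sit inside exported Salesforce records. The scanner below is an added example, not code from Salesloft, Salesforce or the original advisory; it runs heuristic patterns for the credential types named above (AWS access key IDs, inline passwords, Snowflake account references) over constructed sample records and reports the record and field, never the secret value itself.

```python
import re

# Heuristic patterns for the credential types the campaign targeted.
# Constructed for this example; extend them to match the secret formats used in your environment.
SECRET_PATTERNS = {
    # AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) followed by 16 uppercase/digit chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Inline password assignments such as "password=..." or "pwd: ..." in free-text fields.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    # Snowflake account hostnames; a hit means the surrounding text may carry a Snowflake credential.
    "snowflake_account": re.compile(r"(?i)\b[a-z0-9][a-z0-9._-]*\.snowflakecomputing\.com\b"),
}

# Constructed sample of exported Salesforce records (Case, Note, Contact); IDs are placeholders.
SAMPLE_RECORDS = [
    {"Object": "Case", "Id": "500XX0000000001",
     "Description": "Customer shared temp creds: AKIAEXAMPLE123456789 and password=Winter2025!"},
    {"Object": "Note", "Id": "002XX0000000002",
     "Body": "Connect to acme.snowflakecomputing.com with the service account token"},
    {"Object": "Contact", "Id": "003XX0000000003",
     "Description": "Follow up next week about the renewal."},
]


def find_secret_candidates(records, skip_fields=("Object", "Id")):
    """Return one finding per (record, field, pattern) hit so admins know what to rotate.

    Only the location and secret type are reported; the matched value is deliberately
    left out so the scan output does not itself become a new place where secrets leak.
    """
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in skip_fields or not isinstance(value, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(value):
                    findings.append({"object": rec.get("Object"), "id": rec.get("Id"),
                                     "field": field, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per secret type, a quick view of the rotation workload."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_secret_candidates(SAMPLE_RECORDS):
        print(f"{f['object']} {f['id']} field={f['field']}: {f['kind']}")
```

Feed it the CSV or JSON export of the objects your Drift integration could read (Cases, Notes, Accounts and so on) and treat every hit as a credential to rotate.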

Salesforce and Salesloft have taken steps to address this issue, but it is crucial for administrators to re-authenticate their Salesforce connection to ensure the security of their data. If you are a customer of the Salesloft Drift Salesforce integration, opening a support case with Salesforce is advised for a thorough investigation of the activity related to this campaign.
