
Google Alerts Organizations Of Salesforce Data Theft
Organizations using Salesforce may have had sensitive data stolen after hackers breached Salesloft, the sales automation platform behind the Drift AI chat integration.
In a rush? Here are the quick facts:
- Hackers stole Salesforce data via Salesloft Drift OAuth and refresh tokens.
- Stolen data included AWS keys, passwords, and Snowflake access tokens.
- Salesforce and Salesloft revoked tokens and removed the Drift app temporarily.
Google’s Threat Intelligence Group (GTIG), together with Salesloft, reported that the attack took place between August 8 and August 18, 2025. The attackers, tracked as UNC6395, carried out the breach using OAuth and refresh tokens stolen from the Drift application, which gave them access to the Salesforce instances of many Drift customers.
“Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” a Salesloft advisory stated.
The attackers systematically ran queries on Salesforce objects including Cases, Accounts, Users, and Opportunities.
GTIG noted, “UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.”
BleepingComputer explains that the attackers hid their infrastructure behind Tor and behind cloud hosting providers such as AWS and DigitalOcean.
In response, Salesloft and Salesforce revoked all active Drift tokens and temporarily removed the app from the Salesforce AppExchange.
Customers must re-authenticate the integration and rotate their login credentials. Google advises organizations to search their Salesforce objects for AWS keys, Snowflake credentials, passwords, and VPN login URLs. Administrators should also restrict logins by IP address, limit the privileges granted to connected apps, and monitor authentication activity.
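As an added illustration of the hunt Google recommends (this is example code written for this page, not code from Salesloft, Salesforce or GTIG), the Python below scans exported Salesforce records for the credential types named above. The record shape and the sample text are constructed for the example; the AWS access key ID prefix and the Snowflake account hostname follow those products' public formats, while the secret, token, password and VPN patterns are loose heuristics that will need tuning against real data. The field names are standard Salesforce fields; in practice you would feed the scanner records exported from Case, Account, Opportunity and similar objects via Data Export or the Bulk API.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Patterns for the credential types Google advised customers to look for in
# Salesforce objects. The AWS key ID prefix (AKIA/ASIA + 16 chars) and the
# Snowflake hostname follow public formats; the remaining patterns are
# heuristics (an assumption of this example) and will produce false positives.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?(?:access[_ -]?)?key\s*[:=]\s*"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "snowflake_account_url": re.compile(
        r"(?i)\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b"),
    "snowflake_token": re.compile(
        r"(?i)\bsnowflake[_ -]?(?:access[_ -]?)?token\s*[:=]\s*(\S+)"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "vpn_login_url": re.compile(r"(?i)\bhttps?://[^\s\"'<>]*vpn[^\s\"'<>]*"),
}

# Standard free-text fields worth scanning, per object. Add custom fields as needed.
TEXT_FIELDS = {
    "Case": ("Subject", "Description"),
    "Account": ("Description",),
    "Opportunity": ("Description", "NextStep"),
    "User": ("AboutMe", "Title"),
}


@dataclass
class Finding:
    sobject: str
    record_id: str
    field: str
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep only the edges of a secret so the report is not itself a leak."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_record(record: dict) -> list[Finding]:
    """Run every pattern over the free-text fields of one exported record."""
    findings = []
    for field in TEXT_FIELDS.get(record["object"], ("Description",)):
        text = record.get(field) or ""
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(record["object"], record["Id"],
                                        field, kind, redact(value)))
    return findings


def scan_records(records: list[dict]) -> list[Finding]:
    return [f for r in records for f in scan_record(r)]


def summarize(findings: list[Finding]) -> dict:
    """Count findings per credential type, for a quick triage view."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample export (not real customer data). The AWS values are the
# placeholder key pair used in AWS documentation.
SAMPLE_RECORDS = [
    {"object": "Case", "Id": "500000000000001AAA", "Subject": "Deploy pipeline failing",
     "Description": "Try with AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE and "
                    "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"object": "Account", "Id": "001000000000002AAA",
     "Description": "Warehouse at acme-xy12345.snowflakecomputing.com; "
                    "snowflake_token=eyJraWQiOiJleGFtcGxlIn0.EXAMPLE"},
    {"object": "Case", "Id": "500000000000003AAA", "Subject": "Staging access",
     "Description": "Customer shared admin password: Summer2025! for the staging box"},
    {"object": "Opportunity", "Id": "006000000000004AAA",
     "Description": "Prospect wants us to test remote access at "
                    "https://vpn.acme-corp.example/remote/login before the demo"},
    {"object": "Case", "Id": "500000000000005AAA", "Subject": "Invoice mismatch",
     "Description": "Amount on invoice 4471 differs from the quote; see attachment."},
]

if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.sobject} {f.record_id} {f.field}: {f.kind} -> {f.redacted}")
    print(summarize(results))
```

Every hit is a record whose owner needs to be told that the secret must be treated as stolen and rotated; the redacted value is enough to identify which one without copying it into yet another system.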
While some reports suggested links to the ShinyHunters extortion group, Google has not found evidence connecting them. “We’ve not seen any compelling evidence connecting them at this time,” said Austin Larsen, Principal Threat Analyst at GTIG.
BleepingComputer argues that the attack is part of a broader wave in which Salesforce customers are targeted through social engineering that tricks employees into authorizing malicious connected applications.
High-profile organizations have recently reported related breaches including Google, Cisco, Adidas and Louis Vuitton.
Organizations that use the Drift-Salesforce integration should treat their data as compromised and begin remediation immediately to prevent further theft.