A targeted cyberattack exploited OAuth tokens to breach Salesloft and extract data from Salesforce instances, affecting multiple organizations. The campaign demonstrates high operational discipline and may be part of a larger supply chain attack strategy. #UNC6395 #Salesloft #Salesforce #OAuth #SupplyChainAttack
Key points
- The attack involved stealing OAuth and refresh tokens to access Salesforce data via Salesloft's Drift application.
- Threat actors systematically targeted hundreds of Salesforce tenants, exporting sensitive information across multiple organizations.
- Salesloft and Salesforce responded by revoking compromised tokens and removing affected applications from their platforms.
- The attackers showed advanced operational security by deleting query jobs and carefully covering tracks.
- The campaign may signal a broader supply chain attack targeting security and technology firms for future exploitation.
Read More: https://thehackernews.com/2025/08/salesloft-oauth-breach-via-drift-ai.html