Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

abdulmanannet77@gmail.comAugust 27, 2025

0 2 2 minutes read

Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

https://www.profitableratecpm.com/f4ffsdxe?key=39b1ebce72f3758345b2155c98e6709c

Salesloft was violated when the Salesdrift oauth tokens were stolen
Google followed the threats under the name of UNC6395
Shinyhuanters claimed the responsibility of the attack

The workflow platform returned from Salesloft has undergone a cyber attack that saw the threat actors to break through a third party and steal sensitive information.

The company uses Drift, a marketing and conversational sales platform that uses live chat, chatbots and AI, to hire visitors in real time, alongside its own fan, a third-party platform that links the AI Drift Chat features to Salesforce, synchronizing conversations, prospects and cases, in CRM via the Saleloft ecosystem.

From August 8, and duration of ten days, the opponents managed to steal oauth tokens and update Salesdrift, pivoting customer environments and successfully exfiltrating sensitive data.

Attribution of attack

“The first results showed that the main objective of the actor was to steal identification information, specifically focusing on sensitive information such as AWS access keys, passwords and access tokens related to Snowflake,” said Salesloft in an opinion.

“We have determined that this incident had no impact on customers who do not use our Drift-Saleforce integration. Based on our current survey, we do not see evidence of malicious activity in progress linked to this incident.”

In its article, the intelligence group on the threats of Google (GTIG) said that the attack had been led by a threat actor known as UNC6395.

“Once the data has been exfiltrated, the actor looked for data to search for secrets that could be used to compromise victim environments,” said the researchers.

“GTIG observed UNC6395 targeting sensitive identification information such as Amazon Web Services (AWS) access keys, passwords and access tokens related to snowflakes. UNC6395 has demonstrated the awareness of operational security by removing request work, but the newspapers have not been impacted and organizations should still examine the relevant logs for proof of data exposure. ”

Google seems to believe that he is a single threat actor, which is why he gave him a unique UNC6395 nickname.

However, pirates known as shinyhuters have said Bleeping Compompute The attack was actually doing them – although Google asks to postpone, saying to the site: “We have not seen any convincing evidence connecting them at this time”.