Full Report
Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce to pivot to customer environments and exfiltrate data. The ShinyHunters extortion group claims responsibility for these additional Salesforce attacks. [...]
Analysis Summary
# Incident Report: Salesloft OAuth Token Theft Leading to Salesforce Data Exfiltration
## Executive Summary
Sales automation platform Salesloft was breached, resulting in the theft of the OAuth access and refresh tokens that its Drift chat agent integration uses to connect to customer Salesforce instances. The threat actor (tracked by Google as UNC6395; the ShinyHunters extortion group has claimed responsibility) used these tokens between August 8 and August 18, 2025, to query customer Salesforce data and search it for credentials such as AWS access keys and Snowflake tokens. Salesloft, working with Salesforce, contained the incident by revoking all affected tokens and requiring customers to re-authenticate the integration.
## Incident Details
- Discovery Date: Not explicitly stated (Implied shortly before the August 26, 2025 advisory)
- Incident Date: Between August 8 and August 18, 2025
- Affected Organization: Salesloft (Impacted downstream customers utilizing the Drift-Salesforce integration)
- Sector: Software/Sales Automation Technology
- Geography: Not disclosed (Global customer base implied)
## Timeline of Events
### Initial Access
- Date/Time: Before August 8, 2025
- Vector: Breach of Salesloft's infrastructure allowing access to integration secrets.
- Details: Attackers obtained Drift OAuth and refresh tokens related to the Salesforce integration managed by Salesloft.
### Lateral Movement
- Date/Time: August 8 – August 18, 2025
- Vector: Replay of the stolen OAuth access and refresh tokens against customer Salesforce instances; a bearer token is accepted as the Drift integration without any password or MFA prompt.
- Details: UNC6395 authenticated with the tokens and issued SOQL queries, including bulk exports, to pull data from the affected orgs.
### Data Exfiltration/Impact
- Date/Time: Ongoing during August 8 – August 18, 2025
- Details: Attackers exported Salesforce data, notably Case records, and mined it for credentials stored in support-case text: AWS access key IDs (the `AKIA` prefix), passwords and Snowflake-related access tokens, which could then be used against those downstream systems.
### Detection & Response
- Date/Time: Discovery led to advisory on August 26, 2025
- Details: Salesloft investigated in coordination with Salesforce. The primary response was revoking all active access and refresh tokens for the Drift application and mandating customer re-authentication.
## Attack Methodology (Inferred from Google/Salesloft reporting)
- Initial Access: Compromise of Salesloft's environment leading to token theft.
- Persistence: Not detailed by the vendors; in practice the stolen refresh tokens let the actor mint fresh access tokens until they were revoked, which is why revocation was the containment step.
- Privilege Escalation: None reported; the actor operated within the permissions already granted to the Drift integration in each Salesforce org.
- Defense Evasion: The actor deleted their query jobs after use, but the Salesforce logs of those queries were not removed and remain available for review. Infrastructure consisted of Tor exit nodes and commodity hosting (AWS, DigitalOcean).
- Credential Access: Stealing AWS access keys (AKIA), passwords, and Snowflake tokens via SOQL queries within compromised Salesforce records/cases.
- Discovery: Used SOQL queries within Salesforce to locate sensitive credentials stored in case data.
- Lateral Movement: Pivoting from Salesforce data theft to target downstream cloud services (AWS, Snowflake).
- Collection: Extracting sensitive tokens and keys from Salesforce support cases.
- Exfiltration: Data theft occurred through compromised Salesforce access.
- Impact: Data theft and potential compromise of downstream customer environments.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Sensitive credentials, including AWS access keys (AKIA), passwords, and Snowflake access tokens found within Salesforce support data. Impact was limited to customers using the Drift-Salesforce integration.
- Operational: Required customers using the integration to disconnect and reauthenticate Salesforce connections.
- Reputational: Salesloft issued a public advisory regarding the breach.
## Indicators of Compromise
- Network indicators: IP addresses associated with Tor and hosting providers like AWS and DigitalOcean (specific IPs defanged and listed in vendor reports).
- File indicators: none published.
- Behavioral indicators: Unusual SOQL query activity within Salesforce; User-Agent strings observed: `python-requests/2.32.4`, `Python/3.11 aiohttp/3.12.15`, `Salesforce-Multi-Org-Fetcher/1.0`, `Salesforce-CLI/1.0`.
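The following is an added example, not code from the report or from Salesloft, Salesforce or Google: a small hunt script that applies the User-Agent IOCs listed above together with the behavioural indicators (bulk export of Case data, query jobs deleted shortly after creation) to API log records. The log schema and field names, the benign `Drift-Salesforce-Sync/4.2` user agent and the thresholds are assumptions, and the sample records are constructed; map your own Salesforce Event Monitoring export onto these fields before running it against real data.

```python
"""Hunt for the UNC6395 activity pattern in Salesforce API log records.

Added example, not part of the original report. The record schema below is a
constructed, simplified one: the field names are assumptions, not the column
names of Salesforce Event Monitoring files.
"""
from datetime import datetime, timedelta

# User-Agent strings listed as indicators in the vendor reporting.
IOC_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Objects where support data and embedded credentials live; Case is the one the
# report names. Threshold and delete window are assumptions, tune per org.
SENSITIVE_OBJECTS = {"Case", "User", "Account", "Contact"}
BULK_ROW_THRESHOLD = 10_000
JOB_DELETE_WINDOW = timedelta(minutes=30)

# Constructed sample log: one benign sync call, then an attacker-style session
# that creates a bulk query job on Case, drains it, and deletes the job.
SAMPLE_LOG = [
    {"ts": "2025-08-09T02:10:00Z", "user": "drift-integration", "ua": "Drift-Salesforce-Sync/4.2",
     "ip": "203.0.113.10", "op": "query", "object": "Lead", "rows": 120, "job_id": None},
    {"ts": "2025-08-09T03:00:00Z", "user": "drift-integration", "ua": "python-requests/2.32.4",
     "ip": "198.51.100.7", "op": "bulk_query_create", "object": "Case", "rows": 0, "job_id": "750x1"},
    {"ts": "2025-08-09T03:04:00Z", "user": "drift-integration", "ua": "python-requests/2.32.4",
     "ip": "198.51.100.7", "op": "bulk_query_complete", "object": "Case", "rows": 48213, "job_id": "750x1"},
    {"ts": "2025-08-09T03:06:00Z", "user": "drift-integration", "ua": "python-requests/2.32.4",
     "ip": "198.51.100.7", "op": "bulk_query_delete", "object": "Case", "rows": 0, "job_id": "750x1"},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt(records):
    """Return a list of (rule, detail) findings over the log records.

    Rules:
      ioc_user_agent  - a known attacker User-Agent, reported once per (ua, ip, user)
      bulk_export     - a completed bulk query on a sensitive object above the row threshold
      fast_job_delete - a bulk query job deleted within JOB_DELETE_WINDOW of its creation
    """
    findings = []
    seen_agents = set()
    created = {}  # job_id -> creation time
    for r in records:
        key = (r["ua"], r["ip"], r["user"])
        if r["ua"] in IOC_USER_AGENTS and key not in seen_agents:
            seen_agents.add(key)
            findings.append(("ioc_user_agent", f'{r["ua"]} from {r["ip"]} as {r["user"]}'))
        if (r["op"] == "bulk_query_complete" and r["object"] in SENSITIVE_OBJECTS
                and r["rows"] >= BULK_ROW_THRESHOLD):
            findings.append(("bulk_export", f'{r["rows"]} {r["object"]} rows via job {r["job_id"]}'))
        if r["op"] == "bulk_query_create":
            created[r["job_id"]] = _parse_ts(r["ts"])
        if r["op"] == "bulk_query_delete" and r["job_id"] in created:
            age = _parse_ts(r["ts"]) - created[r["job_id"]]
            if age <= JOB_DELETE_WINDOW:
                findings.append(("fast_job_delete", f'job {r["job_id"]} deleted {age} after creation'))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_LOG):
        print(f"{rule:16s} {detail}")
```

The job-deletion rule matters because the vendor reporting notes the actor deleted query jobs while the underlying logs survived: the create/complete/delete sequence is still visible even though the job object itself is gone, so hunt on the log, not on the current list of jobs.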
## Response Actions
- Containment measures: Salesloft, in coordination with Salesforce, revoked all active access and refresh tokens associated with the affected Drift application immediately.
- Eradication steps: N/A (Focus was containment via token revocation).
- Recovery actions: Required affected administrators to manually navigate to **Settings > Integrations > Salesforce**, disconnect the integration, and reconnect with fresh credentials. Advised customers to rotate compromised credentials and search Salesforce objects for other exposed secrets.
## Lessons Learned
- Third-party integration security is a critical pivot point: Compromise of a vendor integration (Salesloft Drift) provided a direct path to sensitive data within customer environments (Salesforce).
- Token management rigor is essential: OAuth access and refresh tokens are bearer credentials, so whoever holds them is accepted as the integration with no password or MFA check; a vendor's token store is therefore as sensitive as the customer data those tokens unlock.
- Data sanitization failure: Sensitive secrets (AWS keys, tokens) were stored in plain text or easily extractable formats within support cases in Salesforce, facilitating large-scale exfiltration.
## Recommendations
- Implement stricter scoping for integration tokens, ensuring they only possess the minimum necessary permissions required for synchronization.
- Review and automate the redaction/masking of known credential patterns (AWS AKIA prefixes, Snowflake identifiers, passwords) within CRM/support ticket systems.
- Mandate the rotation of all credentials identified as potentially exposed during the incident timeframe (AWS keys, Snowflake tokens).
- Enhance monitoring within Salesforce for anomalous SOQL query patterns, especially those targeting historical case data records.
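To put the "search Salesforce objects for other exposed secrets" recovery step and the redaction recommendation into practice, here is an added example (not code from the report or from any vendor) that scans case text for credential patterns and masks them. The AKIA/ASIA key-ID regex follows AWS's documented access key ID format; Snowflake tokens have no fixed format, so the `labelled_secret` pattern is a heuristic that only catches values written as `password=`, `token:` and similar. The sample cases and the 8-character minimum secret length are constructed assumptions.

```python
"""Scan and redact credential patterns in CRM/support-case text.

Added example, not part of the original report or of Salesloft/Salesforce
tooling. Patterns are the editor's assumptions: AWS key IDs follow the
documented AKIA (long-term) / ASIA (temporary) prefix format; anything else is
caught only when it is written as a labelled key=value secret.
"""
import re

# (name, compiled pattern). Group 1 is the secret value to mask.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    # Labelled secrets such as "password: x", "snowflake token=x",
    # "aws_secret_access_key = x". The [a-z_]* absorbs suffixes like "_access_key".
    ("labelled_secret", re.compile(
        r"(?:password|passwd|pwd|secret|token|api[_-]?key)[a-z_]*\s*[:=]\s*['\"]?([^\s'\"]{8,})",
        re.IGNORECASE)),
]

# Constructed sample support cases, the kind of text the actor mined.
SAMPLE_CASES = [
    {"id": "500x1", "subject": "Drift sync failing",
     "description": "Temp creds for the sandbox:\n"
                    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"id": "500x2", "subject": "Snowflake warehouse timeouts",
     "description": "Logged in with password: Hunter2-Winter-2025 and a "
                    "snowflake token=eyJraWQiOiJleGFtcGxlIn0\n"},
    {"id": "500x3", "subject": "Feature request", "description": "Please add dark mode."},
]


def find_secrets(text):
    """Return a list of (pattern_name, secret) for every match in text."""
    hits = []
    for name, pat in PATTERNS:
        for m in pat.finditer(text):
            hits.append((name, m.group(1)))
    return hits


def redact(text, keep=4):
    """Mask each matched secret, keeping its last `keep` characters so an
    analyst can still match it to a rotation ticket without seeing the value."""
    def _mask(m):
        secret = m.group(1)
        masked = "*" * max(len(secret) - keep, 0) + secret[-keep:]
        return m.group(0).replace(secret, masked, 1)

    out = text
    for _, pat in PATTERNS:
        out = pat.sub(_mask, out)
    return out


def scan_cases(cases):
    """Return {case_id: [(pattern, secret), ...]} for cases containing secrets."""
    result = {}
    for case in cases:
        hits = find_secrets(case["description"])
        if hits:
            result[case["id"]] = hits
    return result


if __name__ == "__main__":
    for case_id, hits in scan_cases(SAMPLE_CASES).items():
        print(case_id, [name for name, _ in hits])
    print(redact(SAMPLE_CASES[0]["description"]))
```

Run the scanner over a SOQL export of Case (Subject, Description, comments and attachments) for the August 8 to 18 window, rotate everything it finds, then wire `redact` into the path that writes support tickets so the CRM never holds a usable key again.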