In August 2025, a data breach affecting a subset of Salesforce and Google Workspace customers highlighted the security risks of user-authorized third-party integrations. The incident was not a systemwide breach of Salesforce or Google. Instead, hackers compromised a connected application, Salesloft’s Drift app, which specific customers had integrated into their accounts.
The attackers stole security tokens from this third-party app, using the permissions customers had granted it to access their sensitive data. These stolen tokens provided a back door for attackers to search within the victims’ Salesforce environments and access their connected Google email accounts. This incident, along with a potentially related breach at TransUnion affecting over 4 million people, shows how attackers are increasingly targeting the trusted connections between cloud applications.
What Happened: Salesloft / Drift OAuth Breach & Ripple Effects
- Salesloft (via Drift AI chat integration) was breached, enabling attackers to steal OAuth and refresh tokens tied to Salesloft’s Drift app integration with Salesforce. (TechRadar)
- The threat actor—tracked as UNC6395 by Google’s Threat Intelligence Group (GTIG)—used these tokens between August 8 and August 18, 2025 to systematically exfiltrate data from numerous Salesforce customer instances. (TechRepublic)
- The stolen data wasn’t just contacts or CRM entries—attackers were searching for credentials, such as AWS access keys (AKIA), passwords, and Snowflake access tokens, using automated queries. (Google Cloud)
- They demonstrated a level of craftiness—deleting query jobs to obscure their activity, though logs remained intact for forensic review. (Google Cloud)
- Salesloft and Salesforce responded on August 20, 2025, revoking all access and refresh tokens tied to Drift, with Salesforce also removing the app from the AppExchange. (Google Cloud)
- GTIG and Mandiant strongly advise that all organizations using Drift—regardless of integration—treat all authentication tokens as compromised. (Google Cloud)
- Additionally, a small number of Google Workspace email accounts—but only those integrated with Drift Email—were accessed on August 9, 2025, using compromised tokens. Google emphasized this was not a breach of Google or Workspace itself. (The Hacker News)
- Google has revoked the compromised tokens, disabled the integration, and notified impacted Workspace administrators. (The Hacker News)
What’s Going on with TransUnion
- TransUnion announced a data breach affecting more than 4.4 million U.S. individuals; the breach exposed personal information only, not credit reports. (techcrunch.com)
- The incident occurred on July 28, 2025, involving unauthorized access to a third-party customer support application. (SecurityWeek)
- The stolen data included names, Social Security numbers, dates of birth, and possibly addresses—but no credit data. (SecurityWeek)
- While the third party wasn’t explicitly named, the incident appears related to the broader wave of Salesforce-related supply‑chain attacks, including those involving Drift integrations. (SecurityWeek)
Summary: A Rough Month for SaaS Security
- The theft of OAuth tokens from Salesloft’s Drift integration triggered a serious campaign targeting Salesforce customers, resulting in widespread credential theft and potential escalation.
- Google Workspace users weren’t entirely spared: although only a few accounts tied to Drift Email were accessed, the implications for third-party integrations are broad.
- TransUnion’s breach underscores the expanding reach of these attacks, where customer data—even outside core systems like credit files—can be exposed via support apps tied to CRM platforms.
To Protect Your Organization:
- Immediately revoke and rotate all Drift-associated tokens and credentials.
- Rotate any AWS, Snowflake, VPN, or other secrets stored in Salesforce.
- Harden connected app security: enforce IP restrictions, minimize OAuth scope, tighten permissions.
- Review logs and audit trails for suspicious queries or access.
- Confirm with Salesforce/Salesloft whether your instance was impacted, and consider opening a support incident.
- Across the board, review all supply‑chain or third‑party integrations for similar risks.
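To decide which secrets need rotating, it helps to find out where credentials are sitting in CRM text fields in the first place. The sketch below is an added example, not code from Salesloft, Salesforce or Google: it scans a CSV export of records for the kinds of strings the attackers were reported to be hunting for (AWS access keys beginning with AKIA, passwords, Snowflake references). The column names, sample rows and regex heuristics are assumptions made for illustration.

```python
import csv
import io
import re

# Heuristic patterns (assumptions for this example, not an exhaustive list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\b[\w.-]+\.snowflakecomputing\.com\b"),
}

def redact(value, keep=4):
    """Keep only the first few characters so the report does not leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_export(csv_text, id_field="Id"):
    """Return sorted (record id, field, finding type, redacted match) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, text in row.items():
            if field == id_field or not text:
                continue
            for name, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((row[id_field], field, name, redact(match.group(0))))
    return sorted(findings)

# Constructed sample export; the AWS key is Amazon's documented example value.
SAMPLE_EXPORT = '''Id,Subject,Description
500A1,Login issue,"Customer pasted creds: password = Hunter2! please reset"
500A2,S3 sync failing,"Using key AKIAIOSFODNN7EXAMPLE from the deploy box"
500A3,Warehouse access,"Account URL is acme-prod.snowflakecomputing.com, token attached"
500A4,Billing question,"No sensitive content here"
'''

if __name__ == "__main__":
    for record_id, field, kind, preview in scan_export(SAMPLE_EXPORT):
        print(f"{record_id}\t{field}\t{kind}\t{preview}")
```

Each hit identifies a record whose embedded credential should be rotated at its source and then removed from the CRM field.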


