
Salesloft Attacks Target Google Workspace

By Team-CWD, September 11, 2025


A recently discovered supply chain attack campaign targeting Salesforce data via the Salesloft Drift app is more extensive than at first thought.

Google's Threat Intelligence Group (GTIG) revealed in a post late last week that threat actors had targeted not just the Salesforce integration with Salesloft Drift, but also a “very small number” of Google Workspace accounts.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” it warned.

“We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”

Read more on Salesloft: New Data Theft Campaign Targets Salesforce via Salesloft App

The campaign came to light last week after GTIG claimed an actor tracked as UNC6395 had targeted “numerous” Salesforce customer instances between August 8 and August 18, systematically exfiltrating large volumes of data.

At the time, it said the focus for the actor was harvesting credentials such as AWS access keys (AKIA), passwords and Snowflake-related access tokens. Hundreds of organizations are thought to have been impacted.
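Because the actor was after credentials stored inside Salesforce data, affected organizations need to know which secrets sit in their own records before they can rotate them. The sketch below is an added example, not code from GTIG, Astrix or the article: it scans exported records for the credential types named above and reports redacted matches. The record layout, field names and regular expressions are assumptions, and the sample records are constructed.

```python
import re

# Heuristic patterns (assumptions for this example, not GTIG's own search terms).
PATTERNS = {
    # Long-term AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # "password: value" or "pwd=value" pasted into free text; captures the value.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # A Snowflake account hostname suggests a token or login may be nearby.
    "snowflake_host": re.compile(
        r"(?i)\b[a-z0-9_-]+(?:\.[a-z0-9_-]+)*\.snowflakecomputing\.com\b"),
}


def redact(value, keep=4):
    """Keep only the first characters so the report does not leak the secret again."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_records(records):
    """Return (record id, field, kind, redacted match) for every hit in text fields."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(1) if pattern.groups else m.group(0)
                    findings.append((rec["Id"], field, kind, redact(secret)))
    return findings


# Constructed sample records shaped like an exported support-case table.
SAMPLE_RECORDS = [
    {"Id": "CASE-001", "Subject": "S3 upload failing",
     "Description": "Our key is AKIAIOSFODNN7EXAMPLE, please check the bucket policy."},
    {"Id": "CASE-002", "Subject": "Login help",
     "Description": "Connect to acme-xy12345.snowflakecomputing.com with password: Summer2025!"},
    {"Id": "CASE-003", "Subject": "Invoice question",
     "Description": "Can you resend the August invoice?"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Every hit is a credential to revoke and rotate, and a reason to check the issuing system's logs for use of that credential during the campaign window.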

The hackers compromised corporate Salesforce instances after stealing OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce. No vulnerabilities were identified in Salesforce or Google platforms.

New IoCs and Activity Spotted

Security vendor Astrix revealed 183 previously undisclosed IP-based indicators of compromise (IoCs) connected to the campaign, all of which are Tor exit nodes. That activity was linked to a malicious AWS account that used bucket names extracted from the compromised Salesforce environments in an attempt to access S3 buckets.

“Failed authentication attempts inadvertently exposed the threat actor’s AWS account ID,” Astrix explained.

“Our analysis indicates this malicious AWS account initiated operations in early August 2025, coinciding with the broader campaign timeline.”

The security vendor urged organizations to improve OAuth token management across all of their cloud accounts.
