Analysis Summary

A major supply chain attack has compromised Salesloft’s Drift application, leading to the theft of OAuth and refresh tokens and impacting hundreds of organizations worldwide. The campaign, active from August 8 to at least August 18, 2025, has been attributed to a newly identified threat cluster tracked as UNC6395 (aka GRUB1), discovered by Google Threat Intelligence Group (GTIG).

Attackers exploited OAuth credentials tied to Drift to infiltrate Salesforce customer instances and exfiltrate sensitive data, including AWS access keys, Snowflake tokens, passwords, and Salesforce objects such as Cases, Accounts, Users, and Opportunities. Researchers observed large-scale, methodical queries across multiple environments, with the threat actors demonstrating operational discipline by deleting query jobs to obscure evidence.

GTIG estimates that over 700 organizations may have been impacted, with affected companies including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, SpyCloud, Tanium, and Zscaler. Salesloft confirmed the incident on August 20, 2025, noting that Drift’s integration with Salesforce was the main attack vector, though subsequent findings suggest that any Drift-connected platform could be compromised. Salesforce responded by temporarily disabling all Salesloft integrations and removing Drift from AppExchange. Both Salesloft and Salesforce have invalidated compromised tokens, notified affected customers, and urged administrators to reauthenticate connections.

In a follow-up advisory, Salesloft announced it is temporarily taking Drift offline to conduct a comprehensive review and strengthen the platform’s resiliency. The company has engaged Mandiant and Coalition to investigate and assist with containment. Drift customers relying on API key-based integrations have been advised to revoke and rotate their keys.

Security experts view the campaign as more than an isolated SaaS breach. Researcher emphasized that the attackers deliberately targeted security and technology companies, suggesting an “opening move” in a broader supply chain strategy aimed at exploiting trust relationships between vendors, service providers, and downstream customers.

Cloudflare echoed this concern, warning that the attackers likely intend to use stolen credentials and customer information for future targeted attacks. The campaign’s scale, precision, and tradecraft—including structured queries and cleanup efforts—highlight UNC6395’s capabilities and discipline. While researchers have not linked UNC6395 to existing groups such as ShinyHunters or Scattered Spider, parallels with financially motivated actors targeting Salesforce suggest an emerging and dangerous trend.

As investigations continue, the full scope of the breach remains unclear. What is evident, however, is that the Drift compromise represents a significant supply chain threat with the potential for cascading impacts across the technology ecosystem.

Impact

• Operational Disruption
• Reputational Damage
• Credentials Harvesting
• Sensitive Information Theft

Indicators of Compromise

Remediation

• Block all threat indicators at your respective controls
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Revoke and rotate OAuth tokens to block attacker access
• Revoke and regenerate API keys for Drift integrations to secure connections
• Re-authenticate Salesforce connections to re-enable trusted integrations
• Review Salesforce logs for evidence of data exfiltration to assess exposure
• Rotate credentials such as AWS keys and Snowflake tokens to prevent misuse
• Invalidate compromised refresh tokens to cut off attacker persistence
• Engage incident response partners for containment and analysis
• Temporarily disable third-party integrations until verified secure
• Notify affected customers and partners to enable downstream protections
• Strengthen monitoring of Drift and Salesforce environments for suspicious activity