Salesloft Drift / UNC6395 - GitHub Compromise → Stolen Drift OAuth Tokens → Bulk SOQL Exfil → Secret-Mining → 700+ Orgs Hit
A threat actor tracked as UNC6395 (also referenced as GRUB1) stole OAuth refresh and access tokens tied to the Salesloft Drift third-party chat integration and used them to reach hundreds of organizations' Salesforce instances. Over roughly ten days in August 2025 the actor ran automated OAuth-authenticated SOQL queries to bulk-export Salesforce objects, then combed the exported data for embedded secrets - AWS access keys (AKIA...), Snowflake tokens, VPN credentials, and passwords - to enable downstream compromise. The root cause was traced back to a compromise of Salesloft's GitHub environment (March-June 2025) that let the actor pivot into the Drift AWS environment and harvest the integration's customer OAuth tokens. 700+ organizations were potentially affected, including major security vendors, making this one of the largest SaaS supply-chain incidents of 2025.
The upstream root cause was a compromise of Salesloft's GitHub account. From March through June 2025 the actor downloaded content from multiple private repositories, added a guest user, and established suspicious CI/CD workflows. From there the actor pivoted into the Drift AWS environment, where the OAuth access and refresh tokens issued to Drift's customer integrations were stored. Harvesting those tokens gave the actor pre-authenticated access to every downstream Salesforce tenant that had connected Drift - no victim-side credential theft required.
Pivot: Salesloft GitHub → Drift AWS environment holding customer OAuth tokens
Dwell time: Undetected GitHub access March-June 2025 before the Salesforce campaign
The stolen Drift OAuth refresh and access tokens were valid, pre-authorized application credentials, so the actor connected directly to each customer's Salesforce instance through the trusted integration - bypassing user login, MFA, and password controls entirely. Because the access rode an approved third-party tenant integration, activity blended in with normal Drift API traffic. Separately, on August 9 the actor abused OAuth tokens for the Drift Email integration to read email from a very small number of Google Workspace accounts that had specifically connected Drift.
Auth path: Trusted third-party app connection - no user login, MFA, or password prompt
Also abused: Drift Email OAuth tokens → small number of Google Workspace mailboxes (Aug 9)
Operating through Salesforce's APIs with Python-based tooling, UNC6395 enumerated the standard objects reachable by the compromised Drift integration to find where sensitive text lived. The actor focused on records that commonly hold free-text and credential-bearing content - Cases (support ticket bodies), Accounts, Contacts, Users, and Opportunities. Support case text was a prime target because customers routinely paste keys, tokens, and passwords into tickets. The actor used custom user-agent strings to appear like a legitimate integration and reduce the chance of anomaly detection.
Why Cases: Support case bodies frequently contain pasted secrets and credentials
Evasion: Custom user-agent strings to mimic legitimate Drift API traffic
The actor executed automated Salesforce Object Query Language (SOQL) queries and used the Bulk API to export large volumes of records from the targeted objects across hundreds of tenants. The queries and jobs ran through the same OAuth-authenticated integration channel, so exfiltration looked like ordinary bulk integration activity. Over the roughly ten-day window (August 8-18, 2025) the actor systematically drained support-case text, contact, and account data from 700+ organizations. Salesforce event logs retained the queries for post-incident forensics, but no real-time DLP alert fired during the bulk pulls.
Channel: OAuth-authenticated Drift integration - blends with normal bulk API traffic
Scope: 700+ tenants drained over ~10 days (Aug 8-18, 2025)
Detection gap: No DLP or rate-limit alert on large SOQL / Bulk API exports
The campaign's real objective was credential harvesting, not the Salesforce data itself. UNC6395 scanned the stolen exports - likely with scripts and regex - for patterns that reveal secrets: AWS access key IDs (AKIA...), Snowflake tokens, VPN credentials, and password strings pasted into support cases. Any live secret found became a foothold into a victim's cloud estate, turning one SaaS integration breach into potential AWS and data-warehouse compromise. On August 20, 2025 Salesloft and Salesforce revoked all active Drift OAuth tokens and Salesforce removed the Drift app from AppExchange pending investigation.
Goal: Downstream compromise - pivot from SaaS data into AWS / Snowflake environments
Containment: Aug 20, 2025 - Salesloft & Salesforce revoked Drift tokens; Drift pulled from AppExchange
