Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
ID: a1f78887-29ac-58a0-b727-56e4ef5914ca
STIX ID: report--a1f78887-29ac-58a0-b727-56e4ef5914ca
Feed Name: Threat Intelligence
Threat Score
GTIG reports a widespread data theft campaign (Aug 8–18, 2025) by UNC6395. The actor used compromised Salesloft/Drift OAuth tokens to systematically export large volumes of data from multiple corporate Salesforce instances and to search for sensitive credentials, including AWS access keys and Snowflake tokens. Salesloft and Salesforce revoked affected tokens, removed the Drift application from AppExchange, and notified impacted organizations.
