Between August 8 and 18, threat actors successfully compromised the Salesloft Drift AI chat platform, using stolen OAuth tokens to systematically pillage data from hundreds of corporate Salesforce instances. This supply chain attack has become one of the most significant breaches of 2025.
Google Threat Intelligence Group (GTIG) tracked the campaign to a previously unknown threat actor designated UNC6395, who demonstrated remarkable operational discipline while conducting what security researchers are calling a widespread credential harvesting operation.
How the Attack Unfolded
The breach began when attackers gained access to Salesloft’s Drift platform, a popular AI-powered chat agent used for sales automation and customer engagement. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, with GTIG assessing that the primary intent was to harvest credentials.
This attack was highly methodical. Not content with simple data theft, the threat actors actively mined the stolen information for high-value credentials including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens.
The attackers demonstrated sophisticated operational security by deleting query jobs to cover their tracks, though fortunately for investigators, the underlying audit logs remained intact.
Scale of the Damage
The attack affected over 700 organizations, specifically targeting companies using the Drift-Salesforce integration. Several major companies have publicly confirmed they were impacted, including cybersecurity firms Zscaler and Palo Alto Networks.
Google’s investigation later revealed that the scope of this compromise extended beyond just the Salesforce integration to impact other integrations as well. The attack also compromised OAuth tokens for Drift’s email integration, giving attackers access to a small number of Google Workspace accounts.
What Data Was Stolen
The attackers targeted specific Salesforce objects that would yield the most valuable information. They executed queries to retrieve data from:
- User accounts and contact information
- Support cases containing potentially sensitive technical details
- Account and opportunity records
- Business contact details and licensing information
Perhaps most concerning was the attackers’ focus on support cases, which often contain technical details, error messages, and sometimes even credentials shared by customers seeking assistance.
The Broader AI Agent Security Problem
This attack exposes the growing security risks that come with AI agent platforms requiring extensive integrations and elevated privileges to function.
Traditional software applications typically operate with limited, defined permissions. AI agents need access to email, CRM platforms, databases, and other business-critical applications to be truly useful. This creates an attractive target for attackers who can potentially gain access to an organization’s entire digital ecosystem through a single compromised agent.
AI agents inherit many of the security risks outlined in the OWASP Top 10 for LLMs, such as prompt injection, sensitive data leakage and supply chain vulnerabilities. However, their integration with external tools exposes organizations to classic software threats like credential theft and broken access control.
Response and Recovery Efforts
The response was swift once the breach was discovered. On August 20, 2025, Salesloft and Salesforce worked together to revoke all active access and refresh tokens associated with the Drift application. Salesforce also removed Drift from its AppExchange marketplace pending further investigation.
All impacted customers were notified directly, and organizations were advised to:
- Search their Salesforce instances for sensitive information and credentials
- Rotate any discovered API keys and passwords
- Review authentication logs for suspicious activity
- Implement stronger IP restrictions and access controls
Lessons for IT Security Teams
This breach offers several critical lessons for organizations deploying AI agents and third-party integrations:
Audit Your AI Agent Permissions: Review what access your AI platforms have and whether they truly need such broad privileges. Many organizations discover their AI tools have far more access than necessary for their actual use cases.
Implement Zero Trust for AI Integrations: Don’t assume AI platforms are inherently trustworthy. Apply the same security controls you would to any third-party application, including network segmentation and continuous monitoring.
Monitor OAuth Token Usage: The attack succeeded because stolen OAuth tokens provided legitimate-looking access to Salesforce instances. Organizations need better visibility into how their authentication tokens are being used, particularly by automated systems.
Plan for Supply Chain Compromises: Incident response plans need to account for scenarios where threats come through trusted third-party vendors rather than direct attacks on your infrastructure.
What’s Next
AI agents often demand access to email, CRM systems, and databases, but this creates massive attack surfaces that most organizations haven’t properly considered. When Salesloft Drift got compromised, attackers inherited trusted relationships with hundreds of customer Salesforce instances.
The rush to deploy AI solutions for productivity gains has left many companies overlooking basic security fundamentals. Every OAuth token, API connection, and elevated permission becomes a potential pathway for attackers to move laterally through corporate systems.
The security community needs practical frameworks for evaluating AI agent risks before these platforms become even more entrenched in business operations. Organizations should implement granular permission models and stronger oversight to limit damage when things inevitably go wrong.
