How the Attack Unfolded<\/h2>\n\n\n\n
The breach began when attackers gained access to Salesloft’s Drift platform, a popular AI-powered chat agent used for sales automation and customer engagement. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, with GTIG assessing that the primary intent was to harvest credentials.<\/p>\n\n\n\n
This attack was highly methodical. Not content with simple data theft, the threat actors actively mined the stolen information for high-value credentials including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens.<\/p>\n\n\n\n
The attackers demonstrated sophisticated operational security by deleting query jobs to cover their tracks, though fortunately for investigators, the underlying audit logs remained intact.<\/p>\n\n\n\n The attack affected over 700 organizations<\/a>, specifically targeting companies using the Drift-Salesforce integration. Several major companies have publicly confirmed they were impacted, including cybersecurity firms Zscaler and Palo Alto Networks.<\/p>\n\n\n\n Google’s investigation later revealed that the scope of this compromise extended beyond just the Salesforce integration to impact other integrations as well. The attack also compromised OAuth tokens for Drift’s email integration, giving attackers access to a small number of Google Workspace accounts.<\/p>\n\n\n\n The attackers targeted specific Salesforce objects that would yield the most valuable information. They executed queries to retrieve data from:<\/p>\n\n\n\n Perhaps most concerning was the attackers’ focus on support cases, which often contain technical details, error messages, and sometimes even credentials shared by customers seeking assistance.<\/p>\n\n\n\n This attack exposes the growing security risks that come with AI agent platforms requiring extensive integrations and elevated privileges to function.<\/p>\n\n\n\n Traditional software applications typically operate with limited, defined permissions. AI agents need access to email, CRM platforms, databases, and other business-critical applications to be truly useful. This creates an attractive target for attackers who can potentially gain access to an organization’s entire digital ecosystem through a single compromised agent.<\/p>\n\n\n\n AI agents inherit many of the security risks outlined in the OWASP Top 10 for LLMs<\/a>, such as prompt injection, sensitive data leakage and supply chain vulnerabilities. However, their integration with external tools exposes organizations to classic software threats like credential theft and broken access control.<\/p>\n\n\n\n The response was swift once the breach was discovered. On August 20, 2025, Salesloft and Salesforce worked together to revoke all active access and refresh tokens associated with the Drift application. Salesforce also removed Drift from its AppExchange marketplace pending further investigation.<\/p>\n\n\n\n All impacted customers were notified directly, and organizations were advised to:<\/p>\n\n\n\n This breach offers several critical lessons for organizations deploying AI agents and third-party integrations:<\/p>\n\n\n\n Audit Your AI Agent Permissions<\/strong>: Review what access your AI platforms have and whether they truly need such broad privileges<\/a>. Many organizations discover their AI tools have far more access than necessary for their actual use cases.<\/p>\n\n\n\n Implement Zero Trust for AI Integrations<\/strong>: Don’t assume AI platforms are inherently trustworthy. Apply the same security controls you would to any third-party application, including network segmentation and continuous monitoring.<\/p>\n\n\n\n Monitor OAuth Token Usage<\/strong>: The attack succeeded because stolen OAuth tokens provided legitimate-looking access to Salesforce instances. Organizations need better visibility into how their authentication tokens are being used, particularly by automated systems.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.adminbyrequest.com\/en\/wp-content\/uploads\/2025\/09\/inline-1-1-1024x576.png\")
<\/figure>\n\n\n\nScale of the Damage<\/h2>\n\n\n\n
What Data Was Stolen<\/h2>\n\n\n\n
\n
The Broader AI Agent Security Problem<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.adminbyrequest.com\/en\/wp-content\/uploads\/2025\/09\/inline-2-1-1024x576.png\")
<\/figure>\n\n\n\nResponse and Recovery Efforts<\/h2>\n\n\n\n
\n
Lessons for IT Security Teams<\/h2>\n\n\n\n