Drift OAuth Token Theft Expands Beyond Salesforce, Impacts Google Workspace; Mandiant Ties Activity to UNC6395

CyberSecureFox 🦊

Google Threat Intelligence (Mandiant) has linked a wave of intrusions to the theft and reuse of OAuth and refresh tokens from Drift integrations, widening the blast radius beyond CRM systems. The activity window spans 8–18 August 2025, and the impact is broader than early assessments suggested, with data access confirmed in Salesforce and a subset of Google Workspace mailboxes.

What happened: scope, targets, and timeline

SalesDrift, an integration layer connecting the Drift AI chatbot to Salesforce, was abused as an entry point. Attackers focused on OAuth authorization, obtaining Drift client tokens used to sync conversations, leads, and tickets with Salesforce, then leveraging those tokens to extract data.

According to Salesloft, the adversaries’ primary objective was secret harvesting: AWS access keys, passwords, and service tokens including those for Snowflake. In coordination with Salesforce, active Drift access and refresh tokens were revoked, and the app has been temporarily removed from Salesforce AppExchange pending a security review.

TTPs, infrastructure, and forensic traces (IoCs)

Mandiant attributes the campaign to UNC6395. Post-authentication in Salesforce, the operators issued targeted SOQL queries to mine authentication tokens, passwords, and other secrets embedded in support cases—an example of abusing a trusted SaaS context for lateral movement. The actors attempted to cover their tracks by deleting query jobs; however, logs remain recoverable for forensic analysis.

Operational infrastructure included Tor exit nodes and commodity cloud hosts (notably AWS and DigitalOcean). Suspicious User-Agent strings observed include python-requests/2.32.4, Python/3.11 aiohttp/3.12.15, and custom tool identifiers such as Salesforce-Multi-Org-Fetcher/1.0 and Salesforce-CLI/1.0.

Beyond Salesforce: Google Workspace email access via Drift OAuth

Google reports that stolen Drift Email OAuth tokens were used on 9 August to access mailboxes for a “small number” of Google Workspace accounts integrated with Drift. This confirms the campaign is not limited to the Drift–Salesforce connector and can affect other OAuth-linked services.

Google’s guidance: organizations using Drift should treat all authentication tokens stored with or connected to Drift as potentially compromised. In response, Salesforce has temporarily disabled Drift integrations with Salesforce, Slack, and Pardot while investigations continue.

Attribution and related activity

While Mandiant points to UNC6395, the group ShinyHunters publicly claimed and later denied involvement in the specific support-ticket data extraction. Concurrent Salesforce-related incidents and ShinyHunters activity have impacted major brands including Adidas, Qantas, Allianz Life, several LVMH houses (Louis Vuitton, Dior, Tiffany & Co), Cisco.com, Chanel, and Pandora. Reporting also references collaboration with Scattered Spider under the label “Sp1d3rHunters” for initial access operations.

Why it matters: systemic OAuth risk and secret sprawl

The technique maps to MITRE ATT&CK T1550 (Use of Alternate Authentication Material): by stealing valid tokens, attackers bypass password prompts and MFA checks. A compounding risk is the persistence of high-value secrets inside support tickets and CRM records, where they often evade standard secret-management controls and DLP policies, creating fertile ground for data exfiltration and pivoting.

Immediate actions for defenders: containment and hardening

1) Assume Drift token compromise. Revoke and reissue all Drift-related OAuth and refresh tokens across Salesforce, Google Workspace, Slack, Pardot, and other connected SaaS. In Salesforce, review Connected Apps, OAuth policies, and token restrictions; in Google Workspace, check App Access Control and OAuth Token Audit.

2) Rotate secrets and close lateral paths. Rotate AWS IAM access keys, Snowflake tokens, and passwords for any service linked to Drift. Re-validate least-privilege scopes for Drift across all tenants.

3) Hunt in logs using IoCs and anomalies. Look for unusual SOQL queries, bulk exports, and deleted query jobs; authentication events sourced from Tor exit nodes or cloud hosts (AWS/DigitalOcean); and the User-Agent strings python-requests/2.32.4, Python/3.11 aiohttp/3.12.15, Salesforce-Multi-Org-Fetcher/1.0, and Salesforce-CLI/1.0. Prioritize the window of 8–18 August 2025, then expand the search outward.

4) Enforce secret hygiene and DLP. Prohibit placing keys and tokens in support cases or CRM fields. Deploy DLP-based discovery, masking, and automated extraction of secrets into dedicated vaults.

5) Strengthen OAuth governance. Shorten refresh-token lifetimes, prune unused grants, bind high-risk apps to trusted network zones/IP ranges, and require step-up reauthentication for sensitive actions.
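The hunt in step 3 combines the User-Agent and infrastructure indicators from the TTP section with behavioural signals (SOQL against free-text Case fields, deleted bulk jobs) and the campaign window. The script below is an added example, not code from the article, Salesloft, Salesforce or Mandiant: it scores constructed JSON-lines records against those signals. The record field names (ts, event, user, ua, ip, soql, action) are assumptions for a simplified export and must be mapped onto your own SIEM or Salesforce EventLogFile schema; the SUSPECT_NETWORKS entry is a documentation range standing in for a real Tor exit-node or cloud-range feed.

```python
"""Hunt Salesforce activity logs for the Drift token-abuse indicators.

Added example, not part of the original article. Record shape is a
constructed simplification; map field names to your real export.
"""
import ipaddress
import json
from collections import Counter
from datetime import datetime, timezone

# User-Agent strings reported in the article (exact matches).
IOC_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Activity window reported in the article, inclusive, UTC.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Constructed placeholder: replace with Tor exit-node and cloud-provider ranges.
SUSPECT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Free-text Case fields where secrets tend to be pasted (assumed list).
CASE_TEXT_FIELDS = ("description", "comments", "subject", "body")

# Constructed sample telemetry, not real log data.
SAMPLE_LOG = """\
{"ts": "2025-08-09T02:14:07Z", "event": "Login", "user": "drift-integration@example.com", "ua": "Salesforce-Multi-Org-Fetcher/1.0", "ip": "203.0.113.45"}
{"ts": "2025-08-09T02:15:30Z", "event": "API", "user": "drift-integration@example.com", "ua": "python-requests/2.32.4", "ip": "203.0.113.45", "soql": "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'"}
{"ts": "2025-08-09T02:40:11Z", "event": "BulkApi", "user": "drift-integration@example.com", "ua": "python-requests/2.32.4", "ip": "203.0.113.45", "action": "DeleteJob", "job_id": "JOB-CONSTRUCTED-001"}
{"ts": "2025-08-12T09:00:00Z", "event": "API", "user": "alice@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0)", "ip": "198.51.100.7", "soql": "SELECT Id, Name FROM Account LIMIT 10"}
{"ts": "2025-07-30T11:00:00Z", "event": "API", "user": "bob@example.com", "ua": "python-requests/2.32.4", "ip": "198.51.100.8", "soql": "SELECT Id FROM Contact"}
"""


def parse_records(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_window(ts):
    """True when an ISO-8601 UTC timestamp falls inside the campaign window."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return WINDOW_START <= t <= WINDOW_END


def from_suspect_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETWORKS)


def targets_case_text(soql):
    """Flag SOQL that reads free-text Case fields (where secrets get pasted)."""
    q = soql.lower()
    return " from case" in q and any(f in q for f in CASE_TEXT_FIELDS)


def score_record(rec):
    """Return the list of indicators a single record trips (empty if clean)."""
    reasons = []
    if rec.get("ua") in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")
    if rec.get("ip") and from_suspect_network(rec["ip"]):
        reasons.append("suspect-network")
    if rec.get("soql") and targets_case_text(rec["soql"]):
        reasons.append("case-text-soql")
    if rec.get("event") == "BulkApi" and rec.get("action") == "DeleteJob":
        reasons.append("bulk-job-deleted")
    # Window membership only matters once something else is suspicious;
    # hits outside the window are kept so the search can be widened.
    if reasons and in_window(rec["ts"]):
        reasons.append("in-campaign-window")
    return reasons


def hunt(text):
    """Scan JSON-lines telemetry and return one finding per flagged record."""
    findings = []
    for rec in parse_records(text):
        reasons = score_record(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"], "reasons": reasons})
    return findings


def summarize(findings):
    """Count findings per principal so the abused integration user stands out."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["user"], ", ".join(f["reasons"]))
    print(summarize(hunt(SAMPLE_LOG)))
```

The per-user summary is the useful pivot: the integration principal that issued Case queries and then deleted its bulk job from an unexpected network is the one whose Drift-issued tokens need revoking first. Exact User-Agent matching is deliberate so that the strings stay byte-for-byte identical to the published indicators; add prefix matching only after confirming your baseline of legitimate Python clients.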

This campaign underscores how OAuth token abuse and “shadow secrets” in support workflows can cascade across cloud ecosystems. Rapidly revoking tokens, rotating secrets, and eliminating secrets from ticketing and CRM systems materially reduces the chance of follow-on compromise. Organizations should pair immediate containment with durable controls around OAuth governance and data loss prevention to raise the cost of similar attacks.
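Step 4 above and the closing paragraph both call for discovering secrets already sitting in support cases and masking them before they can be mined. The scanner below is an added example, not the article's or any vendor's DLP code: it runs a small set of patterns over constructed Case records, reports each hit, and rewrites the field with a labelled redaction so the secret can be moved into a vault. The AWS access key ID pattern follows the documented AKIA prefix and 16-character body (the sample value is AWS's own published example key); the password, bearer and token patterns are generic heuristics I have assumed here and will need tuning against your own ticket corpus.

```python
"""Find and mask secrets pasted into support-case free text.

Added example, not part of the original article. Patterns other than the
AWS access key ID format are heuristics and will produce false positives.
"""
import re

# Ordered: more specific patterns first so they win on overlapping spans.
SECRET_PATTERNS = {
    # AWS access key ID: 'AKIA' followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Generic "password: value" / "pwd=value" in prose (heuristic).
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # HTTP-style "Bearer <token>" pasted from a request (heuristic).
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]+=*)"),
    # "token=value", "api_key: value", "secret-key=value" (heuristic).
    "token_assignment": re.compile(r"(?i)\b(?:token|api[_-]?key|secret[_-]?key)\s*[:=]\s*(\S+)"),
}

# Constructed sample cases; AKIAIOSFODNN7EXAMPLE is AWS's documented example ID.
SAMPLE_CASES = [
    {"id": "CASE-CONSTRUCTED-1",
     "description": "Sync fails. Our creds: AKIAIOSFODNN7EXAMPLE / password: hunter2 please check."},
    {"id": "CASE-CONSTRUCTED-2",
     "description": "Snowflake connector error, token=sf_token_value_constructed attached log."},
    {"id": "CASE-CONSTRUCTED-3",
     "description": "Chat widget renders slowly on mobile."},
]


def find_secrets(text):
    """Return non-overlapping secret hits as dicts sorted by position."""
    found, taken = [], []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            start, end = m.span(1)
            # Skip spans already claimed by an earlier, more specific pattern.
            if any(s < end and start < e for s, e in taken):
                continue
            taken.append((start, end))
            found.append({"type": name, "start": start, "end": end, "value": m.group(1)})
    found.sort(key=lambda f: f["start"])
    return found


def mask_secrets(text):
    """Replace each secret value with a labelled redaction, right to left."""
    out = text
    for f in sorted(find_secrets(text), key=lambda f: f["start"], reverse=True):
        out = out[:f["start"]] + f"[REDACTED:{f['type']}]" + out[f["end"]:]
    return out


def scan_cases(cases, field="description"):
    """Scan one free-text field per case; return findings and the masked text."""
    results = []
    for case in cases:
        text = case.get(field, "")
        results.append({
            "case_id": case["id"],
            "findings": find_secrets(text),
            "masked": mask_secrets(text),
        })
    return results


if __name__ == "__main__":
    for r in scan_cases(SAMPLE_CASES):
        print(r["case_id"], [f["type"] for f in r["findings"]])
        print("   ", r["masked"])
```

Masking from the end of the string keeps earlier offsets valid, and claiming spans in pattern order prevents a generic rule from re-labelling a value a specific rule already caught. In a real deployment the findings list is what you hand to the vault ingestion and rotation workflow; the masked text is what gets written back to the CRM field.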
