Token Hijack: The Drift-Salesforce Breach that Shook SaaS
KELA released a new report providing a review of the Salesloft Drift supply chain compromise, a widespread data theft campaign that exploited the Salesloft-to-Salesforce attack vector.
Published September 6, 2025

In August 2025, one of the most significant SaaS supply chain compromises to date unfolded. Known as the Salesloft Drift Campaign, this widespread incident exploited the integration between Salesloft and Salesforce, using OAuth tokens stolen from the Drift chat agent to gain unauthorized access to customer environments. The result? Data theft across dozens of organizations, including major cybersecurity vendors, SaaS providers, and global enterprises.
Read on for the report highlights.
How the Attack Unfolded
The campaign, attributed by Google’s Threat Intelligence Group (GTIG) to a new actor cluster named UNC6395, began with the compromise of Salesloft’s infrastructure. The attackers stole OAuth and refresh tokens from Drift, which were designed to synchronize data between Drift and Salesforce. GTIG also said that the scope of compromise was wider than initially thought and may impact other Salesloft Drift integrations.
Unlike traditional credential theft, OAuth token abuse bypassed primary authentication methods, including multi-factor authentication (MFA). With refresh tokens in hand, the attackers maintained persistent access, seamlessly generating new session tokens over the course of a ten-day campaign.
From there, UNC6395 pivoted directly into the Salesforce environments of affected organizations. Using Salesforce Object Query Language (SOQL), the attackers searched for high-value secrets—such as AWS access keys, Snowflake tokens, and passwords—often embedded in support cases and customer records.
Tactics, Techniques, and Procedures (TTPs)
The actor cluster UNC6395 used a disciplined playbook to exploit the Salesloft Drift integration:
Reconnaissance: Accessed Salesloft’s GitHub repositories and probed application environments to identify valuable OAuth tokens.
Data Mining via Salesforce Object Query Language (SOQL): Queried Salesforce environments with keywords like AKIA (AWS keys), Snowflake, password, and secret to extract high-value credentials embedded in support cases.
Operational Security and Evasion: Routed traffic through Tor and VPS infrastructure (AWS, DigitalOcean) to obscure origins, and attempted log cleanup by deleting query jobs.
This approach highlights a growing trend: attackers are not stealing entire CRM datasets but targeting the “crown jewels” hidden in SaaS platforms: credentials that open the door to broader cloud and enterprise systems.
Who Was Impacted
The blast radius was wide. Public disclosures confirm that organizations such as Akamai, Cloudflare, Palo Alto Networks, CyberArk, BeyondTrust, Bugcrowd, Proofpoint, Zscaler, Tanium, and Workiva were among those affected.
While the scope varied from exposed contact information and support ticket data to compromised API tokens, the incident underscores how third-party integrations can quickly become single points of failure. Cloudflare, for example, confirmed that 104 API tokens were exposed, while Akamai acknowledged that an active API key was included in its compromised support cases.
Attribution: A Complex Picture
Attribution for the campaign remains contested. While ShinyHunters and actors linked to Scattered Spider claimed responsibility on Telegram and in underground forums, Google’s formal analysis points to UNC6395, a distinct cluster not definitively tied to those extortion groups.
The opportunistic claims from ShinyHunters and Scattered Spider highlight how cybercriminal groups may leverage high-profile incidents for reputation building, even without direct involvement.
Mitigations: How to Respond and Build Resilience
The Salesloft Drift campaign illustrates a broader problem: the chain of trust in SaaS ecosystems. Organizations often assume that vendors and integrations enforce robust security controls, but as this campaign shows, a single weak link can cascade across hundreds of enterprises.
The campaign also underscores that SaaS supply chain attacks are not a matter of “if” but “when.” Organizations need a layered response strategy that addresses both immediate containment and long-term resilience. KELA recommends a three-phase approach:
Phase 1: Immediate Containment
Assume all authentication tokens (access, refresh, API keys) are compromised.
Audit and isolate all third-party integrations to map the potential blast radius.
Revoke and rotate all credentials to cut off attacker persistence.
Phase 2: Proactive Investigation
Hunt for Indicators of Compromise (IOCs) such as malicious IPs and user agents.
Conduct deep log analysis in Salesforce and other SaaS platforms to detect suspicious queries or unusual access patterns.
Scan data stores for embedded secrets (e.g., AWS keys, Snowflake tokens, VPN credentials) that attackers may have exfiltrated.
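The Phase 2 hunting steps above can be expressed as a small detection pass: the same keywords the TTP section says UNC6395 used in its SOQL searches (AKIA, Snowflake, password, secret) become a watch pattern over query logs, an IOC watchlist is matched against source IP and user agent, and free-text records are scanned for embedded AWS access key IDs. This is an added example, not code from the KELA report; the log record shape, the field names, and the watchlist values (TEST-NET placeholder IPs, a made-up user agent) are constructed assumptions, and the AWS key is the documented AWS example value.

```python
import re

# Keywords the report says the actor searched for inside Salesforce records;
# the same words make a useful detection on your own query logs.
SECRET_KEYWORDS = ("akia", "snowflake", "password", "secret")
# Shape of an AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Constructed watchlist; replace with the IOCs from your own threat-intel feed.
IOC_IPS = {"203.0.113.10"}                 # RFC 5737 TEST-NET-3 placeholder
IOC_USER_AGENTS = {"python-requests/2.31"}  # assumed agent chosen for this example

# Constructed API query log records (field names are an assumption, not a Salesforce schema).
SAMPLE_LOGS = [
    {"user": "drift-integration", "ip": "198.51.100.4", "ua": "Drift/1.0",
     "soql": "SELECT Id, Name FROM Contact LIMIT 100"},
    {"user": "drift-integration", "ip": "203.0.113.10", "ua": "python-requests/2.31",
     "soql": "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'"},
    {"user": "drift-integration", "ip": "192.0.2.7", "ua": "Mozilla/5.0",
     "soql": "SELECT Body FROM CaseComment WHERE Body LIKE '%password%'"},
    {"user": "alice", "ip": "192.0.2.8", "ua": "Mozilla/5.0",
     "soql": "SELECT Id FROM Account WHERE Name = 'Acme'"},
]
# Constructed support-case text containing the documented AWS example key.
SAMPLE_CASE_TEXT = "Customer pasted their config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE"


def flag_query_event(rec):
    """Return the reasons a log record looks like secret hunting (empty list if clean)."""
    reasons = []
    query = rec["soql"].lower()
    hits = [k for k in SECRET_KEYWORDS if k in query]
    if hits:
        reasons.append("secret-keyword-query:" + ",".join(hits))
    if rec["ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if rec["ua"] in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")
    return reasons


def hunt(records):
    """Run the detection over a batch of records; yields (user, reasons) for each hit."""
    return [(r["user"], reasons) for r in records if (reasons := flag_query_event(r))]


def scan_for_secrets(text):
    """Phase 2 data-store scan: find AWS access key IDs embedded in free text."""
    return AWS_KEY_RE.findall(text)


if __name__ == "__main__":
    for user, reasons in hunt(SAMPLE_LOGS):
        print(f"{user}: {', '.join(reasons)}")
    print("embedded keys:", scan_for_secrets(SAMPLE_CASE_TEXT))
```

A real deployment would feed this from the platform's exported event logs and treat any hit on a connected-app user such as the Drift integration as grounds for immediate token revocation (Phase 1).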
Phase 3: Long-Term Hardening
Enforce least privilege for all connected apps and remove overly permissive OAuth scopes.
Apply network and session controls such as IP restrictions, login ranges, and session timeouts.
Refine user permission models by restricting powerful API access only to dedicated service accounts.
By taking these steps, organizations can not only contain the fallout of an incident but also reduce their exposure to the next supply chain attack waiting in the wings.
For more information on the Salesloft Drift Campaign, including IOCs, victim profiles, and more, KELA customers can access the full report in the KELA Platform. If you’re not a KELA customer and want access, reach out here.