HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Root cause of Salesforce breaches traced to OAuth token theft

Written by Farah Amod | Sep 30, 2025 11:22:42 PM

A coordinated cyberattack exploited OAuth tokens linked to Salesforce, exposing hundreds of companies to data compromise.


What happened

New information has revealed the full scope and technical pathway behind the massive series of Salesforce-related data breaches in 2025. The attackers exploited compromised OAuth tokens, originally obtained through unauthorized access to the GitHub environment of Salesloft, a third-party AI marketing integration used by Drift, which itself is used by Salesforce customers.

The threat campaign affected hundreds of organizations, including major tech and cybersecurity companies such as Cloudflare, Zscaler, Palo Alto Networks, and even global brands like Allianz, TransUnion, and Air France.


Going deeper

Salesloft’s internal investigation found that between March and June 2025, attackers infiltrated its GitHub repositories, added a guest user, and deployed workflows to exfiltrate sensitive information. The campaign expanded when attackers pivoted to Drift’s AWS environment and harvested OAuth tokens used by Drift’s customers to connect with platforms like Salesforce.

These stolen tokens enabled unauthorized access to integrated systems, including the Salesforce instances of numerous global organizations. Although Salesloft claims its core application was not compromised, it has since rotated all credentials and hardened its infrastructure.

Salesforce temporarily severed its integration with Salesloft during the investigation, but that connection has since been restored. Meanwhile, Drift has been taken offline and fully isolated.

Affected customers were instructed to treat any credentials stored in their Salesforce objects, including GCP service account keys, AWS credentials, and Snowflake tokens, as compromised.


What was said

Salesloft stated the attack has been contained and is now under forensic quality assurance review with the help of Mandiant. The company released known attacker IP addresses and user-agent strings to aid threat detection efforts.
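The practical use of published attacker IP addresses and user-agent strings is to sweep login records for them. The following is an added example, not code from the article or from Salesloft: it matches a constructed list of indicators against constructed login records. The indicator values (RFC 5737 documentation addresses and made-up agent strings) and the record field names are placeholders, not Salesloft's published list or any Salesforce schema.

```python
import ipaddress

# Constructed indicator set standing in for the IPs and user-agent strings a
# vendor would publish after an incident. These are placeholders, not real IoCs.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
IOC_USER_AGENTS = {
    "python-requests/2.32.3",
    "Mozilla/5.0 (compatible; ExampleFetcher/1.0)",
}

# Constructed login records in a simplified shape (assumed field names, not a
# particular product's export format).
SAMPLE_LOGINS = [
    {"ts": "2025-01-01T02:14:07Z", "user": "integration-svc@example.com",
     "source_ip": "203.0.113.45", "user_agent": "python-requests/2.32.3",
     "status": "Success"},
    {"ts": "2025-01-01T02:15:30Z", "user": "jane@example.com",
     "source_ip": "192.0.2.77", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "status": "Success"},
    {"ts": "2025-01-01T08:00:01Z", "user": "bob@example.com",
     "source_ip": "10.20.30.40", "user_agent": "Mozilla/5.0 (Macintosh)",
     "status": "Success"},
    # Malformed source address: the matcher must not crash on it.
    {"ts": "2025-01-01T08:05:44Z", "user": "etl-svc@example.com",
     "source_ip": "not-an-ip",
     "user_agent": "Mozilla/5.0 (compatible; ExampleFetcher/1.0)",
     "status": "Success"},
]


def ip_matches(ip_text, ioc_ips, ioc_networks):
    """True if the address is listed directly or falls inside a listed network."""
    if ip_text in ioc_ips:
        return True
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # Unparseable address: report no match rather than aborting the sweep.
        return False
    return any(addr in net for net in ioc_networks)


def match_iocs(logins, ioc_ips=IOC_IPS, ioc_networks=IOC_NETWORKS,
               ioc_user_agents=IOC_USER_AGENTS):
    """Return every record that matches at least one indicator, with the reasons."""
    hits = []
    for rec in logins:
        reasons = []
        if ip_matches(rec.get("source_ip", ""), ioc_ips, ioc_networks):
            reasons.append("ioc_ip")
        if rec.get("user_agent") in ioc_user_agents:
            reasons.append("ioc_user_agent")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def accounts_to_review(hits):
    """Distinct accounts seen in matching records, for credential rotation triage."""
    return sorted({h["user"] for h in hits})


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGINS):
        print(hit["ts"], hit["user"], hit["source_ip"], hit["reasons"])
    print("accounts to review:", accounts_to_review(match_iocs(SAMPLE_LOGINS)))
```

A user-agent match alone is weaker evidence than an IP match, since agent strings are trivially shared by legitimate tooling; the reasons list is kept per record so an analyst can weight the two differently.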

Drift users were repeatedly advised to conduct thorough audits of connected Salesforce environments and revoke or rotate any sensitive credentials.

Three cybercriminal groups, believed to be operating as a loose coalition, have claimed responsibility for the breaches and are reportedly selling the stolen data while taunting authorities.


FAQs

What is an OAuth token, and why is it a security risk if stolen?

OAuth tokens allow one service to access another on a user's behalf without sharing passwords. If stolen, they can grant attackers direct access to integrated systems, often silently.


Why were GitHub repositories a target in this campaign?

GitHub repositories can contain sensitive configuration files, API keys, and scripts. Accessing them gives attackers insight into a company's development environment and integration credentials.


How can companies protect against token-based breaches like this?

Best practices include regularly rotating tokens, using least-privilege access, employing secret scanning tools, and conducting routine credential audits across integrations.
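Two of the points above, the instruction to treat credentials stored in Salesforce objects (GCP service account keys, AWS credentials, Snowflake tokens) as compromised, and the recommendation to use secret scanning, come down to the same task: find credential material sitting in CRM records so it can be rotated. The following is an added example, not code from the article or from any vendor. It runs heuristic patterns over constructed records; the AWS key-ID and GCP service-account JSON shapes follow their documented formats, while the Snowflake rule is an assumption that flags an account hostname near a token or password assignment. Record field names are made up.

```python
import re

# Heuristic patterns for the credential types named in the advisory.
# The Snowflake rule is an assumption: Snowflake tokens have no fixed shape,
# so it looks for an account hostname followed closely by a token/password key.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "snowflake_credential": re.compile(
        r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b.{0,80}?\b(?:token|password)\s*[=:]",
        re.I | re.S),
}

# Constructed records resembling exported CRM objects (assumed field names).
# The AWS key is the public documentation example, not a live credential.
SAMPLE_RECORDS = [
    {"Id": "001AAA000000001", "Name": "Acme Corp",
     "Description__c": "Renewal call notes; account manager is jane@example.com."},
    {"Id": "001AAA000000002", "Name": "Beta LLC",
     "Description__c": "ETL creds: AKIAIOSFODNN7EXAMPLE / (secret redacted)"},
    {"Id": "001AAA000000003", "Name": "Gamma Inc",
     "Integration_Config__c": '{"type": "service_account", "project_id": "example",'
                             ' "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...EXAMPLE\n'
                             '-----END PRIVATE KEY-----\n"}'},
    {"Id": "001AAA000000004", "Name": "Delta Ltd",
     "Description__c": "warehouse at xy12345.us-east-1.snowflakecomputing.com, token=eyJhbGciOi..."},
]


def redact(secret):
    """Keep only a short prefix so the report itself does not leak the value."""
    return f"{secret[:4]}…({len(secret)} chars)"


def scan_record(record):
    """Return one finding per (field, pattern) match in a single record."""
    findings = []
    for field, value in record.items():
        if field == "Id" or not isinstance(value, str):
            continue
        for kind, pattern in PATTERNS.items():
            match = pattern.search(value)
            if match:
                findings.append({"Id": record.get("Id", "?"), "field": field,
                                 "kind": kind, "sample": redact(match.group(0))})
    return findings


def scan_records(records):
    """Scan every record and return the combined findings list."""
    findings = []
    for record in records:
        findings.extend(scan_record(record))
    return findings


def rotation_checklist(findings):
    """Credential kinds that must be rotated, grouped by record Id."""
    checklist = {}
    for f in findings:
        checklist.setdefault(f["Id"], set()).add(f["kind"])
    return {rid: sorted(kinds) for rid, kinds in checklist.items()}


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f["Id"], f["field"], f["kind"], f["sample"])
    print(rotation_checklist(results))
```

The scanner reports a redacted prefix rather than the matched value, so its output can be shared with an incident channel without copying the secret again. Pattern hits are a starting point for rotation, not proof the credential was valid; the advisory's guidance was to rotate everything stored in the affected objects regardless.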


Was Salesforce itself breached directly?

No. The breaches occurred through integrations with Salesforce, particularly via compromised third-party tools like Drift that had access to Salesforce environments.


What part did Mandiant play in the investigation?

Mandiant conducted a forensic analysis and is now overseeing quality assurance to ensure no indicators of compromise remain in the affected environments.