Salesloft Drift AI ChatBot Breach: Hackers Steal OAuth Tokens

Executive Summary

In August 2025, a significant data breach involving the Salesloft Drift AI chatbot integration was reported, impacting over 700 Salesforce customer organizations. Between August 8 and August 18, hackers exploited compromised OAuth tokens, which allowed them unauthorized access to Salesforce CRM environments. The attack was orchestrated by the threat group UNC6395, utilizing automated Python scripts to exfiltrate sensitive credentials, including AWS access keys and Snowflake tokens. Salesloft and Salesforce promptly acted by revoking access and notifying affected customers, but the scale of the breach raised concerns about the security of OAuth implementations in third-party integrations.

 Read the full breach analysis from NHI Mgmt Group here

Key Details

Breach Timeline

• August 8-18, 2025: Unauthorized access to Salesforce environments via compromised OAuth tokens.
• Immediate detection led to a rapid response by Salesloft and Salesforce.
• Access was revoked, and customers were notified about the breach.

Data Compromised

• OAuth and refresh tokens from Salesloft Drift AI integration were stolen, granting direct access to Salesforce data.
• Exfiltrated credentials included AWS access keys and Snowflake tokens, critical for cloud services.
• Automated scripts were used to extract sensitive information, raising alarms about data security practices.

Impact Assessment

• Over 700 Salesforce organizations were affected, leading to potential exposure of sensitive customer data.
• The breach may have significant financial and reputational repercussions for Salesloft and its customers.
• Security implications highlight the risks of third-party integrations and the need for enhanced OAuth security measures.

Company Response

• Salesloft and Salesforce acted swiftly to revoke access and secure their platforms.
• Affected customers were promptly informed about the breach and recommended to change their credentials.
• Future strategies include improving security protocols for OAuth implementations in integrations.

Security Implications

• The breach underscores vulnerabilities in OAuth token management and third-party integrations.
• Organizations are urged to conduct security assessments and optimize their authentication mechanisms.
• Enhanced monitoring and alerting systems can mitigate risks associated with such attacks in the future.

 If you want to learn more about how to secure NHIs including AI Agents, check our NHI Foundational Training Course.