Salesforce OAuth Token Breach: What Every Security Team Must Know

Valence Security
August 27, 2025
5 min read

August 2025 has delivered another wake-up call for SaaS security teams.

Google’s Threat Intelligence Group (GTIG) disclosed a widespread data-theft campaign targeting Salesforce instances—not by breaching Salesforce directly, but by exploiting OAuth tokens issued to the third-party app Salesloft Drift.

The threat actor UNC6395 used these stolen tokens to quietly infiltrate environments, bypass authentication controls, and extract sensitive data.

This attack reinforces a critical truth:

Securing SaaS means protecting not just your business-critical apps, but also every non-human identity and SaaS-to-SaaS integration that has access to them.

TL;DR 

In August 2025, attackers used stolen OAuth tokens from the Salesloft Drift app to access Salesforce environments without triggering MFA. This wasn’t a Salesforce vulnerability, but a trusted integration turned into an entry point. Google’s Threat Intelligence Group (GTIG) estimates over 700 organizations were affected. The attackers exfiltrated not just Salesforce data, but sensitive cloud credentials like AWS keys and Snowflake logins. Drift was removed from AppExchange and tokens were revoked, but the breach highlights a broader truth: the real SaaS attack surface includes every integration, token, and non-human identity connected to your business-critical apps.

What Happened in the Salesforce Drift Breach

Between August 8–18, 2025, UNC6395:

  • Used stolen Salesloft Drift OAuth tokens to access Salesforce orgs
  • Bypassed MFA with those valid tokens: no password or interactive prompt was required
  • Impacted over 700 orgs, according to GTIG estimates
  • Targeted high-value data such as AWS access keys, Snowflake credentials, and other secrets stored in Salesforce records
  • Deleted the query jobs it had run to cover its tracks, though Salesforce event logs preserved evidence of the queries
  • On August 20, all Drift tokens were revoked and the app was pulled from the AppExchange

Why This Attack Matters

OAuth Tokens Bypass MFA

An OAuth access token is a bearer credential. MFA is satisfied once, when a user authorizes the app, and every API call made with the token afterwards is accepted without a password or prompt; the accompanying refresh token lets the holder keep minting new access tokens until it is revoked. A stolen token therefore lets an attacker operate as the integration, and unless token use is monitored, nothing alerts.

Third-Party SaaS Becomes a Backdoor

Organizations may secure Salesforce itself, but integrations are often overlooked. Drift wasn’t malicious—but its trust was weaponized.

Secrets Stored in SaaS Increase Blast Radius

Attackers searched Salesforce for embedded credentials. A single compromised SaaS app can lead to cascading breaches across AWS, Snowflake, GitHub, and more.

Non-Human Identities Are Attractive Targets

Service accounts, tokens, and API keys often lack monitoring or governance—making them low-effort, high-reward for attackers.

How to Detect If You Were Impacted

Review Salesforce event logs for:

  • Unusual or high-volume SOQL queries between August 8 and 18, especially bulk exports of objects such as Case and Account, or queries that hunt for credential-like strings
  • Deleted query jobs, especially those run by the Drift connected app
  • Access from Tor exit nodes or unfamiliar IP addresses
  • Any Drift-related activity prior to the August 20 token revocation, not only inside the reported window

Even if the query jobs themselves were deleted, event logs may still record the queries, their source IPs, and the volume of rows returned.
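The review above, as an added Python example that is not part of the original post and is not Salesforce's or Valence's tooling: it runs the window, source-IP, targeted-object, credential-hunting and bulk-export checks over a handful of log rows. The column names (EVENT_TYPE, TIMESTAMP_DERIVED, CLIENT_IP, APP_NAME, QUERY, ROWS_PROCESSED) are an assumption loosely modeled on Salesforce Event Log File fields, the egress allow-list, the Tor exit list and the 10,000-row bulk threshold are placeholders, the sample rows are constructed, and deleted-job detection is not modeled.

```python
"""Triage of Salesforce-style API event log rows for the Drift campaign.
Example code, not Salesforce's or Valence's. Column names are an assumption
loosely modeled on Salesforce Event Log File fields; the log rows below
are constructed for the example, not real data."""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Campaign window reported by GTIG (8-18 August 2025); UTC bounds are an assumption.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive

# Placeholder allow-list of the organisation's own egress ranges (assumption).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Placeholder Tor exit list; a real deployment loads a current feed (assumption).
TOR_EXITS = {"198.51.100.77"}
# Objects the campaign targeted and strings that suggest credential hunting.
SENSITIVE_OBJECTS = ("case", "account", "user", "opportunity")
SECRET_HINTS = ("akia", "snowflake", "password", "secret", "token")
BULK_THRESHOLD = 10_000  # rows per query treated as a bulk export (assumption)

# Constructed sample rows: two Tor-sourced queries, one benign Drift query,
# one query before the window, and one large export from an unknown address.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,APP_NAME,QUERY,ROWS_PROCESSED
API,2025-08-10T02:14:09Z,005xx000001AAA,198.51.100.77,Drift,"SELECT Id, Subject, Description FROM Case",48213
API,2025-08-10T02:20:41Z,005xx000001AAA,198.51.100.77,Drift,"SELECT Id, Name FROM Account WHERE Name LIKE '%AKIA%'",17
API,2025-08-12T09:00:00Z,005xx000001BBB,203.0.113.10,Drift,"SELECT Id, Email FROM Lead LIMIT 50",50
API,2025-07-30T11:05:00Z,005xx000001AAA,203.0.113.10,Drift,"SELECT Id FROM Case LIMIT 200",200
BulkApi,2025-08-15T23:41:12Z,005xx000001AAA,192.0.2.55,Drift,"SELECT Id, Description FROM Case",120000
"""


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ip_reason(ip):
    """Return a reason if the source IP is a Tor exit or outside known ranges."""
    if ip in TOR_EXITS:
        return "tor_exit"
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in KNOWN_RANGES):
        return "unfamiliar_ip"
    return None


def query_reasons(query, rows_processed):
    """Flag queries that touch targeted objects, hunt for secrets, or export in bulk."""
    q = query.lower()
    reasons = []
    if any(f" from {obj}" in q for obj in SENSITIVE_OBJECTS):
        reasons.append("sensitive_object")
    if any(hint in q for hint in SECRET_HINTS):
        reasons.append("secret_hunting")
    if rows_processed >= BULK_THRESHOLD:
        reasons.append("bulk_export")
    return reasons


def triage(log_text, start=WINDOW_START, end=WINDOW_END, app="drift"):
    """Return rows from the given connected app, inside the window, that carry
    at least one suspicious signal. Rows with no signal are dropped so the
    app's routine activity does not drown the review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["APP_NAME"].lower() != app:
            continue
        ts = parse_ts(row["TIMESTAMP_DERIVED"])
        if not start <= ts < end:
            continue
        reasons = []
        ip_flag = ip_reason(row["CLIENT_IP"])
        if ip_flag:
            reasons.append(ip_flag)
        reasons.extend(query_reasons(row["QUERY"], int(row["ROWS_PROCESSED"])))
        if reasons:
            findings.append({
                "timestamp": ts.isoformat(),
                "user": row["USER_ID"],
                "ip": row["CLIENT_IP"],
                "event": row["EVENT_TYPE"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["timestamp"], f["user"], f["ip"], ", ".join(f["reasons"]))
```

On the constructed rows this reports the two Tor-sourced queries and the 120,000-row export from the unknown address, drops the small Lead query from a known range, and ignores the July row outside the window. Widening the window to the whole life of the Drift integration, as the last bullet suggests, is a matter of passing different start and end values.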

Recommended Security Actions

  1. Revoke and rotate: Remove unused OAuth tokens, rotate any credentials that were stored in Salesforce records (AWS keys, Snowflake logins, and similar), and reset Salesforce passwords
  2. Audit connected apps: Delete stale apps, enforce least-privilege scopes, and apply IP restrictions
  3. Harden Salesforce: Monitor event logs, shorten token lifetimes, and alert on token use from new IPs
  4. Control app approvals: Limit who can approve integrations and require security reviews for new apps
  5. Scan for secrets: Search Salesforce fields for embedded credentials and move them into a secrets manager
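Step 5, and the rotation worklist it feeds into step 1, as an added Python example that is not part of the original post and is not a Salesforce or Valence feature: a pattern scanner run over a few Case and Account field values. The records are constructed; the AWS values are the documented AWS example credentials, and the Snowflake account name and password are invented placeholders. The regular expressions are the usual heuristics for these secret types, not an API, and a real run would feed exported field values in place of the sample list.

```python
"""Scan Salesforce-style records for embedded credentials.
Example code, not Salesforce's or Valence's. The records below are
constructed; the AWS values are AWS's documented example credentials."""
import re

# Each pattern names the class of secret it finds. The password pattern
# captures the value after the separator; the others match the whole token.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])"),
    "snowflake_account": re.compile(
        r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b", re.IGNORECASE),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE),
}

# Constructed records: one with AWS keys, one with Snowflake details, one
# benign mention of the word "password", one SHA-1 hash that must not be
# mistaken for an AWS secret key.
SAMPLE_RECORDS = [
    {"Id": "500xx000000AAA1", "Object": "Case", "Field": "Description",
     "Value": "Customer sent their AWS creds: AKIAIOSFODNN7EXAMPLE / "
              "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500xx000000AAA2", "Object": "Case", "Field": "Comments",
     "Value": "Snowflake svc account for the ETL job: user=svc_etl "
              "password=Wint3r2025! account xy12345.snowflakecomputing.com"},
    {"Id": "500xx000000AAA3", "Object": "Case", "Field": "Description",
     "Value": "Please reset my password via the portal; the key takeaway is the SSO link."},
    {"Id": "001xx000000BBB1", "Object": "Account", "Field": "Notes",
     "Value": "Attachment sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709 verified."},
]


def mask(secret, keep=4):
    """Keep a short prefix so the owner can recognise the credential without
    the full value being copied into a ticket or chat."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_value(text):
    """Return (type, secret) pairs found in one field value."""
    hits = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            secret = match.group(1) if pattern.groups else match.group(0)
            hits.append((name, secret))
    # A bare 40-character run is a weak signal on its own (a SHA-1 hash looks
    # the same); only report it when an access key id sits in the same field.
    if not any(name == "aws_access_key_id" for name, _ in hits):
        hits = [h for h in hits if h[0] != "aws_secret_access_key"]
    return hits


def scan_records(records):
    """Scan every record and return one finding per secret, with a masked preview."""
    findings = []
    for rec in records:
        for secret_type, secret in scan_value(rec["Value"]):
            findings.append({
                "record": rec["Id"], "object": rec["Object"], "field": rec["Field"],
                "type": secret_type, "preview": mask(secret),
            })
    return findings


def summarize(findings):
    """Count findings per secret type; this is the rotation worklist for step 1."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f["object"], f["record"], f["field"], f["type"], f["preview"])
    print(summarize(results))
```

Each finding names the object, record and field so the value can be removed at the source and the credential rotated; the preview deliberately never reproduces the whole secret. The co-occurrence rule for the 40-character AWS secret pattern is what keeps the SHA-1 hash in the Account note out of the worklist.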

Lessons for SaaS Security Leaders

This campaign exposed critical blind spots in SaaS security programs:

  • OAuth tokens can be stolen and silently abused, bypassing MFA and other controls
  • Trusted integrations can be weaponized, turning legitimate access into high-risk exposure
  • Non-human identities now outnumber users and often operate without basic governance

Focusing solely on securing the platform while ignoring its ecosystem is no longer viable.

Valence’s Perspective

This breach highlights what we see in many environments we assess:

Integrations with excessive access, shadow IT apps granted OAuth permissions without review, and non-human identities operating with little to no oversight.

Valence helps security teams take back control. Our platform gives enterprises the ability to discover every connected app and integration, assess permissions and prioritize risks, and govern OAuth tokens, API keys, and app approvals with precision.

This isn’t news for us. We’ve been saying it for years: SaaS security is about securing your entire SaaS ecosystem.

Summary: Everything You Need to Know About the Salesforce Drift OAuth Breach

  • This was not a Salesforce breach. Attackers exploited compromised OAuth tokens from the Salesloft Drift app to access Salesforce environments without triggering MFA.
  • More than 700 organizations may be impacted. Google’s Threat Intelligence Group (GTIG) estimates widespread exposure across Salesforce customers.
  • Attackers stole more than just Salesforce data. Exfiltrated data included cloud credentials like AWS keys, Snowflake logins, and other embedded secrets.
  • Salesloft Drift was removed from AppExchange. Tokens were invalidated on August 20, but any data the Drift integration could reach before then should be treated as potentially exposed, and any credentials stored in that data should be rotated.
  • The real threat is the SaaS ecosystem. OAuth tokens, connected apps, and non-human identities now represent the most critical risks in SaaS environments.

Bottom Line

Attackers no longer need to breach Salesforce itself—they just need to compromise one trusted integration.

The ecosystem is the attack surface, and OAuth tokens, connected apps, and embedded secrets are now primary targets.

👉 Don’t wait for the next breach.

Get a Free SaaS Risk Assessment to identify where OAuth tokens, API keys, and integrations may be putting your organization at risk.
