
Salesloft Drift Supply Chain Attack: Comprehensive Analysis and Mitigation Strategies
The Salesloft Drift supply chain attack, attributed to the threat group UNC6395, took place between August 8 and August 18, 2025. Using compromised OAuth and refresh tokens issued to the third-party Salesloft Drift application, the attackers accessed Salesforce customer instances and exfiltrated sensitive data. The stolen data included AWS access keys, passwords, and Snowflake tokens. Salesloft responded by suspending the Drift application, revoking all active access tokens, and removing the application from the Salesforce AppExchange. More than 700 organizations are potentially affected.

The incident shows how the OAuth tokens held by a single third-party integration give an attacker the same access the integration has, without any interactive login or MFA prompt, and why that access must be scoped, rotated, and monitored. Organizations that used Drift should review every connected app and the scopes it was granted, treat credentials stored in Salesforce data (cases, notes, attachments) as exposed and rotate them, and check API and login activity for unexpected bulk queries from the Drift integration. More broadly, the attack underscores the importance of third-party risk management, credential hygiene, incident response planning, and continuous monitoring.
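The two response steps above (find which stored credentials were exposed so they can be rotated, and flag reads by the integration that go beyond what it should need) can be scripted against an export of the affected records and a log of API activity. The following is an added example, not code from Salesloft, Salesforce, or the original article. It assumes simplified record and event layouts (plain dicts with `Id`, `Subject`, `Description`, and `app`/`object`/`rows` keys), an assumed set of objects the Drift integration legitimately needs, and keyword heuristics for Snowflake tokens and passwords; only the AWS access key ID format is a documented shape. All sample data is constructed.

```python
"""Post-incident triage helpers for the Drift/Salesforce token compromise.

Added example; not code from Salesloft, Salesforce or the article. The record
and event layouts below are simplified assumptions, not real Salesforce schemas.
"""
import re
from collections import Counter
from dataclasses import dataclass

# The AWS access key ID shape (AKIA/ASIA + 16 uppercase alphanumerics) is
# public. The Snowflake and password patterns are keyword heuristics
# (assumption); tune them to the data your org actually stores.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|pat)\s*[:=]\s*([A-Za-z0-9_.\-]{20,})"
    ),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    value: str

    def redacted(self) -> str:
        """Enough to identify the credential without re-exposing it in a report."""
        return f"{self.value[:4]}...{self.value[-2:]}"


def scan_records(records):
    """Return every credential-looking string in the text fields of records."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    # Patterns with a capture group isolate the secret itself;
                    # the AWS pattern has no group, so the whole match is it.
                    value = m.group(1) if pattern.groups else m.group(0)
                    findings.append(Finding(rec["Id"], field, kind, value))
    return findings


def rotation_summary(findings):
    """Count exposed credentials by type; each one is a rotation task."""
    return dict(Counter(f.kind for f in findings))


# Objects a chat/sales-engagement integration plausibly needs (assumption:
# replace with the scopes you actually granted the connected app).
EXPECTED_OBJECTS = {"Salesloft Drift": {"Contact", "Lead"}}
BULK_ROW_THRESHOLD = 10_000


def flag_app_reads(events, app, expected=EXPECTED_OBJECTS, threshold=BULK_ROW_THRESHOLD):
    """Flag reads by `app` that touch objects outside its expected set or that
    exceed the bulk row threshold. Returns (event, reasons) pairs."""
    allowed = expected.get(app, set())
    flagged = []
    for ev in events:
        if ev["app"] != app:
            continue
        reasons = []
        if ev["object"] not in allowed:
            reasons.append(f"unexpected object {ev['object']}")
        if ev["rows"] >= threshold:
            reasons.append(f"{ev['rows']} rows >= {threshold}")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample data (not real records or logs).
SAMPLE_CASE_RECORDS = [
    {"Id": "500xx0000001", "Subject": "Deploy pipeline failing",
     "Description": "Temp creds: AKIAIOSFODNN7EXAMPLE / secret in vault"},
    {"Id": "500xx0000002", "Subject": "Snowflake access",
     "Description": "snowflake token = eyJraWQiOiIxMjM0NTY3ODkwIiwiYWxnIjoiRVMyNTYifQ"},
    {"Id": "500xx0000003", "Subject": "Password reset",
     "Description": "Customer said password: Summer2025!x and it still fails"},
    {"Id": "500xx0000004", "Subject": "Billing question", "Description": "No secrets here."},
]
SAMPLE_API_EVENTS = [
    {"ts": "2025-08-10T03:12:45Z", "app": "Salesloft Drift", "object": "Case", "rows": 250_000},
    {"ts": "2025-08-10T09:00:01Z", "app": "Salesloft Drift", "object": "Contact", "rows": 40},
    {"ts": "2025-08-10T02:00:00Z", "app": "Internal ETL", "object": "Case", "rows": 300_000},
    {"ts": "2025-08-11T03:14:02Z", "app": "Salesloft Drift", "object": "User", "rows": 12_000},
    {"ts": "2025-08-11T03:20:17Z", "app": "Salesloft Drift", "object": "Contact", "rows": 80_000},
]

if __name__ == "__main__":
    found = scan_records(SAMPLE_CASE_RECORDS)
    for f in found:
        print(f"{f.record_id}.{f.field}: {f.kind} {f.redacted()}")
    print("rotate:", rotation_summary(found))
    for ev, reasons in flag_app_reads(SAMPLE_API_EVENTS, "Salesloft Drift"):
        print(ev["ts"], ev["object"], "; ".join(reasons))
```

The secret scan deliberately reports redacted values: the point of the output is a rotation checklist, not a second copy of the credentials. The read check treats an out-of-scope object as a finding on its own, regardless of volume, because an integration that can read `Case` or `User` at all has more access than it needs.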