Whistic Advisory: Responding to the Drift OAuth Token Compromise

On September 3, 2025, Salesloft announced that it was taking Drift (a Salesloft-owned chatbot platform) temporarily offline following a widespread OAuth token theft campaign that has impacted hundreds of organizations.
The stolen OAuth tokens acted as persistent trust credentials: with them, the attackers could call the APIs of integrated platforms as the Drift integration itself, without breaching those platforms or any user account directly.
Notable downstream consequences include a TransUnion breach exposing 4.5M Social Security numbers, along with confirmed impacts to Cloudflare, Zscaler, Palo Alto Networks, and a limited number of Google Workspace accounts.
This advisory provides an overview of the incident, potential risks to your organization and third-party ecosystem, recommended response steps, and Whistic’s own investigation.
Description
Drift is a widely used AI-powered chatbot platform that integrates with Salesforce and other enterprise systems via OAuth tokens for seamless data synchronization.
In this campaign, threat actors tracked as UNC6395 (also referred to as GRUB1) harvested OAuth access and refresh tokens associated with Drift integrations. They then:
- Exfiltrated CRM data (customer records, cases, accounts, opportunities).
- Searched that data for embedded secrets (AWS access keys, Snowflake tokens, passwords) and stole them.
- Deleted their query jobs to obscure the activity; this did not remove the underlying event logs, which remained intact.
This incident underscores the systemic risk of third-party integrations: a compromise at a single vendor can cascade into critical infrastructure across industries.
Severity and Impact
- Type of Incident: Vendor breach with OAuth token compromise
- Threat Actor: UNC6395 (GRUB1)
- Attack Window: August 8–18, 2025
- Global Impact: Over 700 organizations affected (per Google Threat Intelligence Group)
- Severity Assessment: High
- Observed Impacts:
  - Unauthorized access to CRM environments through Drift integrations
  - Exfiltration of Salesforce and other enterprise data
  - Theft of OAuth access/refresh tokens tied to Drift apps
  - Exposure of sensitive credentials (AWS access keys, Snowflake tokens, passwords) stored in CRM data
  - Confirmed impacts: TransUnion, Cloudflare, Zscaler, Palo Alto Networks, Google Workspace accounts
  - Indicators of attacker tradecraft (deleted query jobs, but event logs intact)
Steps to Assess and Remediate
Step 1: Determine if you are at risk.
- Confirm whether your organization uses Drift integrated with Salesforce, Google, Slack, AWS, or other platforms.
- Review Salesforce Event Monitoring logs for unusual activity by the Drift Connected App.
- Check source IP addresses and User-Agent strings on API and login activity between August 8 and 18, 2025, against the indicators published by Google Threat Intelligence Group.
- Audit UniqueQuery events, which record the SOQL queries the attackers ran.
- Examine the Drift Connected App's authentication (login and OAuth) logs.
- Open a Salesforce support case to obtain logs of attacker queries.
Step 2: Assess your vendor network.
- Confirm whether key vendors were exposed.
- Request remediation evidence.
- For Whistic Customers: Access the Drift Security Questionnaire in the Whistic Questionnaire Standards Library.
- For Security Teams Not Using Whistic: Download the standalone Drift Security Assessment Template spreadsheet.
Step 3: Scan for exposed secrets.
- Search Salesforce and integrated systems for:
- AWS access keys (e.g., “AKIA…”)
- Snowflake credentials or “snowflakecomputing.com” references
- Strings like “password,” “secret,” “key”
- Organization-specific login URLs (VPN, SSO, etc.)
- Run tools such as TruffleHog to detect hardcoded secrets.
Step 4: Revoke, rotate, and harden.
- Immediately revoke the Drift Connected App's OAuth tokens and any credentials found in exposed data.
- Rotate secrets and reset affected user passwords.
- Reduce Connected App scopes to least privilege.
- Enforce IP restrictions on Connected Apps and define strict Login IP Ranges on profiles.
- Remove the "API Enabled" permission from users and profiles that do not need it.
- Consider shorter session timeout values to reduce exposure windows.
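As an added example (not code from Whistic, Salesforce, or Drift), the following Python script implements the Step 3 search and produces the Step 4 rotation list: it runs the advisory's indicator patterns (AWS "AKIA…" keys, snowflakecomputing.com references, password/secret/key assignments, internal login URLs) over an exported set of CRM text fields, redacts what it finds, and groups affected records by credential class. ORG_DOMAIN, the record IDs, and all record contents are constructed for the example; the AWS key values are AWS's documented dummy keys, not live credentials; the ASIA prefix (temporary AWS STS keys) goes beyond the page's AKIA example.

```python
"""Scan exported CRM text fields for the indicators listed in Step 3.

Added example for this advisory; it is not Whistic's, Salesforce's or
Drift's own tooling. Input is a list of records shaped like a Data
Loader / Bulk API export of text fields (Case.Description, Opportunity
notes, Account.Description). The records below are constructed; the
credential-shaped values are AWS's published dummy keys and made-up
strings, not real secrets.
"""
import re
from collections import defaultdict

# Assumption: the organisation's own domain, used to find internal
# VPN/SSO login URLs pasted into CRM records. Replace before a real run.
ORG_DOMAIN = "example.com"

# One regex per indicator class from the advisory. The ASIA prefix
# (temporary AWS STS keys) is a generalisation beyond the page's "AKIA...".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I),
    "snowflake_account": re.compile(r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b", re.I),
    "credential_assignment": re.compile(
        r"\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\",;]{6,})", re.I),
    "internal_login_url": re.compile(
        r"https?://[a-z0-9.-]*(?:vpn|sso|login)[a-z0-9.-]*\." + re.escape(ORG_DOMAIN) + r"\S*",
        re.I),
}


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to a ticket without
    copying the whole secret into yet another system."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_records(records):
    """Return one finding per pattern hit: which record/field, what kind,
    and a redacted value. Where the regex has a capture group, the last
    group is the secret itself rather than the surrounding 'password =' text."""
    findings = []
    for rec in records:
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(rec["text"]):
                value = m.group(m.lastindex or 0)
                findings.append({
                    "record": rec["id"], "object": rec["object"],
                    "field": rec["field"], "kind": kind,
                    "redacted": redact(value),
                })
    return findings


def rotation_plan(findings):
    """Group affected record IDs by credential class so each owning team
    gets one list of what to revoke or rotate (Step 4)."""
    plan = defaultdict(set)
    for f in findings:
        plan[f["kind"]].add(f["record"])
    return {kind: sorted(ids) for kind, ids in plan.items()}


# Constructed sample export; IDs and contents are invented for the example.
SAMPLE_RECORDS = [
    {"id": "500-001", "object": "Case", "field": "Description",
     "text": "Customer shared AWS creds: AKIAIOSFODNN7EXAMPLE / "
             "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"},
    {"id": "006-002", "object": "Opportunity", "field": "Notes",
     "text": "Warehouse is at acme-prod.snowflakecomputing.com, user svc_bi password: Wint3r!2025"},
    {"id": "500-003", "object": "Case", "field": "Description",
     "text": "Remote access via https://vpn.example.com/remote and SSO at https://sso.example.com"},
    {"id": "001-004", "object": "Account", "field": "Description",
     "text": "Customer prefers email; no secrets here, ticket closed."},
]

if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['object']} {h['record']} {h['field']}: {h['kind']} -> {h['redacted']}")
    print("rotation plan:", rotation_plan(hits))
```

To use it on a real export, replace SAMPLE_RECORDS with rows read from the Data Loader CSV and set ORG_DOMAIN to your own domain. Treat every credential hit as exposed unless the Salesforce logs obtained in Step 1 show that the record was never returned by an attacker query; the keyword patterns are deliberately broad, so review hits rather than acting on the count alone.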
Does this affect Whistic?
As part of our investigation, we have determined that Whistic was not directly impacted by this incident.
- Whistic does not use Drift integrations in our production environment.
- Our engineering team reviewed Salesforce, Google, Slack, and AWS integrations and confirmed no exposure to Drift-issued tokens.
- We continue to monitor advisories and intelligence feeds for updates.
Closing
The Drift OAuth token compromise is a critical reminder of integration risk: even a vendor perceived as non-critical can provide attackers with keys to enterprise platforms.
This incident also highlights the importance of monitoring not only direct vendors (third parties) but also their dependencies (fourth parties), since risks can cascade across the supply chain.
At Whistic, we are committed to helping our customers strengthen third-party security through transparent disclosures, standardized questionnaires, and continuous monitoring tools.
Action: Access the Drift Security Questionnaire in Whistic or Download the Drift Security Assessment Template spreadsheet.