Data Theft Alert: Salesforce Instances Breached via Third-Party App OAuth Tokens
Drift has disclosed details of a security incident involving its Salesforce integration. Between August 8 and August 18, 2025, an unknown actor exploited OAuth credentials to extract data from customer Salesforce instances. According to the company, the attacker’s primary objective was the theft of sensitive secrets—ranging from AWS keys and passwords to access tokens associated with Snowflake. Only organizations with the Drift-Salesforce integration enabled were affected; for all others, no risk has been identified.
In coordination with Salesforce, all active access and refresh tokens for the Drift application were swiftly revoked, requiring administrators to reauthenticate in order to restore integration functionality. An external DFIR team has been engaged, and at present no signs of ongoing malicious activity have been observed. Drift has pledged to provide customers with individualized breakdowns of the attacker’s actions within their environments.
Analysis of the intrusion revealed a focused interest in fields that could potentially contain secrets. Within Salesforce, the adversary queried objects such as Cases, Accounts, Users, and Opportunities, employing both bulk extractions to create “snapshots” of tickets and targeted probes for secret-related patterns. Two illustrative SOQL queries included:
- To enumerate fields across cases:
  SELECT Id, Description, Subject, Comments FROM Case WHERE CreatedDate >= :x ORDER BY CreatedDate DESC NULLS FIRST LIMIT 2000
- To probe specific fields for matches against known patterns:
  SELECT Id FROM Case WHERE SuppliedEmail LIKE :x LIMIT 1000
Here, the parameter :x varied depending on the attacker’s objective.
To aid customers in conducting their own investigations, Drift has published indicators of compromise. Notably, three anomalous User-Agent strings in HTTP traffic warrant scrutiny:
- python-requests/2.32.4
- Salesforce-Multi-Org-Fetcher/1.0
- Python/3.11 aiohttp/3.12.15
Drift emphasized that the list of IOCs will continue to be updated and that affected clients will receive detailed timelines of the attacker’s activity within their Salesforce instances.
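As an added example (not code from Drift's advisory or from Salesforce), the following Python triages exported API log records against the three published User-Agent indicators and against the shape of the two SOQL queries quoted above, flagging bulk pulls of free-text Case fields and LIKE probes. The record keys (user_agent, query) and the sample records are assumed and constructed; a real export from Salesforce event logs would need to be mapped onto them.

```python
import re

# User-Agent strings published as indicators of compromise (from the advisory).
IOC_USER_AGENTS = {"python-requests/2.32.4", "Salesforce-Multi-Org-Fetcher/1.0",
                   "Python/3.11 aiohttp/3.12.15"}
# Objects the attacker was observed querying (from the advisory).
TARGET_OBJECTS = {"Case", "Account", "User", "Opportunity"}
# Free-text fields bulk-extracted as ticket "snapshots" in the incident.
SNAPSHOT_FIELDS = {"Description", "Subject", "Comments"}

_SELECT_RE = re.compile(r"SELECT\s+(.*?)\s+FROM\s+(\w+)", re.IGNORECASE)
_LIMIT_RE = re.compile(r"\bLIMIT\s+(\d+)", re.IGNORECASE)

def classify_query(soql: str) -> list[str]:
    """Return the reasons a SOQL statement resembles the observed tradecraft."""
    m = _SELECT_RE.search(soql)
    if not m or m.group(2) not in TARGET_OBJECTS:
        return []
    obj = m.group(2)
    fields = {f.strip() for f in m.group(1).split(",")}
    limit_val = int(lim.group(1)) if (lim := _LIMIT_RE.search(soql)) else 0
    reasons = []
    # Bulk snapshot: free-text fields pulled in large pages (LIMIT 2000 was seen).
    if fields & SNAPSHOT_FIELDS and limit_val >= 1000:
        reasons.append(f"bulk snapshot of {obj} free-text fields")
    # Targeted probe: a LIKE pattern match against a field, as in the second query.
    if re.search(r"\bLIKE\b", soql, re.IGNORECASE):
        reasons.append(f"pattern probe against {obj}")
    return reasons

def triage(records: list[dict]) -> list[dict]:
    """Return records worth review, annotated with their matching reasons.
    Assumed record shape (not Salesforce's real schema): keys user_agent, query."""
    hits = []
    for rec in records:
        reasons = ["IOC user agent"] if rec.get("user_agent") in IOC_USER_AGENTS else []
        reasons += classify_query(rec.get("query", ""))
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits

# Constructed sample records for demonstration; not real log data.
SAMPLE_RECORDS = [
    {"user_agent": "python-requests/2.32.4",
     "query": "SELECT Id, Description, Subject, Comments FROM Case WHERE CreatedDate >= :x "
              "ORDER BY CreatedDate DESC NULLS FIRST LIMIT 2000"},
    {"user_agent": "Salesforce-Multi-Org-Fetcher/1.0",
     "query": "SELECT Id FROM Case WHERE SuppliedEmail LIKE :x LIMIT 1000"},
    {"user_agent": "Mozilla/5.0", "query": "SELECT Id, Name FROM Account LIMIT 10"},
]
```

Calling triage(SAMPLE_RECORDS) returns the first two records with their reasons and drops the ordinary browser query; the query heuristics are deliberately coarse and should be tuned against each org's normal integration traffic.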