“How do you secure a door you never knew was open?” Enterprises face that unsettling question after a broad data-theft campaign exploited OAuth tokens tied to the Drift AI chat agent to siphon information from Salesloft — potentially creating a corridor into downstream Salesforce records. The incident illustrates how a single weak link in a web of integrations can expose large volumes of sensitive CRM data and why OAuth tokens, when mishandled, become high-value targets for opportunistic attackers.
Who did this and how it worked
Security researchers at Google Threat Intelligence Group and incident responders at Mandiant attribute the campaign to a group tracked as UNC6395. Rather than a bespoke, surgical intrusion, the operation appears opportunistic: broad scanning and harvesting of OAuth tokens stored or accessible via Salesloft accounts integrated with Drift. Those tokens — and in some cases long-lived refresh tokens — allowed the adversary to act on behalf of users until tokens were revoked or sessions expired.
At its core, this was a chain-of-trust failure. OAuth tokens are intended to let services act for users without sharing passwords, but when tokens or refresh tokens are exposed through upstream compromise, misconfiguration, or vulnerable integrations, they function as master keys. Salesloft sits between sales workflows and customer data systems such as Salesforce; misuse of tokens there can cascade into CRM exposure across many customers.
OAuth tokens: why they matter and how they fail
OAuth tokens deserve special attention because they invert traditional security assumptions. Instead of protecting a single endpoint, they grant delegated access across systems. That means:
– Excessive scopes grant more permissions than necessary, increasing blast radius when tokens are stolen.
– Long-lived refresh tokens sustain access long after initial compromise.
– Poor token storage and transmission practices make tokens easy to harvest.
– Weak monitoring and telemetry let token replay go undetected across sessions or geographies.
In this campaign, attackers capitalized on these common failures. Organizations often treat OAuth as a convenience layer rather than a critical security boundary, which leaves integrations — especially AI-driven chat agents with broad access — underprotected.
Practical remediation steps for organizations
If you used Salesloft integrations with Drift or downstream connectors like Salesforce, assume risk until you can verify otherwise. Immediate actions include:
– Revoke affected OAuth tokens and rotate credentials for service accounts and API keys.
– Enforce multifactor authentication for accounts that control integrations.
– Shorten token lifetimes and limit scopes to the minimum required for functionality.
– Require client authentication for refresh-token flows and bind tokens to specific clients or devices where possible.
– Audit and review all third-party integrations and remove unnecessary connectors.
Defenders should also harden detection: maintain comprehensive audit logs, watermark tokens where feasible, and tune anomaly detection to flag unusual OAuth usage patterns (sudden geographic changes, multiple token exchanges, or atypical API calls).
Strategic changes to reduce future risk
Beyond tactical fixes, organizations need strategic shifts to address systemic exposure from third-party AI agents. Recommended measures include:
– Pre-deployment integration risk assessments that evaluate how an AI agent handles, stores, and transmits tokens and data.
– Contractual and operational transparency requirements from vendors around token retention, revocation capabilities, and incident response timelines.
– Adoption of zero-trust principles: assume compromise of any single token and design to minimize impact through granular access control and short-lived credentials.
– Regular supply-chain and dependency reviews to identify chains of trust that could propagate compromise.
Attackers prefer scale; defenders must minimize mass impact
UNC6395’s opportunistic approach highlights a wider adversary trend: favoring workflows that scale across many targets. That means defending one server or app is no longer sufficient. Security teams must think in terms of mass-minimization — reducing the windows attackers can exploit across the entire estate by limiting token scope and lifetime, improving telemetry, and accelerating revocation.
Vendor responsibilities and transparency
Salesloft, Drift, Google Threat Intelligence Group, and Mandiant have been cited in public reporting; involved organizations have limited technical disclosure while advising customers to rotate credentials and monitor activity. Customers should press vendors for confirmation that affected tokens were revoked and for clear timelines of remediation steps. Rapid, transparent communication and verifiable remediation are essential to restoring trust when OAuth tokens are involved.
Conclusion: assume compromise, shorten the blast radius
This episode is not merely a technical cautionary tale; it’s a reminder that OAuth tokens, API grants, and third-party connectors that speed workflows can also become systemic points of failure when not governed rigorously. Treat every integration as a potential exposure vector, demand vendor transparency about token handling, and make rapid token revocation and auditability routine parts of incident playbooks. In short: assume compromise, then shorten the blast radius — because the easier it is to connect services, the harder it becomes to reason about who can actually see your sensitive data.




