A data theft campaign impacted over 700 organizations using the Salesloft Drift integration with Salesforce. A threat actor exploited compromised OAuth tokens to gain unauthorized API access between June 8 and June 18, 2026. The attacker systematically exported large volumes of data including support cases and contact information. Stolen records also contained embedded plaintext credentials such as AWS keys and passwords.
The breach targeted the trusted third-party connection rather than Salesforce's core platform. Salesloft and Salesforce detected the activity on June 19. Both companies revoked all integration OAuth tokens by June 20. Salesforce removed the Drift app from its AppExchange to prevent further unauthorized access.