Rapid Response status is Operational


Active Incidents

No active incidents

Recently Resolved Incidents

Salesloft Drift OAuth Token Compromise Impacting Salesforce and Integrated Systems
Started 4 Sep 2025 10:49:08 (6 days ago), resolved 4 Sep 2025 15:52:08 (5 days ago)
Major Incident
Resolved
Rapid Response

Dear Customers,

Team Axon is aware of a significant ongoing security incident involving the compromise of OAuth tokens issued to the Salesloft Drift application. These tokens have been abused by a threat actor (tracked as UNC6395) to access Salesforce instances and other integrated systems without directly breaching Salesforce itself.

This activity has enabled attackers to execute structured SOQL queries, enumerate and exfiltrate sensitive data (including customer records, credentials, and access tokens), and, in some cases, delete Salesforce jobs to obscure traces. Evidence suggests that additional connected integrations (e.g., Google Workspace via Drift Email, and others) may also be impacted.

In certain integrations, such as Google → Drift Email, attackers were able to abuse OAuth tokens to authenticate and access the integration account, allowing them to query emails, extract information, and potentially access additional data.

Early threat intelligence confirms that this campaign is widespread and actively exploited in the wild, with high-profile organizations already affected. The breadth of Drift integrations (nearly 60 third-party platforms) significantly increases the potential exposure across enterprise environments.

Recommendations:

  • Revoke OAuth tokens associated with Drift and related integrations.
  • Disable or remove the Drift application from Salesforce until security assurances are provided.
  • Rotate exposed credentials, especially API keys, AWS access tokens, Snowflake tokens, and any secrets stored in Salesforce fields.
  • Make sure Salesforce logs are being ingested into the Hunters platform.
  • Review connected integrations to Drift (Slack, Pardot, Zoom, etc.) and revoke any unnecessary permissions.

Affected organizations are at heightened risk of targeted phishing campaigns stemming from the exposure of customer and employee data. Teams must remain on high alert, closely monitor for suspicious activity, and reinforce phishing awareness among users.

Our team continues to investigate the scope and technical details of this campaign. If we observe strong indications that a customer's users have been compromised, we will contact that customer directly.

For further assistance, please reach out to us.

Sincerely, Team Axon

Current IOCs:

  • IP Addresses: 208.68.36.90 44.215.108.109 154.41.95.2 176.65.149.100 179.43.159.198 185.130.47.58 185.207.107.130 185.220.101.133 185.220.101.143 185.220.101.164 185.220.101.167 185.220.101.169 185.220.101.180 185.220.101.185 185.220.101.33 192.42.116.179 192.42.116.20 194.15.36.117 195.47.238.178 195.47.238.83

  • Potentially Related User Agents: Salesforce-Multi-Org-Fetcher/1.0 Salesforce-CLI/1.0
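As an added example (not part of the Team Axon advisory), the following Python detector runs the advisory's IOC IPs and user agents over Salesforce-style API log rows, and also flags bulk-job deletions issued through the Drift connected app, the trace-clearing behaviour described above. The CSV layout and the sample rows are constructed and simplified for offline use; they are not the real Salesforce EventLogFile schema.

```python
import csv
import io

# Indicators exactly as listed in the Team Axon advisory above.
IOC_IPS = {
    "208.68.36.90", "44.215.108.109", "154.41.95.2", "176.65.149.100",
    "179.43.159.198", "185.130.47.58", "185.207.107.130", "185.220.101.133",
    "185.220.101.143", "185.220.101.164", "185.220.101.167", "185.220.101.169",
    "185.220.101.180", "185.220.101.185", "185.220.101.33", "192.42.116.179",
    "192.42.116.20", "194.15.36.117", "195.47.238.178", "195.47.238.83",
}
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}

# Constructed sample log in an assumed, simplified CSV layout (not the real
# Salesforce EventLogFile schema). One row per API call, embedded for offline use.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,CONNECTED_APP,DETAIL
API,2025-09-02T03:14:07Z,005xx0001,185.220.101.143,Salesforce-Multi-Org-Fetcher/1.0,Drift,SELECT Id FROM Case
API,2025-09-02T03:15:22Z,005xx0001,185.220.101.143,Salesforce-Multi-Org-Fetcher/1.0,Drift,SELECT Secret__c FROM Account
API,2025-09-02T09:01:00Z,005xx0002,203.0.113.10,Mozilla/5.0,Drift,SELECT Name FROM Lead
BULK_API,2025-09-02T03:20:45Z,005xx0001,185.220.101.143,Salesforce-CLI/1.0,Drift,DELETE JOB 750xx0009
API,2025-09-02T10:30:00Z,005xx0003,198.51.100.7,python-requests/2.31,,SELECT Id FROM Contact
"""


def detect_drift_ioc_hits(log_text):
    """Return one alert per row whose client IP or user agent matches the
    advisory IOCs, or that deletes a bulk job via the Drift connected app
    (the trace-clearing behaviour the advisory describes)."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["CLIENT_IP"] in IOC_IPS:
            reasons.append("ioc_ip")
        if row["USER_AGENT"] in IOC_USER_AGENTS:
            reasons.append("ioc_user_agent")
        if (row["EVENT_TYPE"] == "BULK_API" and row["CONNECTED_APP"] == "Drift"
                and row["DETAIL"].startswith("DELETE JOB")):
            reasons.append("drift_job_deletion")
        if reasons:
            alerts.append({"timestamp": row["TIMESTAMP"], "user": row["USER_ID"],
                           "ip": row["CLIENT_IP"], "reasons": reasons})
    return alerts


def affected_users(alerts):
    """Distinct user ids behind the alerts: the accounts whose OAuth tokens and
    stored secrets should be revoked and rotated first."""
    return sorted({a["user"] for a in alerts})
```

Feed real exported rows in the same column layout to `detect_drift_ioc_hits` and use `affected_users` to scope the token revocation and credential rotation steps above.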
