Massive Data Breach: Drift-Salesforce OAuth Token Attack Exposes 700+ Organizations' Sensitive Data
June 21, 2026
A widespread data theft campaign from June 8 to June 18, 2026 exploited compromised Drift‑Salesforce OAuth tokens, affecting more than 700 organizations and exposing sensitive data, including credentials embedded in support cases.
Findings are supported by Google Cloud Threat Intelligence Group, Mandiant, Arctic Wolf, and Anomali, with several vendor briefings and blogs cited to back the attribution and confidence levels.
To evade detection, the attacker deleted Salesforce asynchronous job logs and routed traffic through Tor exit nodes and cloud providers like AWS and DigitalOcean, using Python scripts and custom User‑Agent strings, though monitoring logs still captured evidence.
MITRE‑mapped actions attributed to UNC6395 include valid accounts, token theft, credential exposure, cloud discovery, automated collection, data from repositories, indicator removal, anonymization, and exfiltration over web services.
UNC6395 (Icarus) leveraged Drift OAuth tokens to authenticate to Salesforce APIs, bypassing MFA and typical controls, enabling automated queries and bulk data exfiltration from Case, Contact, Account, and Opportunity objects.
The breach exposed AWS keys, Snowflake tokens, VPN credentials, and secrets embedded in support case text, but did not compromise core Salesforce or Google Workspace platforms.
Mitigation includes revoking and rotating Drift‑related OAuth tokens, reviewing Salesforce logs for unauthorized queries, scanning for exposed secrets, applying least‑privilege and zero‑trust for SaaS integrations, auditing third‑party access, and monitoring for known indicators and driver strings.
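As an added example, not taken from the page or from any vendor's tooling, the Python below sketches two of the checks listed above over a constructed sample of Salesforce API event records: flagging scripted bulk reads of the objects named in the article, and labelling secrets embedded in support-case text. The log column names, the bulk-row threshold and the generic token pattern are assumptions; only the AWS access-key-ID format is a published one.

```python
import csv
import io
import re

# Constructed sample shaped like a Salesforce API event log export (CSV); not real data.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,USER_AGENT,QUERY,ROWS_PROCESSED
API,20260612093001.000,005XX000001,Drift Connected App,python-requests/2.31,SELECT Id FROM Case,200000
API,20260612093145.000,005XX000001,Drift Connected App,python-requests/2.31,SELECT Id FROM Contact,150000
API,20260612094000.000,005XX000002,Salesforce for Outlook,Mozilla/5.0,SELECT Id FROM Account WHERE Id='001',1
"""

# Objects the campaign bulk-collected (from the article); the row threshold is an assumption.
SENSITIVE_OBJECTS = {"Case", "Contact", "Account", "Opportunity"}
BULK_ROW_THRESHOLD = 10000

# AWS access key IDs have a public format; the generic assignment pattern is a heuristic (assumption).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_token": re.compile(r"(?i)\b(?:token|password|secret)\s*[:=]\s*\S{8,}"),
}


def flag_bulk_queries(log_text: str) -> list[dict]:
    """Return API events that bulk-read a sensitive object through a scripted client."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        match = re.search(r"FROM\s+(\w+)", row["QUERY"], re.IGNORECASE)
        obj = match.group(1) if match else ""
        rows = int(row["ROWS_PROCESSED"])
        # Scripted clients (python-requests, curl) on a connected app are the signal here.
        scripted = row["USER_AGENT"].lower().startswith(("python", "curl"))
        if obj in SENSITIVE_OBJECTS and rows >= BULK_ROW_THRESHOLD and scripted:
            hits.append({"client": row["CLIENT_NAME"], "object": obj, "rows": rows})
    return hits


def find_secrets(case_text: str) -> list[str]:
    """Name each secret pattern that occurs in a support-case body."""
    return [name for name, pattern in SECRET_PATTERNS.items() if pattern.search(case_text)]


if __name__ == "__main__":
    for hit in flag_bulk_queries(SAMPLE_LOG):
        print("bulk read:", hit)
    # Constructed case text; the key below is a dummy value in the AWS format, not a real key.
    print(find_secrets("Ingest fails with AKIAABCDEFGHIJKLMNOP and password=Hunter2hunter2"))
```

Because the attacker deleted asynchronous job logs, run checks like these against log copies retained outside the tenant rather than relying only on in-platform history.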
The breach window ran from June 8 to June 18, 2026, with reconnaissance starting June 9, initial compromise on June 12, bulk exfiltration through June 17, detection on June 19, and token revocation plus integration deactivation on June 20; core Salesforce and Google Workspace remained intact.
Salesloft detected the activity on June 19, 2026; OAuth tokens were revoked, the Drift integration was disabled and removed from Salesforce AppExchange on June 20, and affected organizations were notified with Google Workspace administrators alerted where relevant.
Summary based on 1 source
