
What began as a quiet investigation into suspicious Salesforce activity has escalated into one of the most significant SaaS supply chain incidents of the year. Google's Threat Intelligence Group (GTIG) reports that a threat actor, tracked as UNC6395, exploited compromised OAuth tokens from Salesloft's Drift integrations to extract data from multiple customers' Salesforce instances. The campaign ran at least from 8 to 18 August 2025. GTIG's assessment is blunt: "GTIG assesses the primary intent o