Salesloft Drift OAuth Token Supply Chain Attack

📅 2025-08-08 🏢 Salesloft Drift (AI chat/sales engagement platform); Salesforce; Google Workspace; Slack

Incident Details

Between August 8–18, 2025, threat actors tracked as UNC6395 exploited compromised OAuth tokens from the Salesloft Drift integration to gain unauthorized access to connected customer environments. More than 700 organizations were affected, including major technology and security vendors such as Cloudflare, Zscaler, Palo Alto Networks, and PagerDuty. Stolen data varied by organization but commonly included business contact records (names, titles, emails, phone numbers), Salesforce CRM data (Accounts, Contacts, Opportunities, Cases), and in some cases API keys, Snowflake tokens, cloud credentials, and passwords embedded in support cases. Salesloft took Drift offline following the discovery. FINRA issued a cybersecurity alert. Organizations were advised to disconnect all Salesloft integrations and rotate exposed credentials.

Technical Details

Initial Attack Vector: UNC6395 compromised Salesloft's Drift AI chatbot integration and stole OAuth authentication tokens used to connect Drift with downstream customer Salesforce, Google Workspace, and Slack environments.

Vendor / Product: Salesloft Drift (AI chat/sales engagement platform); Salesforce; Google Workspace; Slack

Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2025-08-08 Breach occurred
  2. 2025-09-01 Publicly disclosed
  3. 2025-09-01 Customers notified