
Threat Actor Exploits Drift Platform Tokens to Bypass MFA in Salesforce Breach

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

A threat actor tracked as UNC6399 has used persistent, non-expiring OAuth tokens taken from the compromised Drift platform to bypass multi-factor authentication and access Salesforce environments belonging to more than 700 organizations worldwide.

The activity, detected on May 5, 2026, let the actor reach customer relationship management systems without ever presenting a user password. Security researchers tracking the group said the actors used valid OAuth refresh tokens, which the researchers believe were obtained through earlier phishing campaigns, to keep unauthorized access to sensitive data in Salesforce, AWS and Snowflake environments.

The breach highlights a weakness in how OAuth tokens are deployed rather than a flaw in MFA itself. MFA is enforced once, at the moment a user authorizes an integration; the refresh token issued then is a bearer credential that can be exchanged for fresh access tokens with no further challenge. Whoever holds the token can authenticate directly into corporate systems, and MFA offers no protection for as long as the token remains valid, which for a non-expiring token means indefinitely. The Drift platform, a customer engagement tool, served as the initial vector for the compromise, and the stolen tokens granted access to the downstream integrations they had been authorized for.
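To make the mechanism concrete, here is an added toy OAuth 2.0 authorization server (example code written for this article, not code from Drift, Salesforce or the researchers). It shows MFA being checked once at authorization and never again on refresh, then contrasts the non-expiring, non-rotating configuration the article describes with an absolute refresh-token lifetime plus rotation and reuse detection. The passwords, MFA code and lifetimes are assumed test values.

```python
"""Toy OAuth 2.0 authorization server (added example, not vendor code).

MFA is enforced in authorize() only. refresh() trusts whoever presents the
refresh token, which is exactly why a stolen long-lived token bypasses MFA.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    family: str        # one family per MFA-verified login
    issued_at: float   # absolute lifetime is measured from the original login
    rotated: bool = False  # True once this refresh token has been exchanged


class AuthServer:
    def __init__(self, refresh_lifetime=None, rotate=False):
        self.refresh_lifetime = refresh_lifetime  # None = non-expiring (weak)
        self.rotate = rotate                      # False = reusable token (weak)
        self.refresh_tokens: dict[str, Grant] = {}
        self.revoked_families: set[str] = set()
        self.access_tokens: dict[str, str] = {}

    def authorize(self, user, password, mfa_code, now):
        # Assumed test credentials; the only place MFA is ever checked.
        if password != "correct-horse" or mfa_code != "123456":
            raise PermissionError("password and MFA required")
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = Grant(user, secrets.token_hex(8), now)
        return rt

    def refresh(self, rt, now):
        grant = self.refresh_tokens.get(rt)
        if grant is None or grant.family in self.revoked_families:
            raise PermissionError("invalid refresh token")
        if (self.refresh_lifetime is not None
                and now - grant.issued_at > self.refresh_lifetime):
            raise PermissionError("refresh token past absolute lifetime")
        new_rt = rt
        if self.rotate:
            if grant.rotated:
                # A rotated-out token was presented again: either the client
                # lost its newer token or someone is replaying a stolen copy.
                # Revoke the whole family and force a fresh MFA login.
                self.revoked_families.add(grant.family)
                raise PermissionError("refresh token reuse; family revoked")
            grant.rotated = True
            new_rt = secrets.token_urlsafe(32)
            self.refresh_tokens[new_rt] = Grant(grant.user, grant.family,
                                                grant.issued_at)
        at = secrets.token_urlsafe(32)   # no MFA involved on this path
        self.access_tokens[at] = grant.user
        return at, new_rt


def demo():
    """Returns a dict of outcomes for the weak and hardened configurations."""
    results = {}
    day = 86400

    # Weak: non-expiring, non-rotating tokens, as described in the article.
    weak = AuthServer()
    stolen = weak.authorize("alice", "correct-horse", "123456", now=0)
    at, _ = weak.refresh(stolen, now=365 * day)   # a year later, still works
    results["weak_attacker_access"] = at in weak.access_tokens

    # Hardened: 24h absolute lifetime, rotation with reuse detection.
    hard = AuthServer(refresh_lifetime=day, rotate=True)
    stolen = hard.authorize("alice", "correct-horse", "123456", now=0)
    _, rt_client = hard.refresh(stolen, now=3600)  # legitimate client rotates
    try:
        hard.refresh(stolen, now=3700)             # attacker replays old copy
        results["hard_replay_blocked"] = False
    except PermissionError:
        results["hard_replay_blocked"] = True
    try:
        hard.refresh(rt_client, now=3800)          # family is now dead too
        results["hard_family_revoked"] = False
    except PermissionError:
        results["hard_family_revoked"] = True
    rt_old = hard.authorize("bob", "correct-horse", "123456", now=0)
    try:
        hard.refresh(rt_old, now=2 * day)          # beyond absolute lifetime
        results["hard_expired"] = False
    except PermissionError:
        results["hard_expired"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note the limit of rotation: if the legitimate client never refreshes, a stolen copy is indistinguishable from the real one until the absolute lifetime runs out, so the lifetime is what bounds the attacker's window; rotation only shortens it when both parties are active.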

Organizations affected by the intrusion span multiple industries and geographic regions. The scope of the attack includes critical business data stored in cloud infrastructure, raising concerns about data exfiltration and unauthorized changes to those systems. Non-expiring tokens also let the actor keep access quietly: token-based access produces none of the repeated login attempts or MFA prompts that would normally trigger security alerts.

Security experts have advised affected organizations to revoke the compromised tokens immediately, audit which connected apps hold OAuth grants and with what scopes, and treat any credentials stored in data those tokens could read as exposed. The incident underscores the risk of long-lived authentication credentials in interconnected cloud ecosystems. Companies relying on third-party integrations are urged to enforce stricter token expiration policies, such as absolute refresh-token lifetimes and rotation, and to monitor integration identities for anomalous access patterns, for example a token being used from a network or client the integration has never used before.
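The monitoring advice above can be turned into a simple detection. The following is an added example written for this article, not a vendor's or the researchers' tooling: it runs over a constructed login-history extract (the column names and the "interactive"/"oauth" login types are assumptions, not any product's schema) and flags connected-app logins that come from a new network or user agent, or that occur long after the user's last interactive MFA login, which is what a stolen long-lived token looks like. The baseline window and maximum token age are assumed tuning values.

```python
"""Flag OAuth connected-app logins that look like stolen long-lived tokens.
Added detection example; the log format below is constructed for the demo."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login history (not real data). "interactive" means a
# browser login with MFA; "oauth" means access via a connected app's token.
SAMPLE_LOG = """\
ts,user,login_type,app,source_ip,user_agent
2026-03-01T09:00:00Z,alice@example.com,interactive,Browser,203.0.113.10,Mozilla/5.0
2026-03-01T09:05:00Z,alice@example.com,oauth,ChatConnector,198.51.100.20,ChatConnector/2.1
2026-03-08T09:05:00Z,alice@example.com,oauth,ChatConnector,198.51.100.21,ChatConnector/2.1
2026-04-15T02:13:00Z,alice@example.com,oauth,ChatConnector,192.0.2.77,python-requests/2.31
2026-05-05T03:40:00Z,alice@example.com,oauth,ChatConnector,192.0.2.78,python-requests/2.31
2026-05-05T04:02:00Z,bob@example.com,interactive,Browser,203.0.113.11,Mozilla/5.0
2026-05-05T04:10:00Z,bob@example.com,oauth,ChatConnector,198.51.100.20,ChatConnector/2.1
"""


def parse(log_text):
    """CSV text -> list of dicts sorted by timestamp (ts parsed to datetime)."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])


def network(ip):
    """Collapse an address to its /24 so neighbouring IPs count as one net."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def find_suspicious_token_use(log_text, baseline_days=14, max_token_age_days=30):
    """Return findings for oauth logins outside each (user, app) baseline.

    Baseline = networks and user agents seen in the first `baseline_days`
    after an integration is first observed for that user. Later oauth logins
    are flagged for a new network, a new user agent, or for happening more
    than `max_token_age_days` after the user's last interactive (MFA) login.
    """
    last_interactive = {}          # user -> ts of last interactive login
    first_seen = {}                # (user, app) -> first oauth ts
    baseline = defaultdict(lambda: {"nets": set(), "agents": set()})
    findings = []

    for e in parse(log_text):
        if e["login_type"] == "interactive":
            last_interactive[e["user"]] = e["ts"]
            continue
        key = (e["user"], e["app"])
        first_seen.setdefault(key, e["ts"])
        if e["ts"] - first_seen[key] <= timedelta(days=baseline_days):
            baseline[key]["nets"].add(network(e["source_ip"]))
            baseline[key]["agents"].add(e["user_agent"])
            continue

        reasons = []
        if network(e["source_ip"]) not in baseline[key]["nets"]:
            reasons.append("new_network")
        if e["user_agent"] not in baseline[key]["agents"]:
            reasons.append("new_user_agent")
        last_mfa = last_interactive.get(e["user"])
        if last_mfa is None or e["ts"] - last_mfa > timedelta(days=max_token_age_days):
            reasons.append("token_older_than_last_mfa")
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"],
                "app": e["app"],
                "source_ip": e["source_ip"],
                "user_agent": e["user_agent"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_token_use(SAMPLE_LOG):
        print(f["ts"], f["user"], f["app"], f["source_ip"], ",".join(f["reasons"]))
```

On the sample data the two April and May ChatConnector logins for alice are flagged on all three counts, while bob's integration login minutes after his MFA login falls inside its baseline and is not. The "token older than last MFA" signal is the one that specifically targets this incident's technique: a non-expiring token keeps working long after the user who authorized it last proved possession of a second factor.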

The full extent of the data accessed remains unclear as organizations continue to assess the impact. Investigators are working to determine whether the actor exfiltrated sensitive information or only established a foothold for later operations. The incident has prompted a broader review of authentication practices across the enterprise software sector, with calls for industry-wide standards on token lifetime and third-party integration access to reduce similar risks.

As of now, no specific data theft has been confirmed, though the potential for unauthorized access to customer records, financial information and proprietary business data remains a significant concern. The actor's identity and motivations have not been disclosed, leaving open how the compromised access was meant to be used. Security teams are monitoring for further activity as the investigation continues.