Major Data Breach at Salesloft: Hackers Compromise Customer Tokens and Access Salesforce Data
In a significant security incident, criminal hackers have successfully infiltrated Salesloft, a prominent sales automation platform, resulting in the theft of OAuth and refresh tokens linked to its AI agent, Drift, which interfaces with Salesforce. This breach is particularly alarming as it not only affected Salesloft’s customers but also put a substantial number of Google Workspace accounts at risk, as highlighted by Google’s recent warnings.
The breach reportedly occurred between August 8 and 18, 2025. Following the incident, it was disclosed that attackers exploited compromised client tokens to extract sensitive data from various Salesforce instances. This development raises concerns about the integrity of customer data across the platform. Salesloft emphasized that while the attackers aimed to capture credentials—particularly targeting sensitive information such as AWS access keys—the incident primarily impacted users who deployed the Drift integration with Salesforce.
Working closely with Salesforce, Salesloft has proactively invalidated all active logins and refresh tokens associated with Drift to mitigate the situation. Moreover, Salesforce has temporarily removed the Drift application from its AppExchange marketplace pending a comprehensive investigation into the breach and assurances regarding the security of the platform.
The hacker group responsible, identified as UNC6395, was reported by Google Threat Intelligence. Experts indicated that upon gaining entry to a Salesforce instance, the attackers executed SOQL queries to siphon authentication tokens, passwords, and sensitive information from support tickets. By meticulously planning their tactics, the group demonstrated a high level of operational security, making it harder to reconstruct their activity from the available logs.
Researchers have analyzed how UNC6395 utilized stolen OAuth tokens to breach Google Workspace email accounts, amplifying the scope of the breach beyond its initial assessment. It was discovered that on August 9, an attacker gained access to the email accounts of a “limited number” of Google Workspace users through compromised Drift email integration tokens. This has prompted a broader advisory for all Salesloft Drift customers to consider any authentication tokens within the Drift platform as potentially compromised.
In response to the escalating concerns, Salesloft updated its security bulletin, confirming that Salesforce has disabled Drift’s integration with Salesforce, Slack, and Pardot. Despite the attribution of these attacks to UNC6395, another hacking group, ShinyHunters, alleged involvement in the breach, leading to confusion about the true origins of the attack.
In recent months, similar breaches involving Salesforce have had repercussions for several high-profile companies, including prominent brands in fashion and aviation. Researchers have identified collaborative elements between ShinyHunters and a group named Scattered Spider, now rebranded as Sp1d3rHunters, indicating a potential evolution in hacking strategies and affiliations.
Organizations utilizing the Drift integration with Salesforce are advised to conduct immediate risk assessments and put protective measures in place to secure their systems. This attack illustrates the increasing sophistication of cyber threats, where adversaries employ various MITRE ATT&CK tactics such as initial access through credential theft, exploitation of vulnerabilities for persistence, and potential privilege escalation tactics to access sensitive information.
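As an added example (not code from the article, Salesloft or Salesforce), one concrete piece of the risk assessment described above: a defender-side scan of exported Salesforce Case records for the credential shapes the attackers were reported to harvest from support tickets, so that anything found can be rotated. Field names (Id, Subject, Description) and the sample rows are assumed and constructed; the AWS key values are AWS's own published placeholder examples.

```python
"""Scan exported Salesforce support-case text for leaked credentials."""
import re
from dataclasses import dataclass

# Credential shapes named in the incident reporting. The AWS key-ID prefix
# format is public; the other patterns are deliberately broad.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "salesforce_session_id": re.compile(
        r"\b00D[0-9A-Za-z]{12,15}![0-9A-Za-z._]{20,}"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S{6,})"),
}

@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    redacted: str  # prefix only, so the report does not re-leak the secret

def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "..."

def scan_case(case: dict) -> list:
    """Return one Finding per credential-shaped string in a Case record."""
    text = " ".join(str(case.get(f, "")) for f in ("Subject", "Description"))
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(case["Id"], kind, redact(secret)))
    return findings

def scan_cases(cases) -> list:
    return [f for c in cases for f in scan_case(c)]

# Constructed sample export (hypothetical Case Ids and text).
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "S3 sync fails", "Description":
     "aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
     "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5002", "Subject": "Portal login", "Description":
     "Please reset, current password: Hunter2-rotate-me"},
    {"Id": "5003", "Subject": "API error", "Description":
     "sessionId 00D5g000004FaKq!AQEAQMfz9x3sNmK1YLJF2Hc8vQW5pRtdE returned 401"},
    {"Id": "5004", "Subject": "Billing", "Description": "Invoice date question."},
]

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"case {f.case_id}: {f.kind} ({f.redacted})")
```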
As such, business owners must remain vigilant and proactive in fortifying their cybersecurity measures, especially when engaging with third-party applications that interface with critical data systems. The Salesloft incident serves as a reminder of the vulnerabilities present in widely used integrations and highlights the imperative for ongoing security enhancements across all digital platforms.