Salesloft Data Breach: Stolen Tokens Compromise Salesforce Instances and Customer Data
Salesloft, a popular AI chatbot used by many companies to convert customer interactions into Salesforce leads, has suffered a significant data breach. The hacker group ShinyHunters is suspected of stealing authentication tokens for multiple online services, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI. The incident, which occurred between March and June 2025, has compromised Salesforce instances and customer data.
The breach was first disclosed by Google on August 5, with the tech giant revealing that one of its corporate Salesforce instances had been compromised. Salesloft later confirmed the incident on August 20 but initially did not mention the theft of tokens. The stolen tokens provide access to not only Salesforce data but also hundreds of other online services integrated with Salesloft. Google advised organizations to immediately invalidate all tokens stored in or connected to their Salesloft integrations, regardless of the third-party service in question.
Google's Threat Intelligence Group warned on August 26 that unidentified hackers, tracked as UNC6395, had been using the stolen tokens to siphon data from numerous corporate Salesforce instances since August 8, 2025. The stolen data includes sensitive credential material such as AWS keys, VPN credentials, and Snowflake credentials, which could be used to further compromise victim environments and those of their clients or partners. On August 28, Salesforce blocked Drift from integrating with its platform and related services. Google Workspace email accounts were also accessed using the stolen tokens. This incident follows a previous voice phishing campaign that led to data breaches and extortion attacks affecting several companies, including Adidas, Allianz Life, and Qantas.
Salesloft, which has over 5,000 customers including prominent corporations, has urged customers to re-authenticate their connections to invalidate existing tokens. The incident serves as a reminder of the importance of regular security audits and the prompt invalidation of compromised credentials. The investigation into the breach is ongoing, and more details may emerge in the coming days.