In a major cybersecurity incident affecting corporate America, hackers have stolen authentication tokens from Salesloft, the popular AI-driven sales engagement platform used to convert customer interactions into Salesforce leads. The breach has left companies racing to invalidate credentials before further exploitation can occur.
According to Google, the breach extends beyond Salesforce, with attackers reportedly gaining valid tokens for hundreds of integrated services, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.
Salesloft, which counts over 5,000 customers, including some high-profile companies listed on its homepage, first disclosed the issue on August 20. The company initially reported a security problem in its Drift application, which powers its AI chatbot, and advised customers to re-authenticate their Drift-Salesforce connections. At the time, there was no indication that tokens had already been stolen.
On August 26, Google’s Threat Intelligence Group (GTIG) identified the responsible actors as UNC6395. The group used the stolen tokens to siphon large volumes of data from corporate Salesforce instances between August 8 and August 18, 2025. Google emphasized that Salesforce itself was not compromised by any platform vulnerability.
GTIG warned that attackers were mining the data for sensitive credentials, including AWS keys, VPN credentials, and Snowflake access information. “If successful, the right credentials could allow them to further compromise victim and client environments, as well as pivot to the victim’s clients or partner environments,” the report stated.
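Because the attackers were reportedly combing exported Salesforce records for secrets, a defender's first question is which credentials in their own CRM data now need rotating. The following is an added example, not code from Google, Salesloft or Salesforce: it scans a constructed sample of exported Case records (a plain list of dictionaries, which is an assumption about export format) for the kinds of credential the GTIG advisory names, such as AWS access key IDs, private key blocks and inline password assignments, and reports a redacted match per record so the owner knows what to revoke.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample of exported Salesforce Case records; the key and password
# are placeholders (the AKIA value is AWS's documented example key), not real data.
SAMPLE_CASES: List[Dict[str, str]] = [
    {"Id": "500000000000001",
     "Description": "Customer pasted temp creds: AKIAIOSFODNN7EXAMPLE for the S3 bucket"},
    {"Id": "500000000000002",
     "Description": "Please reset the VPN profile; no secrets in this ticket."},
    {"Id": "500000000000003",
     "Description": "Snowflake login: user=svc_etl password=Winter2024! account=xy12345"},
]

# Patterns for credential types called out in the advisory (AWS keys, passwords)
# plus private key material, which is commonly pasted into support tickets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
}


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so findings can be triaged without re-exposing the value."""
    return secret[:keep] + "..." if len(secret) > keep else "..."


def scan_records(records: Sequence[Dict[str, str]],
                 fields: Sequence[str] = ("Description",)) -> List[Dict[str, str]]:
    """Return one finding per credential-like match in the chosen text fields."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for cred_type, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({
                        "record_id": rec.get("Id", ""),
                        "field": field,
                        "type": cred_type,
                        "match": redact(match.group(0)),
                    })
    return findings


def rotation_summary(findings: Sequence[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by credential type: the list of things to rotate."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f["type"]] = summary.get(f["type"], 0) + 1
    return summary


if __name__ == "__main__":
    results = scan_records(SAMPLE_CASES)
    for f in results:
        print(f"{f['record_id']} {f['field']}: {f['type']} -> {f['match']}")
    print("to rotate:", rotation_summary(results))
```

Run against a real export, the `match` column stays redacted so the report itself does not become another copy of the secret; the record IDs are what an incident responder needs to pull the full field from Salesforce and trace which customer or system the credential belongs to.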
An updated GTIG advisory on August 28 revealed that attackers had accessed email in a small number of Google Workspace accounts integrated with Salesloft. More critically, Google urged organizations to immediately invalidate all tokens associated with Salesloft integrations, regardless of the third-party platform involved.
In response, Salesforce blocked Drift from integrating with its platform, as well as with Slack and Pardot, on August 28.
The Salesloft breach follows a wave of social engineering campaigns targeting Salesforce users. Previous attacks, involving voice phishing to trick victims into installing malicious apps, led to data breaches and extortion attempts against companies including Adidas, Allianz Life, and Qantas.
On August 5, Google disclosed that one of its Salesforce instances had been compromised. The GTIG labeled the attackers UNC6040, who allegedly posed as the cybercrime group ShinyHunters. This group, active since 2020, is known for social engineering attacks on cloud platforms and posting stolen data to cybercrime communities such as the now defunct Breachforums.
Security experts note potential overlaps between ShinyHunters and the extortion group Scattered Spider, citing similarities in tools and techniques used. Adding to the confusion, a Telegram channel called “Scattered LAPSUS$ Hunters 4.0” was launched on August 28, claiming responsibility for the Salesloft hack without providing verifiable proof. The channel, now with nearly 40,000 subscribers, also promotes a new cybercrime forum, Breachstars, which is expected to host data from companies that refuse to pay ransom demands.
Organizations using Salesloft and its third-party integrations are being urged to act swiftly to protect their systems and data, as the full scope of the breach continues to unfold.