
A large-scale theft of authentication tokens from Salesloft, the company behind the Drift corporate chatbot platform, has triggered a chain reaction of threats across digital infrastructure worldwide. According to a warning from Google, the breach affects not only data within Salesforce but also hundreds of third-party services integrated with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.
Salesloft, which serves more than 5,000 clients, disclosed the issue on August 20, reporting a flaw in its Drift application—the technology powering chatbots widely deployed on corporate websites. Users were urged to reconnect Drift to Salesforce to revoke existing tokens, though at the time it was not revealed that those tokens may already have been compromised.
On August 26, the Google Threat Intelligence Group (GTIG) officially confirmed that unidentified attackers, tracked as UNC6395, had been exploiting the stolen tokens since August 8, exfiltrating massive volumes of data from corporate Salesforce instances. GTIG emphasized that the Salesforce platform itself had no vulnerabilities—the breach stemmed solely from compromised access tokens.
GTIG noted that the attackers were actively combing through stolen datasets in search of sensitive material: AWS keys, VPN accounts, Snowflake access credentials, and other cloud resources. If such credentials prove valid, they could enable further compromises of both victims’ infrastructures and those of their partners.
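GTIG's observation that the attackers sifted the exported records for AWS keys, VPN accounts and Snowflake credentials describes exactly the triage an affected organisation needs to run against its own Salesforce data to learn what was exposed. The following is an added example, not code from the page, from Google or from Salesloft: it scans a constructed set of Salesforce-style case records for such indicators and reports masked findings. The AWS access key ID pattern follows AWS's documented format (AKIA/ASIA followed by 16 upper-case alphanumerics, with AWS's own placeholder key as sample data); the Snowflake, VPN and private-key patterns, the field names and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Illustrative patterns for the credential types named in the advisory.
# The AWS key-ID format is AWS's documented one; the rest are assumptions
# for this example, not vendor-published signatures.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(
        r"\b(?:[a-z0-9-]+\.)+snowflakecomputing\.com\b", re.I),
    "vpn_credential_hint": re.compile(
        r"\bvpn\b.{0,40}?\b(?:pass(?:word)?|pwd)\s*[:=]\s*\S+", re.I | re.S),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample export: Salesforce-style Case records (field names assumed).
# AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key, not a live credential.
SAMPLE_EXPORT = [
    {"Id": "500XX0000000001", "Subject": "Onboarding",
     "Description": "Customer asked about pricing tiers."},
    {"Id": "500XX0000000002", "Subject": "S3 upload failing",
     "Description": "Customer pasted their boto config: aws_access_key_id = "
                    "AKIAIOSFODNN7EXAMPLE and a secret key"},
    {"Id": "500XX0000000003", "Subject": "Data share access",
     "Description": "Snowflake login for the data share: "
                    "https://xy12345.us-east-1.snowflakecomputing.com user svc_report"},
    {"Id": "500XX0000000004", "Subject": "Contractor setup",
     "Description": "VPN access for contractor: user jdoe password: Winter2024! "
                    "on the gateway"},
    {"Id": "500XX0000000005", "Subject": "Deploy key",
     "Description": "Attached deploy key:\n-----BEGIN OPENSSH PRIVATE KEY-----\n"
                    "AAAAB3NzaC1yc2E[placeholder]\n-----END OPENSSH PRIVATE KEY-----"},
]


def mask(value: str) -> str:
    """Keep only a prefix and suffix so the report itself does not leak the secret."""
    if len(value) <= 8:
        return "***"
    return value[:4] + "..." + value[-2:]


def scan_records(records):
    """Return one finding per pattern match across all string fields except Id."""
    hits = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    hits.append({
                        "record": rec["Id"],
                        "field": field,
                        "kind": kind,
                        "sample": mask(match.group(0)),
                    })
    return hits


def summarize(hits):
    """Count findings per indicator type; the per-record list drives rotation work."""
    return dict(Counter(h["kind"] for h in hits))


if __name__ == "__main__":
    findings = scan_records(SAMPLE_EXPORT)
    for f in findings:
        print(f"{f['record']} {f['field']:<12} {f['kind']:<22} {f['sample']}")
    print(summarize(findings))
```

Every record flagged here represents a credential that must be treated as exposed and rotated, independent of whether the Drift integration tokens themselves have already been revoked; the masked output is deliberately not sufficient to reuse the secret, so the report can be shared with the owning teams.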
On August 28, Google updated its advisory, confirming that the attackers had also used tokens to access email in “a small number” of Google Workspace accounts configured to integrate with Salesloft. GTIG strongly recommended the immediate revocation of all Salesloft-related integration tokens, regardless of the connected service.
Google issued a blunt warning: all organizations using Salesloft Drift in conjunction with external platforms, including but not limited to Salesforce, must assume their data is compromised and take urgent remediation measures. In response, Salesforce blocked Drift integrations with its own platform as well as with Slack and Pardot.
The incident has unfolded against the backdrop of a massive social engineering campaign. Attackers reportedly used voice-based phishing calls to persuade targets to connect malicious applications to their Salesforce instances. This campaign has already resulted in breaches and extortion attempts targeting companies such as Adidas, Allianz Life, and Qantas.
On August 5, Google confirmed that one of its own internal Salesforce instances had been compromised as part of the same campaign. GTIG attributed this attack to UNC6040, though the perpetrators themselves claimed to be the notorious ShinyHunters group and hinted at launching a data-leak site to pressure victims.
The ShinyHunters, infamous for breaches of cloud platforms and third-party providers, have released dozens of stolen databases containing millions of records since 2020, many of them on underground forums such as the now-defunct BreachForums. The group is believed to consist of a fluid network of English-speaking cybercriminals active on Telegram and Discord.
A researcher at Recorded Future observed that ShinyHunters’ tools and methods overlap in part with those of another notorious extortion outfit, Scattered Spider, suggesting possible cross-membership.
Adding further confusion, on August 28 a new Telegram channel, “Scattered LAPSUS$ Hunters 4.0”, emerged with nearly 40,000 subscribers. Its members repeatedly claimed responsibility for the Salesloft breach but provided no evidence. Instead, the channel has been used to threaten security professionals and promote a new cybercrime forum, “Breachstars”, where allegedly stolen data will be published if victims refuse to pay ransom.
Despite the noise, Google's GTIG stated there is no conclusive evidence linking the Salesloft breach to ShinyHunters or any other well-known group. The most vocal members of the Telegram channel appear merely to be recycling publicly available information.
According to Joshua Wright, Senior Technical Director at Counter Hack, the success of such attacks lies in what he terms “authorization sprawl”—a scenario where attackers exploit legitimate user tokens to move stealthily across cloud and on-premises systems. No privilege escalation or endpoint bypass is required; the very mechanisms of single sign-on (SSO) and centralized authorization provide the foothold.
How the attackers gained access to all Drift tokens remains unclear. On August 27, Salesloft engaged outside experts to conduct a full investigation into the incident.