
Major Cybersecurity Firms Impacted by Salesloft Data Breach

Summary

– Multiple companies, including Zscaler and Palo Alto Networks, confirmed that threat group UNC6395 accessed their Salesforce instances following a breach at Salesloft.
– Between August 8 and 18, 2025, the attackers used compromised OAuth tokens to exfiltrate data from the Salesforce instances of customers running the Drift-Salesforce integration.
– The breach impacted over 700 companies, with attackers focusing on stealing AWS access keys, passwords, and Snowflake-related tokens for further misuse.
– Salesloft, Salesforce, and Google have disabled integrations and advised customers to revoke and rotate API keys and credentials to mitigate risks.
– Cybersecurity firms like Google Mandiant, Astrix Security, and WideField have provided guidance and indicators of compromise to help organizations investigate and respond.

A significant data breach at Salesloft has affected numerous high-profile cybersecurity firms, including Zscaler, Palo Alto Networks, PagerDuty, Tanium, and SpyCloud. The incident, attributed to a threat group that Google tracks as UNC6395, involved unauthorized access to the victims' Salesforce instances using OAuth tokens stolen from Salesloft's Drift integration. The affected firms report that no other internal systems were reached, but the stolen customer data poses a serious risk for targeted phishing and social engineering campaigns.

Salesloft, known for its sales engagement platform, reported that between August 8 and August 18, 2025, attackers leveraged compromised OAuth tokens to extract data from Salesforce instances linked to its Drift AI chat application. Further investigation by Google’s Threat Intelligence Group revealed that the threat actors also abused the “Drift Email” integration to access a limited number of Google Workspace email accounts.

Researchers from Astrix Security confirmed that the attackers used the Drift Email OAuth application to exfiltrate emails and, in at least one instance, attempted to access Amazon S3 buckets. WideField threat analysts observed similar suspicious activity across multiple client environments, indicating systematic searches through Salesforce databases and Gmail accounts.

More than 700 organizations are believed to have been impacted by this breach. Although customer information was taken, the primary focus of the attackers appeared to be on locating AWS access keys, passwords, and Snowflake access tokens, which could be exploited for further unauthorized access.

Salesloft has not yet disclosed how the OAuth tokens were initially compromised but has enlisted support from Mandiant and Coalition to assist with the investigation and remediation. The company has advised all Drift customers using API keys for third-party integrations to revoke the existing keys and establish new connections. Salesloft is handling the revocation and re-establishment of OAuth-based integrations itself.

In response, Salesforce has temporarily disabled all integrations with Salesloft technologies, including the Drift application, as a precautionary measure. Google has also suspended integration functionality between Google Workspace and Salesloft Drift while the investigation continues. Affected organizations are urged to review all third-party integrations, rotate credentials, and scan for signs of unauthorized access.

Google Mandiant has published detailed guidance for organizations to investigate potential compromises and identify exposed secrets or hardcoded credentials. Astrix and WideField have also shared indicators of compromise and specific advice related to AWS activity monitoring.
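What the secret-hunting step looks like from the defender's side, as an added example written for this page (not code from Salesloft, Salesforce, Google Mandiant, Astrix or WideField): a triage scanner that runs over records exported from the affected Salesforce objects and flags the credential types the attackers are reported to have searched for, so the response team knows exactly which keys and passwords to rotate. The records, IDs and field names below are constructed; the AWS access key and secret are AWS's own documentation placeholders. Two assumptions are built in: a 40-character base64-style string is only reported as an AWS secret when an access key ID appears in the same field (on its own it is too noisy), and Snowflake exposure is detected via the account hostname, since Snowflake tokens have no fixed format and tend to be pasted next to the account they belong to.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, shaped like a CSV export of Salesforce objects
# (Id, object, text field, field content). Not real data; the AWS key and
# secret are the placeholders from AWS's documentation.
SAMPLE_RECORDS = [
    {"Id": "500000000000001AAA", "Object": "Case", "Field": "Description",
     "Text": "Customer sent creds for repro: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
             "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000002AAA", "Object": "Case", "Field": "Comments",
     "Text": "Warehouse is acme-corp.snowflakecomputing.com, user ETL_SVC, password: Winter2025!"},
    {"Id": "500000000000003AAA", "Object": "Account", "Field": "Description",
     "Text": "Renewal discussion scheduled for Q4; no technical details."},
    {"Id": "500000000000004AAA", "Object": "Case", "Field": "Description",
     "Text": "Ticket about AKIAX (typo) and the word password in general."},
]

# AWS access key IDs are 20 chars starting with AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# AWS secret keys are 40 chars of base64-ish text; reported only next to a key ID.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Snowflake account hostname (assumption: credentials are pasted near the account URL).
SNOWFLAKE_HOST = re.compile(r"\b[a-z0-9][a-z0-9_.-]*\.snowflakecomputing\.com\b", re.IGNORECASE)
# "password: x" / "pwd=x" style assignments; bare mentions of the word are ignored.
PASSWORD_ASSIGN = re.compile(r"\b(?:password|passwd|pwd)\b\s*[:=]\s*(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    record_id: str
    object_name: str
    field: str
    kind: str
    value: str  # identifiers in full (needed to locate them in IAM), secrets redacted


def redact(secret: str) -> str:
    """Never copy a recovered secret into a report; keep only its length."""
    return f"<redacted {len(secret)} chars>"


def scan_text(text: str):
    """Yield (kind, value) pairs for every credential-like token in one field."""
    key_ids = AWS_KEY_ID.findall(text)
    for key_id in key_ids:
        yield "aws_access_key_id", key_id
    if key_ids:  # only look for a secret where a key ID gives context
        for m in AWS_SECRET.finditer(text):
            yield "aws_secret_access_key", redact(m.group(0))
    for m in SNOWFLAKE_HOST.finditer(text):
        yield "snowflake_account", m.group(0).lower()
    for m in PASSWORD_ASSIGN.finditer(text):
        yield "password", redact(m.group(1))


def scan_records(records):
    """Scan exported records and return one Finding per credential hit."""
    findings = []
    for rec in records:
        for kind, value in scan_text(rec["Text"]):
            findings.append(Finding(rec["Id"], rec["Object"], rec["Field"], kind, value))
    return findings


def summarize(findings):
    """Count findings per credential type, e.g. to size the rotation effort."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for f in hits:
        print(f"{f.object_name}.{f.field} {f.record_id}: {f.kind} -> {f.value}")
    print(summarize(hits))
```

Run against a real export, the access key IDs in the output are the ones to look up in IAM and rotate first, and the record IDs point at the fields that need scrubbing once rotation is done; the scanner deliberately never writes the recovered secret values themselves into its report.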

(Source: HelpNet Security)
