Alarming Cyber Assault: Hackers Plunder Sensitive Data from Salesforce in Massive Breach in 2025

Earlier this month, a coordinated cyber campaign targeted Salesforce customers, resulting in the theft of user credentials from hundreds of organizations. Researchers at the Google Threat Intelligence Group (GTIG) warned that these breaches could trigger follow-up attacks, highlighting the growing threat posed by sophisticated cybercriminals.
How the Breach Happened
The campaign, traced to a threat actor identified as UNC6395, exploited compromised OAuth tokens linked to Salesloft’s Drift AI chat agent, a widely used customer engagement tool. According to Google researchers, the hackers aimed primarily to harvest credentials and collected large amounts of data from numerous Salesforce instances.
“A threat actor used a Python tool to automate the data theft process for each targeted organization,” explained Austin Larsen, principal threat analyst at Google. “We are aware of over 700 organizations potentially impacted by this campaign.”
Importantly, the attacks did not exploit any vulnerabilities within Salesforce itself. Instead, hackers leveraged compromised OAuth tokens to gain access. Once inside, they targeted sensitive credentials, including access keys and passwords for Amazon Web Services (AWS) and access tokens for Snowflake, a popular cloud data platform.
Timeline of the Attacks
The breaches largely occurred between August 8 and August 18. By August 20, Salesloft had partnered with Salesforce to revoke all active access and refresh Drift tokens, minimizing further risk. On the same day, Salesloft issued a security alert, urging Drift administrators to reauthenticate their Salesforce connections.
Salesforce confirmed unusual activity that may have allowed unauthorized access to a limited number of customer instances. As a precaution, the company removed Salesloft Drift from its AppExchange marketplace while investigations continue.
“We’re working closely with Salesloft to investigate the situation, provide updates, and support affected customers with remediation,” Salesforce stated.
Hackers’ Operational Methods
The attackers demonstrated operational security awareness by deleting query jobs, although this did not affect event logs. Google recommends that security teams review logs to identify potential data exposure.
Charles Carmakal, CTO of Mandiant Consulting, advised that users notified of a compromise should follow Mandiant’s remediation guidance. Organizations using Drift in Salesforce should assume their data may be compromised and take immediate action:
- Revoke API keys
- Rotate credentials
- Strengthen access controls
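Knowing which credentials to revoke requires first finding where they were stored. The following is an added example, not code from the article, Google or Salesloft: it scans exported Salesforce record text for the credential types the campaign harvested (AWS access keys, Snowflake tokens, passwords) and reports redacted findings per record so the rotation list can be built. The AWS access key ID format is a documented convention; the Snowflake and password patterns and the sample records are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Patterns for the credential types reported stolen. The AWS key ID format
# (AKIA/ASIA + 16 uppercase alphanumerics) is documented; the Snowflake and
# password patterns are heuristic assumptions and will need local tuning.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}([A-Za-z0-9/+=]{40})"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|pat)\W{0,3}([A-Za-z0-9_\-]{20,})"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # never keep the full secret in triage output

def redact(value):
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "****"

def scan_records(records):
    """Return one Finding per credential-like match in any text field."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(text):
                    val = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(rec["Id"], field, kind, redact(val)))
    return findings

# Constructed sample records (not real Salesforce data); the AWS key is the
# placeholder value AWS uses in its own documentation.
SAMPLE_RECORDS = [
    {"Id": "500xx0000000001", "Subject": "Login issue",
     "Description": "Customer cannot log in, reset done."},
    {"Id": "500xx0000000002", "Subject": "Pipeline",
     "Description": "Use AKIAIOSFODNN7EXAMPLE for the S3 sync. password=Winter2025!"},
    {"Id": "500xx0000000003", "Subject": "Snowflake",
     "Description": "Snowflake token: sf_pat_0123456789abcdefXYZ shared for the ETL job."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.field} {f.kind} {f.redacted}")
```

Each finding maps to a concrete rotation action (AWS key, Snowflake token, or user password) and the record it came from, which is the list the remediation steps above are asking teams to produce.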
Scope of the Compromise
Google researchers warn that the compromise extends beyond Salesforce-Drift integration. All Salesloft Drift customers should assume any authentication token connected to Drift may be compromised.
The investigation confirmed hackers accessed OAuth tokens related to the “Drift Email” integration, and a very small number of Google Workspace accounts were compromised on August 9. There has been no broader compromise of Google Workspace or Alphabet systems.
Lessons for Organizations
This incident underscores the growing importance of third-party application security in cloud environments. Even when primary platforms like Salesforce maintain strong defenses, vulnerabilities in integrated applications can expose sensitive data. Companies leveraging third-party tools must maintain vigilant access control and continuous monitoring.
Key Takeaways:
- Review and Rotate Credentials: Revoke API keys and rotate credentials for affected users.
- Harden Access Controls: Implement multi-factor authentication (MFA) and strict role-based permissions.
- Monitor Logs: Conduct detailed audits of system logs for unusual activity.
- Stay Informed: Follow updates from Google, Salesforce, and Salesloft regarding compromised tokens or further remediation steps.
Preventing Similar Attacks
Organizations can reduce the risk of similar breaches by implementing the following measures:
- Regular Security Audits: Continuously audit third-party integrations to identify vulnerabilities.
- Token Management: Enforce strict lifecycle management for OAuth tokens and API keys, including expiration and rotation policies.
- Employee Training: Educate staff on phishing risks and verifying third-party access.
- Incident Response Preparedness: Maintain an actionable incident response plan to quickly contain breaches and notify affected stakeholders.
The Bigger Picture
The Salesforce-Salesloft breach highlights a broader cybersecurity challenge: attackers increasingly exploit trusted integrations to bypass platform security. Organizations relying on third-party tools must proactively assess the security of each application and maintain robust incident response strategies.
Google Threat Intelligence Group continues to investigate the breach and encourages organizations to review their Salesforce and Drift integrations. Any company using Drift should assume potential compromise and secure credentials and access tokens immediately.
Frequently Asked Questions:
What happened in the Salesforce data breach?
Hackers targeted Salesforce customers using compromised OAuth tokens connected to Salesloft’s Drift AI chat agent, stealing sensitive credentials from hundreds of organizations.
Who was responsible for the attack?
Google researchers traced the breach to a threat actor identified as UNC6395, who automated the attack using a Python tool.
Were Salesforce systems themselves vulnerable?
No. The attack exploited compromised third-party integration tokens, not Salesforce platform vulnerabilities.
What type of data was stolen?
Hackers primarily harvested credentials, including passwords, API keys, AWS access keys, and Snowflake tokens.
How many organizations were affected?
Google Threat Intelligence Group reported that over 700 organizations were potentially impacted.
When did the attacks occur?
The breaches occurred mainly between August 8 and August 18.
What steps have Salesforce and Salesloft taken?
They revoked active access, refreshed Drift tokens, removed Salesloft Drift from AppExchange, and notified affected customers.
Conclusion
The Salesforce data breach highlights the growing sophistication of cyberattacks, where hackers exploit third-party integrations rather than platform vulnerabilities. Organizations using Salesloft Drift and similar tools must assume potential compromise, promptly revoke credentials, and strengthen access controls. This incident underscores the critical need for proactive monitoring, regular security audits, and robust incident response strategies. Vigilance and swift action remain essential for protecting sensitive data in today’s increasingly connected cloud environment.