The recent breach at AI chatbot maker Salesloft has left many companies racing to invalidate stolen authentication tokens before hackers can exploit them. Google warns that the breach goes far beyond access to Salesforce data, noting that hackers also stole valid authentication tokens for hundreds of online services integrated with Salesloft.

What Happened

Salesloft disclosed on August 20 that it had detected a security issue in the Drift application, which powers its AI chatbot. The company urged customers to re-authenticate the connection between Drift and Salesforce apps to invalidate their existing authentication tokens. However, it was later revealed that these tokens had already been compromised prior to the disclosure.

On August 26, Google's Threat Intelligence Group (GTIG) reported that hackers, identified as UNC6395, exploited the stolen tokens to access and exfiltrate data from numerous corporate Salesforce instances. The data theft began as early as August 8, 2025, and continued through at least August 18, 2025.

The attackers targeted sensitive credentials, including AWS keys, VPN credentials, and Snowflake tokens, posing significant risks to affected organizations. Google warned that the right credentials could allow hackers to further compromise victim environments and to pivot into the environments of the victims' clients or partners.

Background and Context

Salesloft is a sales engagement platform founded in 2011, designed to streamline and enhance sales processes for organizations. It offers a suite of tools that assist sales teams in managing leads, tracking communications, and analyzing performance metrics. Over the years, Salesloft has integrated various technologies to provide a comprehensive solution for sales professionals.

The AI chatbot integration within Salesloft is powered by Drift, which facilitates immediate customer interactions, converting inquiries into actionable leads within the Salesforce CRM. The integration aims to enhance user experience and drive sales efficiency.

Why It Matters

The breach at Salesloft highlights the vulnerabilities inherent in AI chatbot integrations. The attackers' ability to access and steal critical credentials underscores the severity of the incident and the potential for further exploitation. The fact that hackers were able to compromise OAuth tokens associated with the Salesloft Drift third-party application raises concerns about the security of similar integrations.

The impact of this breach is not limited to Salesforce instances: Google warned that organizations using Salesloft Drift to integrate with third-party platforms should consider their data compromised and take immediate remediation steps. This emphasizes the need for robust authentication and authorization mechanisms to prevent such attacks.

What Comes Next

Salesloft has taken immediate action to revoke all active access and refresh tokens for the Drift application, and notified impacted customers to re-authenticate their Salesforce connection. The company is working in collaboration with Salesforce and Google's Mandiant threat researchers to provide detailed information regarding attacker actions in affected environments.

Google's advisory emphasizes the importance of invalidating all tokens stored in or connected to Salesloft integrations, regardless of the third-party service in question. This serves as a reminder for organizations to regularly review and update their authentication mechanisms to prevent similar attacks.
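
To decide which credentials need rotating, a defender can scan an export of the Salesforce records the integration could read for the credential types the attackers targeted. The following is an added example, not code from Google, Salesloft or the original article; the regex patterns, the record layout and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumed, illustrative patterns for the credential types the article names.
# Only the AWS access key ID shape (AKIA/ASIA + 16 chars) is a fixed format;
# the others are keyword heuristics and need tuning against real data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "vpn_credential": re.compile(r"\bvpn\b[^\n]{0,80}?\b(?:password|passwd|pwd|secret)\b\s*[:=]", re.I),
    "generic_secret": re.compile(r"\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+", re.I),
}

def redact(value, keep=4):
    """Keep a short prefix so reports never re-expose the secret itself."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """Return sorted (record_id, field, kind, redacted_match) tuples."""
    findings = set()
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    findings.add((rec["Id"], field, kind, redact(m.group(0))))
    return sorted(findings)

def rotation_list(findings):
    """Group findings by credential kind -> sorted record ids to review."""
    out = {}
    for rec_id, _field, kind, _match in findings:
        out.setdefault(kind, set()).add(rec_id)
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample rows, shaped like an export of support-case records.
SAMPLE = [
    {"Id": "case-001", "Subject": "S3 sync failing",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE from the deploy box."},
    {"Id": "case-002", "Subject": "VPN access",
     "Description": "VPN login for contractor, password: Summer2025!"},
    {"Id": "case-003", "Subject": "Warehouse login",
     "Description": "Account URL is acme-xy12345.snowflakecomputing.com"},
    {"Id": "case-004", "Subject": "Billing question",
     "Description": "Customer asked about invoice dates."},
]

if __name__ == "__main__":
    for kind, ids in rotation_list(scan_records(SAMPLE)).items():
        print(kind, ids)
```

Every record a pattern flags points at a secret that should be treated as exposed and rotated at its issuing service; removing it from the record afterwards does not undo the exposure.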

Key Facts

  • The breach at Salesloft compromised sensitive data from multiple organizations, including AWS keys, VPN credentials, and Snowflake tokens.
  • The attackers exploited stolen OAuth tokens associated with the Salesloft Drift third-party application to access Salesforce instances.
  • Google warned that over 700 organizations could have been impacted by the breach.
  • Salesloft has revoked all active access and refresh tokens for the Drift application, and notified impacted customers to re-authenticate their Salesforce connection.
  • The incident highlights the vulnerabilities inherent in AI chatbot integrations and emphasizes the need for robust authentication and authorization mechanisms.