Salesloft AI Breach: Ongoing Fallout & Security Concerns
Summary of the Salesloft/Salesforce Data Breach & Associated Threat Actors
A breakdown of the key details of the data breach and the threat actors involved:
The Incident:
What happened: attackers exploited stolen access tokens from Salesloft to access and siphon data from numerous corporate Salesforce instances.
Timeline: The data theft began as early as August 8, 2025, and continued through at least August 18, 2025.
No Salesforce vulnerability: The breach wasn’t due to a flaw in the Salesforce platform itself, but rather misuse of stolen credentials.
Data Targeted: Attackers are actively searching the stolen data for credentials like AWS keys, VPN logins, and Snowflake access. Successful exploitation of these credentials could lead to further compromises.
Impact: Organizations using Salesloft integrations (especially with Salesforce) are urged to consider their data compromised and take immediate action. Salesforce has blocked Drift integrations with its platforms (Slack, Pardot, Salesforce itself).
Google’s Involvement: One of Google’s corporate Salesforce instances was compromised, and they were the first to publicly disclose the incident. A small number of Google Workspace accounts integrated with Salesloft were also accessed.
Threat Actors Involved:
UNC6040: Google’s initial designation for the attackers who compromised their Salesforce instance.
ShinyHunters: The extortionists consistently claimed to be this group. ShinyHunters is a known threat actor specializing in social engineering to breach cloud platforms and third-party providers, and then leaking the stolen databases. They’ve been active since 2020 and are responsible for numerous data leaks. Their membership is fluid, operating within Telegram and Discord communities.
Scattered Spider: There’s evidence suggesting overlap in tactics, techniques, and procedures (TTPs) between ShinyHunters and Scattered Spider, indicating potential collaboration or shared members. Scattered Spider is known for voice phishing and extortion.
“Scattered LAPSUS$ Hunters 4.0”: A newly launched Telegram channel claiming responsibility for the Salesloft hack, further complicating attribution. This group appears to be a deliberate attempt to confuse the situation.
UNC6395: Another designation used to identify the attackers.
Related Campaigns:
Voice Phishing Campaign: This breach follows a broader campaign using voice phishing to trick individuals into connecting malicious apps to Salesforce portals, leading to previous breaches at companies like adidas, Allianz Life, and Qantas.
Key takeaways:
This incident highlights the risk of supply chain attacks – compromising a third-party provider (Salesloft) to gain access to numerous customer systems.
Strong credential management and immediate token invalidation are crucial in mitigating the impact of such breaches.
Attribution is complex, with multiple groups possibly involved and actively attempting to claim or obfuscate responsibility.
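As an added example (not from the original article), the defender’s counterpart to the credential hunt described above: scan exported Salesforce text fields for the credential types the attackers are known to search for (AWS keys, VPN logins, Snowflake access) and produce a rotation list of affected records. The record IDs, contents and regex patterns are constructed for illustration.

```python
import re

# Constructed sample of Salesforce Case records as they might appear in a bulk
# export; fabricated for this example, not data from the incident.
SAMPLE_RECORDS = [
    {"Id": "500xx0000000001", "Body": "Customer upload failing. Temp creds: "
        "AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500xx0000000002", "Body": "Reset password for VPN user jdoe, vpn password: Winter2025!"},
    {"Id": "500xx0000000003", "Body": "Analytics access via "
        "https://xy12345.us-east-1.snowflakecomputing.com, user ETL_SVC"},
    {"Id": "500xx0000000004", "Body": "Customer asked about invoice dates. No action needed."},
]

# Credential shapes the article says the attackers hunt for in stolen CRM data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-char base64-ish run not embedded in a longer token: AWS secret key shape.
    "aws_secret_key_candidate": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "snowflake_account": re.compile(
        r"\bhttps?://[a-z0-9_.-]+\.snowflakecomputing\.com\b", re.I),
    # "vpn" followed within 40 chars by a password-style assignment.
    "vpn_credential": re.compile(
        r"\bvpn\b.{0,40}?\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+", re.I),
}


def redact(value, keep=4):
    """Keep a short prefix so the exposure report does not re-leak the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def find_exposed_secrets(records, text_field="Body"):
    """Return (record_id, secret_type, redacted_match) for every pattern hit."""
    hits = []
    for rec in records:
        text = rec.get(text_field) or ""
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                hits.append((rec["Id"], name, redact(match.group(0))))
    return hits


def rotation_plan(hits):
    """Group affected record IDs by secret type: what must be rotated, and where it lived."""
    plan = {}
    for record_id, secret_type, _ in hits:
        plan.setdefault(secret_type, set()).add(record_id)
    return {k: sorted(v) for k, v in plan.items()}


if __name__ == "__main__":
    for secret_type, ids in rotation_plan(find_exposed_secrets(SAMPLE_RECORDS)).items():
        print(f"{secret_type}: rotate; found in records {', '.join(ids)}")
```

Every record that sat in the instance during the exfiltration window should be treated as read by the attacker, so the scan is a prioritisation aid for rotation, not proof that unmatched records are safe.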
