Headline: Salesloft Hack Exposes Data across Salesforce, Slack, Google Workspace, and More
Introduction:
A recent security breach at Salesloft, a company specializing in AI-powered sales engagement tools, has sent shockwaves through the corporate world. Hackers successfully stole authentication tokens, granting them access to a wide range of integrated services, including Salesforce, Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI. This incident highlights the growing risks associated with third-party integrations and the potential for widespread data compromise.
Key Takeaways:
Broad Impact: The stolen authentication tokens allowed hackers to access numerous online services integrated with Salesloft, potentially impacting thousands of businesses.
Data Exfiltration: The Google Threat Intelligence Group (GTIG) confirmed that attackers siphoned large amounts of data from corporate Salesforce instances, starting as early as August 8, 2025.
Credential Harvesting: Attackers are actively searching the stolen data for valuable credentials, such as AWS keys, VPN credentials, and Snowflake access, to further compromise victim environments.
Immediate Action Required: Google advises organizations using Salesloft Drift to integrate with third-party platforms to consider their data compromised and take immediate remediation steps, including invalidating all tokens.
Salesforce Response: Salesforce has blocked Drift from integrating with its platform, as well as Slack and Pardot, to mitigate the risk.
The Timeline of Events:
- August 20, 2025: Salesloft discloses a security issue in its Drift application, urging customers to re-authenticate their Salesforce connections.
- August 26, 2025: Google’s GTIG warns of data theft from Salesforce instances via stolen Salesloft access tokens, attributing the attacks to the group UNC6395.
- August 28, 2025: GTIG updates its advisory, acknowledging access to Google Workspace accounts and urging organizations to invalidate all Salesloft-related tokens.
- August 28, 2025: Salesforce blocks Drift integrations with its platform and other services.
The Bigger Picture: Social Engineering and Authorization Sprawl
This incident follows a series of social engineering attacks targeting Salesforce portals, including those affecting major companies like Adidas, Allianz Life, and Qantas. These attacks often exploit “authorization sprawl,” where attackers abuse legitimate user access tokens to move undetected between systems.
Who is Responsible?
While a Telegram channel called “Scattered LAPSUS$ Hunters 4.0” has claimed responsibility, Google’s threat analysts have found no compelling evidence to link the Salesloft activity to known groups like ShinyHunters or Scattered Spider. The investigation is ongoing.
Expert Analysis:
Joshua Wright of Counter Hack emphasizes that attackers are increasingly leveraging centralized identity platforms and integrated authentication schemes, making it harder to detect malicious activity.
Salesloft’s Response:
Salesloft has hired Mandiant, Google Cloud’s incident response division, to investigate the root cause of the breach.
Call to Action:
Organizations using Salesloft and its integrations should immediately:
- Invalidate all authentication tokens connected to Salesloft.
- Review access logs for any suspicious activity.
- Strengthen security protocols for third-party integrations.
- Monitor for potential data breaches and credential compromise.
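To act on the credential-harvesting point above, a defender can scan its own exported Salesforce text (for example, support case bodies) for the credential types the article names and build a rotation list. This is an added example, not code from the article, Google or Salesloft; the record IDs, sample text and the Snowflake and password heuristics are assumptions, and only the AWS access key ID prefix format is a documented pattern.

```python
import re

# Heuristic patterns for the credential types named in the article.
# AKIA/ASIA + 16 chars is the documented AWS access key ID shape; the
# Snowflake URL and password patterns are assumptions for illustration.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"\b(?:vpn[ _-]?)?(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})", re.I),
}

def redact(value, keep=4):
    """Keep a short prefix so findings can be triaged without re-exposing the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """records: iterable of (record_id, text). Returns one finding per match."""
    findings = []
    for record_id, text in records:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Use the capture group when the pattern isolates the secret itself.
                secret = m.group(1) if pattern.groups else m.group(0)
                findings.append(
                    {"record": record_id, "kind": kind, "match": redact(secret)})
    return findings

def rotation_list(findings):
    """Group findings by credential type -> sorted record IDs to review and rotate."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["kind"], set()).add(f["record"])
    return {kind: sorted(ids) for kind, ids in grouped.items()}

# Constructed sample data (not real cases; the AWS key is AWS's documentation example).
SAMPLE_CASES = [
    ("CASE-001", "Customer pasted key AKIAIOSFODNN7EXAMPLE while debugging S3 upload."),
    ("CASE-002", "Login at https://xy12345.snowflakecomputing.com fails. "
                 "VPN password: Winter2025!x"),
    ("CASE-003", "Please reset my dashboard layout."),
]

if __name__ == "__main__":
    for kind, ids in rotation_list(scan_records(SAMPLE_CASES)).items():
        print(f"{kind}: rotate credentials referenced in {', '.join(ids)}")
```

Any record that produces a finding points to a credential that should be treated as exposed and rotated at its source, not just deleted from the record.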
