Salesloft & Salesforce Data Breach: OAuth Tokens Compromised
Salesloft and Salesforce have announced a significant data breach, with hackers gaining access to customer data via compromised OAuth tokens. The incident, which took place between March and June 2025, has been attributed to the Shinyhunters group and has raised concerns about the security of integrated platforms.
The breach occurred when Shinyhunters compromised a GitHub account and obtained OAuth tokens. These tokens allowed them to exfiltrate data from Salesforce customer instances, with the threat actor UNC6395 systematically exporting large volumes of data. The attack was discovered on August 9, 2025, when hackers used stolen OAuth tokens to access some Google Workspace emails via the Drift Email integration.
Salesloft has warned that hackers exploited OAuth credentials in the Drift app to steal Salesforce data. All tokens connected to the Drift platform are being treated as potentially compromised. Google Threat Intelligence Group and Mandiant have advised rotating credentials and checking for breaches. Google has also warned that the Salesloft Drift OAuth breach affects all integrations, not just Salesforce.
Salesloft and Salesforce have required admins to re-authenticate and have notified impacted users. Google urges log reviews, key revocation, and credential rotation to assess any compromise. While only accounts integrated with Salesloft were at risk, with no access to other customer accounts, the breach serves as a reminder of the importance of robust security measures and regular reviews of integrated platforms.
Read also:
- Orioles' 2025 Turnaround Powered by Late-Season Pitching Acquisitions
- The Cost of Speech is Zero, True Strength Lies in Unity
- Beginning a Food Truck Venture: Crucial Stages to Achieve Profitability
- Aiming to simplify the move towards cleaner automobiles, the newly established ministry plans to take direct action with Pannier-Runacher, Létard, and Vautrin at the helm.
