Hackers stole digital keys from Salesloft’s chatbot platform, exposing thousands of companies
Google says attackers tapped into Salesforce, Slack, Google Workspace, Amazon, Microsoft and more
Experts warn stolen credentials could open the door to wider cyberattacks
A major security breach at Salesloft, a company whose AI chatbot is widely used to generate sales leads, has turned into a far-reaching cyber incident that could ripple across corporate America.
Google security researchers said hackers stole authentication tokens — digital keys that connect apps and services — from Salesloft earlier this month. Those stolen keys gave intruders access not just to Salesforce data but also to a wide range of other services companies connect through Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure and even OpenAI.
The report from Google researchers was misinterpreted over the weekend as being about a breach of Google's Gmail service. Instead, Google had been advising its millions of clients to update their passwords after detecting evidence of a major internet breach.
'Security issue'
Salesloft, which says it serves more than 5,000 customers, first disclosed on August 20 that it had detected a “security issue” in its Drift application and urged clients to re-authenticate their Salesforce connections. At the time, the company did not reveal that tokens had already been stolen.
According to Google, the theft began around August 8 and lasted for at least 10 days, during which attackers pulled large amounts of data from Salesforce systems. Investigators say the hackers are combing through the stolen material for sensitive information such as cloud service logins and corporate VPN credentials that could be used in further attacks.
Google also confirmed that a handful of Google Workspace accounts tied to Salesloft integrations were accessed. On August 28, Salesforce cut off Salesloft’s Drift app from linking with its own platforms, including Slack and Pardot, to prevent further damage.
The breach comes on the heels of earlier phishing campaigns that targeted Salesforce users at major brands such as Adidas and Qantas. Cybersecurity experts warn that the same group of hackers — believed to be linked to the ShinyHunters gang — could soon use the stolen data in extortion schemes or public data leaks.
What you need to know
If your company uses Salesloft: assume data tied to it could be exposed.
Act fast: reset or revoke any connected credentials for Salesforce, Slack, Google Workspace, AWS, Microsoft, or other linked services.
Stay alert: watch for signs of follow-on attacks such as phishing, extortion attempts, or unauthorized logins.
All internet users should regularly change their passwords and keep them confidential. Avoid clicking on links or replying to emails from unknown sources.
