Ethical Hacking News
The breach at AI chatbot maker Salesloft highlights the complex web of cybercrime and social engineering that has been at play in recent times. ShinyHunters, a group known for its use of social engineering to break into cloud platforms and third-party IT providers, has been linked to this breach.
Hundreds of millions of records were stolen in a sophisticated breach at AI chatbot maker Salesloft. The attackers, linked to ShinyHunters, used valid authentication tokens to siphon large amounts of data from corporate Salesforce instances. The breach highlights the need for companies using Salesloft Drift to take immediate action and invalidate all stored tokens. Companies must also consider implementing additional security measures to protect against social engineering attacks, such as voice phishing.
In recent days, the cybersecurity landscape has been marred by a sophisticated breach at AI chatbot maker Salesloft, which has left hundreds of millions of breached records in its wake. The breach, which was announced on August 20, 2025, revealed that the attackers had stolen valid authentication tokens for hundreds of online services, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.
According to various reports, the breach was discovered when Salesloft detected a security issue in its Drift application. Salesloft's alert urged customers to re-authenticate their connections between the Drift and Salesforce apps to invalidate existing authentication tokens. However, it appears that these tokens had already been stolen by unidentified hackers tracked as UNC6395.
The attackers, who have been linked to a group known as ShinyHunters, used the access tokens to siphon large amounts of data from numerous corporate Salesforce instances. Google Threat Intelligence Group (GTIG) warned that the data theft began on August 8, 2025 and lasted through at least August 18, 2025.
In its advisory, GTIG stated that, if successful, the attackers could use the stolen credentials to further compromise victim and client environments, as well as pivot to the victims' clients or partner environments. GTIG urged organizations that use Salesloft Drift to integrate with third-party platforms (including but not limited to Salesforce) to consider their data compromised and take immediate remediation steps.
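One way to scope exposure for the window GTIG reported is to summarise what the integration's token read, and from where, between August 8 and August 18, 2025. The sketch below is an added example, not code from the article, Salesloft, Salesforce or GTIG; the CSV columns, the app label, the IP addresses and the allowlist are constructed assumptions standing in for whatever API or login audit export an organization actually has.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Window from the article (Aug 8 through at least Aug 18, 2025), treated as UTC.
# The end is exclusive so all of Aug 18 is covered; widen it if activity continues.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)

# Constructed sample export; column names and values are hypothetical.
SAMPLE_LOG = """timestamp,connected_app,source_ip,rows_returned
2025-08-05T10:00:00Z,Drift,198.51.100.10,120
2025-08-09T02:14:00Z,Drift,203.0.113.77,48000
2025-08-09T02:20:00Z,Drift,203.0.113.77,51000
2025-08-12T09:30:00Z,Drift,198.51.100.10,90
2025-08-12T11:00:00Z,OtherApp,203.0.113.77,10
2025-08-18T23:59:00Z,Drift,203.0.113.80,7000
2025-08-20T08:00:00Z,Drift,203.0.113.77,300
"""

def triage(log_text, app="Drift", known_ips=frozenset({"198.51.100.10"})):
    """Summarise in-window API activity for one integration, per source IP.

    Returns {ip: {"events": n, "rows": total, "known": bool}} so an analyst
    can see which addresses used the integration's token and how much they read.
    """
    summary = defaultdict(lambda: {"events": 0, "rows": 0, "known": False})
    for rec in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        if rec["connected_app"] != app or not (WINDOW_START <= ts < WINDOW_END):
            continue
        entry = summary[rec["source_ip"]]
        entry["events"] += 1
        entry["rows"] += int(rec["rows_returned"])
        entry["known"] = rec["source_ip"] in known_ips
    return dict(summary)

def suspicious(summary):
    """Source IPs outside the allowlist, largest data volume first."""
    hits = [(ip, s["rows"]) for ip, s in summary.items() if not s["known"]]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for ip, rows in suspicious(triage(SAMPLE_LOG)):
        print(f"{ip}: {rows} rows read via integration token during window")
```

Rows attributed to addresses outside the integration's expected egress range give a starting list of records to treat as exposed and of secrets inside those records to rotate.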
This breach highlights the complex web of cybercrime and social engineering that has been at play in recent times. ShinyHunters, a group known for its use of social engineering to break into cloud platforms and third-party IT providers, has been linked to this breach. The group's tactics, which involve using voice phishing to trick targets into connecting malicious apps to their organization's Salesforce portal, have been responsible for data breaches and extortion attacks affecting numerous companies.
One such company was Adidas, which suffered a breach in June 2025. Another affected company is Allianz Life, which reported a ransomware attack on its systems in July 2025. Qantas also fell victim to a social engineering campaign that used voice phishing to trick employees into connecting malicious apps to their organization's Salesforce portal.
In addition to these companies, numerous others have been targeted by ShinyHunters and its associates. The group has posted dozens of stolen databases on cybercrime communities like the now-defunct Breachforums.
The breach at Salesloft also raises questions about the security measures in place for AI chatbot makers. Drift, the technology that powers the AI chatbots used by numerous corporate websites, is designed to provide seamless integration with Salesforce and other third-party platforms. However, it appears that this integration has created a vulnerability that attackers can exploit.
Salesloft has announced that its products are trusted by 5,000+ customers, including some of the bigger names in the industry. The company's homepage features a number of prominent logos, including those of major brands such as Salesforce, Slack, and Pardot.
In light of this breach, it is essential for companies using Salesloft Drift to take immediate action. They must invalidate all tokens stored in or connected to their Salesloft integrations, regardless of the third-party service in question. This will help prevent further exploitation by attackers.
Furthermore, organizations should consider implementing additional security measures to protect themselves against social engineering attacks. Voice phishing is a common tactic used by attackers to trick employees into connecting malicious apps to their organization's systems. Therefore, it is crucial for companies to educate their employees about the dangers of voice phishing and implement robust training programs to prevent such attacks.
In conclusion, the breach at Salesloft highlights the complex web of cybercrime and social engineering that has been at play in recent times. The attackers, linked to ShinyHunters, used sophisticated tactics to steal hundreds of millions of breached records. Companies using Salesloft Drift must take immediate action to protect themselves against further exploitation.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Salesloft-Breach-A-Complex-Web-of-Cybercrime-and-Social-Engineering-ehn.shtml
Published: Mon Sep 1 17:41:38 2025 by llama3.2 3B Q4_K_M