Major Cyberattack on Salesforce Affects Over 700 Companies

A massive data breach has hit Salesforce, with over 700 companies affected. The attack, facilitated through Salesloft's Drift integrations, has compromised sensitive customer data and credentials.

Over 700 companies have been affected by a major cyberattack targeting Salesforce's customer service data. The incident, which occurred between March and June 2025, saw hackers from the ShinyHunters group steal over 1.5 billion records. The breach was facilitated through Salesloft's Drift integrations with Salesforce's customer relationship management (CRM) systems.

The attack focused on Salesloft Drift, a third-party AI platform connected to Salesforce's data storage systems. Google's incident responders revealed that hackers systematically exported large volumes of data from numerous corporate Salesforce instances, aiming to steal sensitive credentials. Cloudflare's investigation found that customer contact information, support tickets, and API tokens were compromised, with 104 Cloudflare API tokens affected.

Atlanta-based Salesloft confirmed that a threat actor used stolen credentials to exfiltrate data from its customers' Salesforce instances, tracing the breaches back to Drift, an AI chatbot company acquired by Salesloft last year. Salesloft took the Drift platform offline and paused the Salesforce-Salesloft integration while an investigation is conducted. Zscaler and Palo Alto Networks also confirmed they were affected, with similar data accessed, including business contact details and specific Salesforce-related content.

Incident responders from Mandiant warned over a week ago about a threat actor (UNC6395) targeting data stored on Salesforce between August 8 and August 18.

More than 700 companies may have been attacked as part of the campaign, with the hackers' goal appearing to be stealing further secrets and tokens that could be used to compromise other victim environments. Several large tech companies confirmed that customer data was stolen during the wide-ranging data theft incident.
