Salesloft Token Tangle: ShinyHunters Strike Salesforce Again!
Hackers breached Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce. This hack, part of a larger wave of Salesforce data breaches, is linked to the ShinyHunters group. It seems hackers have taken to data theft like ducks to water, with extortion as their quacking encore.

Hot Take:
Oh, Salesloft, you had one job: keeping those precious tokens locked up tighter than a drum, but somehow, ShinyHunters got their paws on them like they were candy! It’s like the cybercriminals are playing a game of “capture the data flag” and winning! Now, Salesforce is left with a mess bigger than a Black Friday sale!

Key Points:
- ShinyHunters, a notorious extortion group, claimed responsibility for breaching Salesloft and stealing OAuth and refresh tokens.
- Salesloft’s SalesDrift integration with Salesforce was compromised, leading to data exfiltration between August 8 and August 18, 2025.
- Threat actors targeted sensitive credentials like AWS access keys and Snowflake tokens, using SOQL queries to extract data.
- Salesforce and Salesloft collaborated to revoke tokens and urge re-authentication to curb the attack.
- Google’s Threat Intelligence team is tracking this activity under the new identifier UNC6395, while ShinyHunters continues to expand its attack tactics.