Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
Summary
Hide ▲
Show ▼
The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat group ShinyHunters and Scattered Spider claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments. UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
Timeline
-
15.09.2025 00:56 2 articles · 14d ago
FBI issues FLASH alert on UNC6040 and UNC6395 Salesforce data theft campaigns
The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. UNC6040 has conducted social engineering attacks primarily vishing to access organizations' Salesforce accounts. UNC6040 would pose as IT support employees and call the target's call center, claiming that they're addressing "enterprise-wide connectivity issues." UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies' Salesforce instances to exfiltrate customer data. In some cases, the attackers would trick the employee into visiting a phishing page in order to gain initial access, before using API calls to harvest data. In other cases, the attacker simply requests login or MFA credentials. UNC6040 tricks organizations into authorizing malicious apps to connect to the org's Salesforce portal. The application, often a modified version of Salesforce's Data Loader, gives threat actors the ability to exfiltrate large amounts of sensitive data while bypassing authentication requirements. The applications are created via Salesforce trial accounts, which do not require a legitimate corporate account register the apps. Some UNC6040 victims have then received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data. The FBI alert said that on August 20, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application, terminating any threat actor access to victims' Salesforce platforms from the previously connected Salesloft app. Salesforce re-enabled integrations with Salesloft technologies, with the exception of any Drift app, and that Drift will remain disabled until further notice. The campaigns were not limited to Salesloft's Drift integration, and the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. These campaigns do not involve any vulnerability in the Salesforce platform. The FBI recommends organizations train call center employees to recognize and report phishing attempts, require employees use phishing-resistant MFA, implement "authentication, authorization, and accounting (AAA) systems to limit actions users can perform," enforce IP-based access restrictions, monitor network logs and browser activity for signs of compromise, and review all third-party connections to software instances. The advisory includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
Show sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
-
08.09.2025 18:26 3 articles · 21d ago
Salesloft identifies GitHub account compromise as breach origin
The article provides further details on the initial breach of Salesloft's GitHub account in March 2025, which led to the theft of Drift OAuth tokens. The compromise allowed threat actors to access customer data across various integrations, including Salesforce and Google Workspace. The article also confirms the involvement of the ShinyHunters extortion gang and threat actors claiming to be Scattered Spider in the attacks.
Show sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
-
03.09.2025 19:40 3 articles · 26d ago
Workiva confirms data breach due to Salesloft Drift OAuth compromise
Workiva, a cloud-based SaaS provider, was impacted by the Salesforce data breach via Salesloft Drift OAuth tokens. The breach impacted over 700 organizations, including Workiva, and exposed customer information. Workiva's customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, and Mercedes-Benz. The threat actors exfiltrated a limited set of business contact information, including names, email addresses, phone numbers, and support ticket content. Workiva stated that its platform and any data within it were not accessed or compromised, and that the breach was limited to the third-party CRM system.
Show sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
-
03.09.2025 06:53 3 articles · 26d ago
Salesloft engages cybersecurity partners for incident response
Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key.
Show sources
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
-
02.09.2025 22:54 3 articles · 27d ago
Cloudflare confirms data breach due to Salesloft Drift OAuth compromise
Cloudflare was impacted by the Salesloft Drift supply-chain attack, revealing that attackers accessed a Salesforce instance used for customer case management and support, containing 104 Cloudflare API tokens. The breach involved the theft of text-based data from Salesforce case objects, including customer support tickets and associated data, between August 12 and August 17. Cloudflare suspects the threat actor intended to harvest credentials and customer information for future attacks.
Show sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
-
02.09.2025 15:00 4 articles · 27d ago
Palo Alto Networks confirms data breach due to Salesloft Drift OAuth compromise
The Palo Alto Networks incident was limited to its Salesforce CRM and did not affect any of its products, systems, or services. The threat actor searched for secrets, including AWS access keys, VPN and SSO login strings, Snowflake tokens, and generic keywords such as "secret," "password," or "key."
Show sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
-
01.09.2025 20:00 4 articles · 28d ago
Zscaler reports data breach due to compromised Salesloft Drift credentials
The customer information stolen from Zscaler's Salesforce instance includes names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases.
Show sources
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
-
29.08.2025 10:24 5 articles · 1mo ago
Google Workspace email accounts accessed via stolen OAuth tokens
The article confirms that the threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets.
Show sources
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
-
27.08.2025 12:39 16 articles · 1mo ago
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
The breach has expanded to include Stellantis, a multinational automotive corporation, which confirmed that attackers stole customer contact information from its North American customers. The breach occurred via a third-party service provider's platform supporting Stellantis' customer service operations. ShinyHunters claimed responsibility for the Stellantis data breach and stated they stole over 18 million Salesforce records. The extortion group has targeted numerous high-profile companies, including Google, Cisco, Qantas, Adidas, and others. ShinyHunters used stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to steal sensitive information.
Show sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
Information Snippets
-
The breach involved the exploitation of OAuth tokens associated with the Drift AI chat agent integrated with Salesloft.
First reported: 27.08.2025 12:394 sources, 16 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actor, UNC6395, targeted Salesforce customer instances through compromised OAuth tokens.
First reported: 27.08.2025 12:394 sources, 16 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The campaign was active from August 8 to at least August 18, 2025.
First reported: 27.08.2025 12:394 sources, 10 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
-
Over 700 organizations were potentially impacted by the breach.
First reported: 27.08.2025 12:394 sources, 12 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
-
The attackers exported large volumes of data, including AWS access keys, passwords, and Snowflake access tokens.
First reported: 27.08.2025 12:394 sources, 15 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft identified the security issue on August 20, 2025, and revoked connections between Drift and Salesforce.
First reported: 27.08.2025 12:394 sources, 11 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesforce confirmed that a small number of customers were impacted and that the issue stemmed from a compromise of the app's connection.
First reported: 27.08.2025 12:394 sources, 12 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6395 demonstrated operational security awareness by deleting query jobs to cover their tracks.
First reported: 27.08.2025 12:393 sources, 8 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
-
The targeted organizations included security and technology companies, indicating a potential supply chain attack strategy.
First reported: 27.08.2025 12:394 sources, 12 articlesShow sources
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service.
First reported: 27.08.2025 22:054 sources, 13 articlesShow sources
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys.
First reported: 27.08.2025 22:054 sources, 13 articlesShow sources
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat group ShinyHunters claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise.
First reported: 27.08.2025 22:054 sources, 12 articlesShow sources
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics.
First reported: 27.08.2025 22:054 sources, 14 articlesShow sources
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040.
First reported: 27.08.2025 22:054 sources, 14 articlesShow sources
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach impacts all integrations connected to the Drift platform, not just Salesforce.
First reported: 29.08.2025 10:244 sources, 14 articlesShow sources
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers used stolen OAuth tokens to access email from a small number of Google Workspace email accounts on August 9, 2025.
First reported: 29.08.2025 10:244 sources, 14 articlesShow sources
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Google revoked the specific OAuth tokens granted to the Drift Email application and disabled the integration functionality between Google Workspace and Salesloft Drift.
First reported: 29.08.2025 10:244 sources, 14 articlesShow sources
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesforce temporarily disabled all Salesloft integrations with Salesforce.
First reported: 29.08.2025 10:244 sources, 13 articlesShow sources
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft stated there is no evidence of malicious activity detected in the Salesloft integrations related to the Drift incident.
First reported: 29.08.2025 10:244 sources, 11 articlesShow sources
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Zscaler reported a data breach after threat actors accessed its Salesforce instance via compromised Salesloft Drift credentials.
First reported: 01.09.2025 20:004 sources, 12 articlesShow sources
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach exposed customer information, including names, business email addresses, job titles, phone numbers, regional details, product licensing information, and support case contents.
First reported: 01.09.2025 20:004 sources, 12 articlesShow sources
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Zscaler has revoked all Salesloft Drift integrations, rotated API tokens, and strengthened customer authentication protocols.
First reported: 01.09.2025 20:004 sources, 12 articlesShow sources
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Google Threat Intelligence identified UNC6395 as the actor behind the attacks, targeting sensitive credentials such as AWS access keys, passwords, and Snowflake tokens.
First reported: 01.09.2025 20:004 sources, 12 articlesShow sources
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The Salesloft supply-chain attack impacted Drift Email, allowing access to Google Workspace email accounts.
First reported: 01.09.2025 20:004 sources, 12 articlesShow sources
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Some researchers suggest a potential overlap between the Salesloft Drift compromise and recent Salesforce data theft attacks by the ShinyHunters extortion group.
First reported: 01.09.2025 20:004 sources, 13 articlesShow sources
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks suffered a data breach that exposed customer data and support cases after attackers abused compromised OAuth tokens from the Salesloft Drift breach to access its Salesforce instance.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks was one of hundreds of companies affected by the supply-chain attack.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers exfiltrated business contact information, account records, and basic case data.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers searched for AWS access keys, Snowflake tokens, VPN and SSO login strings, and generic keywords such as "password," "secret," or "key."
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers used automated tools, including custom Python scripts, to steal data.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers deleted logs and used Tor to evade detection.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks has revoked the associated tokens and rotated credentials.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks recommends investigating Salesforce, identity provider, and network logs for potential compromise.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks recommends reviewing all Drift integrations for suspicious connections.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks recommends revoking and rotating authentication keys, credentials, and secrets.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks recommends using automated tools to scan code repositories for embedded authentication keys or tokens.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks, Salesforce, and Google have disabled Drift integrations while the investigation continues.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The Salesloft supply chain attack has impacted other companies, including Zscaler and Google.
First reported: 02.09.2025 15:004 sources, 11 articlesShow sources
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Cloudflare was impacted by the Salesloft Drift supply-chain attack, revealing that attackers accessed a Salesforce instance used for customer case management and support, containing 104 Cloudflare API tokens.
First reported: 02.09.2025 22:544 sources, 11 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Cloudflare was notified of the breach on August 23 and informed impacted customers on September 2.
First reported: 02.09.2025 22:544 sources, 11 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Cloudflare rotated all 104 exfiltrated tokens and found no suspicious activity linked to these tokens.
First reported: 02.09.2025 22:544 sources, 11 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach involved the theft of text-based data from Salesforce case objects, including customer support tickets and associated data, but no attachments, between August 12 and August 17.
First reported: 02.09.2025 22:544 sources, 11 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The exfiltrated data included customer contact information, case subjects, and bodies, which may contain sensitive information like access tokens.
First reported: 02.09.2025 22:544 sources, 11 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Cloudflare suspects the threat actor intended to harvest credentials and customer information for future attacks.
First reported: 02.09.2025 22:544 sources, 10 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actor searched for secrets, including AWS access keys, VPN and SSO login strings, Snowflake tokens, and generic keywords such as "secret," "password," or "key."
First reported: 02.09.2025 22:544 sources, 11 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The Palo Alto Networks incident was limited to its Salesforce CRM and did not affect any of its products, systems, or services.
First reported: 02.09.2025 22:544 sources, 10 articlesShow sources
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft is taking Drift offline to review the application and build additional security measures.
First reported: 03.09.2025 06:534 sources, 9 articlesShow sources
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft is working with cybersecurity partners Mandiant and Coalition for incident response.
First reported: 03.09.2025 06:534 sources, 9 articlesShow sources
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach impacted more than 700 organizations, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, and Zscaler.
First reported: 03.09.2025 06:534 sources, 7 articlesShow sources
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesforce temporarily disabled all Salesloft integrations with Salesforce as a precautionary measure.
First reported: 03.09.2025 06:534 sources, 9 articlesShow sources
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actor intended to harvest credentials and customer information for future attacks.
First reported: 03.09.2025 06:534 sources, 9 articlesShow sources
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actor tracked as GRUB1 by Cloudflare was involved in the campaign.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The campaign was attributed to a threat actor tracked as UNC6395 by Google and GRUB1 by Cloudflare.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers used Salesloft integration credentials to access Cloudflare's Salesforce instance.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers ran queries for several days for reconnaissance and launched a Salesforce Bulk API 2.0 job on August 17 to exfiltrate a database in roughly three minutes.
First reported: 03.09.2025 12:534 sources, 8 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers exfiltrated customer contact information and basic support case data, which could expose customer configuration and sensitive information such as logs, tokens, and passwords.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Cloudflare found 104 Cloudflare API tokens in the compromised data and rotated all of them as a precautionary measure.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The customer information stolen from Zscaler's Salesforce instance includes names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks confirmed it was one of hundreds of customers impacted by the supply chain attack targeting the Salesloft Drift application that exposed Salesforce data.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data from Palo Alto Networks.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks is in the process of directly notifying any impacted customers.
First reported: 03.09.2025 12:534 sources, 8 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actor intended to harvest credentials and customer information for future attacks, potentially launching targeted attacks against customers across the affected organizations.
First reported: 03.09.2025 12:534 sources, 9 articlesShow sources
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Workiva, a cloud-based SaaS provider, was impacted by the Salesforce data breach via Salesloft Drift OAuth tokens.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Workiva's customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, and Mercedes-Benz.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actors exfiltrated a limited set of business contact information from Workiva, including names, email addresses, phone numbers, and support ticket content.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Workiva's cloud software helps collect, connect, and share data for financial reports, compliance, and audits.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Workiva had 6,305 customers at the end of last year and reported revenues of $739 million in 2024.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Workiva warned impacted customers to remain vigilant, as the stolen information could be used in spear-phishing attacks.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Workiva stated that its platform and any data within it were not accessed or compromised.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Workiva's CRM vendor notified them of unauthorized access via a connected third-party application.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach was part of the recent wave of Salesforce data breaches linked to the ShinyHunters extortion group.
First reported: 03.09.2025 19:403 sources, 8 articlesShow sources
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attack affected other Salesloft integrations beyond Salesforce.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Okta successfully prevented a breach of its Salesforce instance despite threat actor efforts.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Okta's defenses included enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Okta recommends organizations demand IPSIE integration from application vendors and implement an identity security fabric.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Palo Alto Networks' Unit 42 recommended organizations conduct an immediate log review for signs of compromise and rotate exposed credentials.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft revoked active access and refresh tokens in Drift, and Salesforce disabled all Salesloft integrations to Salesforce until further notice.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Google advised all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.
First reported: 04.09.2025 19:523 sources, 7 articlesShow sources
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The Salesloft breach began with the compromise of its GitHub account, accessed by UNC6395 from March to June 2025.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actor accessed multiple repositories, added a guest user, and established workflows.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled.
First reported: 08.09.2025 18:263 sources, 6 articlesShow sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach began with the compromise of Salesloft's GitHub account in March 2025, leading to the theft of Drift OAuth tokens later used in widespread Salesforce data theft attacks in August 2025.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft first disclosed a security issue in the Drift application on August 21 and revealed more details about malicious exploitation of the OAuth tokens five days later.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Mandiant confirmed that the attackers performed reconnaissance activities in Salesloft and Drift environments between March and June 2025.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The activity escalated after the threat actors breached Drift's AWS environment, allowing them to steal the OAuth tokens used to access customer data across technology integrations, including Salesforce and Google Workspace.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft states that it rotated credentials, hardened defenses, and verified segmentation from Drift, which had its infrastructure isolated and credentials also rotated.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
With the help of Mandiant, the firm conducted threat hunting and found no additional indicators of compromise, meaning that the threat actor does not have a foothold on its environment anymore.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Mandiant has validated containment and segmentation, and engagement has now shifted to forensic quality assurance review.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
A subsequent update announced the restoration of the Salesloft integration with Salesforce, following the precautionary suspension triggered by the Drift security incident.
First reported: 08.09.2025 18:432 sources, 5 articlesShow sources
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The threat actor, tracked as UNC6395, compromised Salesloft's GitHub account as early as March 2025.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6395 conducted reconnaissance in the Salesloft and Drift application environments between March and June 2025.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6395 gained access to Drift's AWS environment and stole OAuth tokens for Drift customers' technology integrations.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft's update on Mandiant's investigation provided more clarity on how the campaign unfolded.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
GitHub has emerged as a rich attack vector for a variety of threat actors in recent years, for everything from code poisoning campaigns to developer-focused supply chain attacks.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Drift customers that had their Salesforce instances breached include Zscaler, Proofpoint, Palo Alto Networks, and Cloudflare.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
More victims have emerged, including Tenable and Qualys, joining an already long list that includes technology companies Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft said the campaign did not affect customers who don't use the company's Drift-Salesforce integration.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Cloudflare said in its disclosure that it was just one of "hundreds of other companies" targeted in the supply chain campaign.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesforce had disabled all integrations with Salesloft, but integration between its platform and Salesforce has resumed.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesforce said it has restored integrations with Salesloft products and technologies with the exception of any Drift app.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Drift will remain disabled until further notice as part of the continued response to the security incident.
First reported: 08.09.2025 23:172 sources, 4 articlesShow sources
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6040 was first disclosed by Google Threat Intelligence (Mandiant) in June, who warned that since late 2024, threat actors were using social engineering and vishing attacks to trick employees into connecting malicious Salesforce Data Loader OAuth apps to their company's Salesforce accounts.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
In some cases, the threat actors impersonated corporate IT support personnel, who used renamed versions of the application called "My Ticket Portal."
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Once connected, the threat actors used the OAuth application to mass-exfiltrate corporate Salesforce data, which was then used in extortion attempts by the ShinyHunters extortion group.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
In these early data theft attacks, ShinyHunters primarily targeted the "Accounts" and "Contacts" database tables, which are both used to store data about a company's customers.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
These data theft attacks were widespread, impacting large and well-known companies, such as Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Later data theft attacks in August also targeted Salesforce customers, but this time utilized stolen Salesloft Drift OAuth and refresh tokens to breach customers' Salesforce instances.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
This activity is tracked as UNC6395 and is believed to have occurred between August 8th and 18th, with the threat actors using the tokens to target the company's support case information that was stored in Salesforce.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The exfiltrated data was then analyzed to extract secrets, credentials, and authentication tokens shared in support cases, including AWS keys, passwords, and Snowflake tokens. These credentials could then be used to pivot to other cloud environments for additional data theft.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesloft worked with Salesforce to revoke all Drift tokens and required customers to reauthenticate to the platform.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
It was later revealed that the threat actors also stole Drift Email tokens, which were used to access emails for a small number of Google Workspace accounts.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
An investigation by Mandiant determined the attack originated in March, when Salesloft's GitHub repositories were compromised, allowing attackers to ultimately steal the Drift OAuth tokens.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI did not name the groups behind these campaigns, but BleepingComputer was told by the ShinyHunters extortion group that they and other threat actors calling themselves "Scattered Lapsus$ Hunters" were behind both clusters of activity.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
This group of hackers claims to have originated from and overlap with the Lapsus$, Scattered Spider, and ShinyHunters extortion groups.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
On Thursday, the threat actors announced via a domain associated with BreachForums that they planned to "go dark" and stop discussing operations on Telegram.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
In a parting post, the hackers claimed to have gained access to the FBI's E-Check background check system and Google's Law Enforcement Request system, publishing screenshots as proof.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
If legitimate, this access would allow them to impersonate law enforcement and pull sensitive records of individuals.
First reported: 15.09.2025 00:562 sources, 3 articlesShow sources
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6040 has conducted social engineering attacks primarily vishing to access organizations' Salesforce accounts.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6040 would pose as IT support employees and call the target's call center, claiming that they're addressing "enterprise-wide connectivity issues."
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies' Salesforce instances to exfiltrate customer data.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
In some cases, the attackers would trick the employee into visiting a phishing page in order to gain initial access, before using API calls to harvest data.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
In other cases, the attacker simply requests login or MFA credentials.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
UNC6040 tricks organizations into authorizing malicious apps to connect to the org's Salesforce portal.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The application, often a modified version of Salesforce's Data Loader, gives threat actors the ability to exfiltrate large amounts of sensitive data while bypassing authentication requirements.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The applications are created via Salesforce trial accounts, which do not require a legitimate corporate account register the apps.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Some UNC6040 victims have then received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI alert said that on August 20, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application, terminating any threat actor access to victims' Salesforce platforms from the previously connected Salesloft app.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Salesforce re-enabled integrations with Salesloft technologies, with the exception of any Drift app, and that Drift will remain disabled until further notice.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The campaigns were not limited to Salesloft's Drift integration, and the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
These campaigns do not involve any vulnerability in the Salesforce platform.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI recommends organizations train call center employees to recognize and report phishing attempts.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI recommends organizations require employees use phishing-resistant MFA.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI recommends organizations implement "authentication, authorization, and accounting (AAA) systems to limit actions users can perform."
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI recommends organizations enforce IP-based access restrictions.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI recommends organizations monitor network logs and browser activity for signs of compromise.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The FBI recommends organizations review all third-party connections to software instances.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The advisory includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
First reported: 15.09.2025 23:022 sources, 2 articlesShow sources
- FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Stellantis, a multinational automotive corporation, confirmed a data breach affecting its North American customers.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach occurred via a third-party service provider's platform supporting Stellantis' customer service operations.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The attackers stole customer contact information, but no financial or other sensitive personal information was compromised.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
Stellantis activated incident response protocols, initiated a comprehensive investigation, and notified affected customers.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The breach is part of a recent wave of Salesforce data breaches linked to the ShinyHunters extortion group.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
ShinyHunters claimed responsibility for the Stellantis data breach and stated they stole over 18 million Salesforce records.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
ShinyHunters used stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to steal sensitive information.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
-
The extortion group has targeted numerous high-profile companies, including Google, Cisco, Qantas, Adidas, and others.
First reported: 22.09.2025 21:011 source, 1 articleShow sources
- Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
Similar Happenings
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.
GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens
GitHub is implementing enhanced security measures to protect the npm ecosystem, including mandatory two-factor authentication (2FA) and short-lived tokens. These changes aim to mitigate supply chain attacks, such as the recent "s1ngularity", "GhostAction", and "Shai-Hulud" attacks, which involved a self-replicating worm and compromised thousands of accounts and private repositories. The measures include granular tokens with a seven-day expiration, trusted publishing using OpenID Connect (OIDC), and automatic generation of provenance attestations for packages. Additionally, GitHub is deprecating legacy tokens and TOTP 2FA, expanding trusted publishing options, and gradually rolling out these changes to minimize disruption. GitHub removed over 500 compromised packages and blocked new packages containing the Shai-Hulud malware's indicators of compromise. The company encourages NPM maintainers to use NPM-trusted publishing and strengthen publishing settings to require 2FA. Ruby Central is also tightening governance of the RubyGems package manager to improve supply-chain protections.