Salesforce & Salesloft Data Breach: 10 Days of Unauthorized Access
Salesforce and Salesloft have confirmed a data breach affecting their customers' contact information. The breach, attributed to the UNC6395 threat actor, occurred between August 8 and 18, 2025.
The breach exploited legitimate OAuth authentication mechanisms, bypassing traditional security controls. UNC6395 harvested credentials and sensitive data, including AWS keys, Snowflake tokens, and passwords. The compromised data included commonly available business contact details and Salesforce-specific content. Unit 42 recommended immediate investigation and log review, while Zscaler confirmed the breach was limited to the Salesforce environment. Palo Alto Networks and Zscaler have also confirmed they were affected. Salesforce invalidated active tokens and removed Drift from AppExchange, and disabled all integrations between Salesforce and Salesloft technologies.
The threat actor, UNC6395, also known as Cold River, has primarily targeted governments, think tanks, and academic institutions. Salesforce and Salesloft are the only publicly identified corporate victims. Customers are advised to monitor their accounts and change passwords if necessary.
Read also:
- Unveiling the Less-Discussed Disadvantages of Buds - Revealing the Silent Story
- "In a daring decision, Battlefield 6 forgoes ray tracing - understanding the advantages this choice brings"
- Dubai's WETEX 2023: Global Showcase for Clean Energy & Sustainability
- Nissan Bolsters Supply Chain Compliance with New Manager and Digital Tools
