
The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft

ID: 42f6aaa4-e9ee-55d2-8c6e-5169ec4e95d9

STIX ID: report--42f6aaa4-e9ee-55d2-8c6e-5169ec4e95d9

Feed Name: Krebs on Security

Threat Score: 78/100

Date Published: 2025-09-01

Date Updated: 2026-04-19

Author: BrianKrebs


Salesloft’s Drift integration suffered a theft of authentication tokens that enabled attackers (identified by Google as UNC6395) to siphon data from multiple corporate Salesforce instances between Aug 8–18, 2025 and to access a limited number of Google Workspace accounts; stolen tokens span many third-party services (Slack, AWS S3, Azure, OpenAI, etc.), creating high risk of further compromise and lateral pivoting. Google and Salesloft advise immediate invalidation of all Salesloft-related tokens; Salesloft engaged Mandiant to investigate. Attribution remains uncertain but the incident is linked contextually to voice-phishing social-engineering campaigns and criminal groups claiming responsibility on Telegram.
