Salesforce Data Breach – Investigated by Federman & Sherwood

Oklahoma City, Oklahoma (September 9, 2025) – The law firm of Federman & Sherwood today announced its investigation into a widespread data breach involving Salesforce environments. According to multiple reports, threat actors exploited integrations—specifically involving Salesloft’s Drift chatbot—to exfiltrate significant data from at least 700 organizations across multiple sectors.

Scope and Methodology of the Breach

  • Between August 8 and August 18, 2025, malicious actors tracked as UNC6395 gained unauthorized access to Salesforce customer environments by exploiting compromised OAuth tokens via Salesloft Drift. These actors systematically extracted sensitive data such as AWS access keys, passwords, and Snowflake access tokens.
  • The campaign did not exploit any vulnerabilities in Salesforce but leveraged existing OAuth permissions granted to Drift, enabling the attackers to bypass typical technical controls.

Companies Confirming Impact

Several high-profile organizations have publicly acknowledged that their Salesforce instances were accessed as part of this breach:

  1. Cloudflare – Exposed customer contact details, support case data, and 104 API tokens (all rotated proactively).
  2. Palo Alto Networks – Exposed business contact and internal sales account data; integration disabled swiftly.
  3. Zscaler – Compromised information included customer names, business email addresses, phone numbers, job titles, locations, and basic case content.
  4. Proofpoint, SpyCloud, Tanium, and Tenable have also confirmed that their Salesforce data was accessed via the compromised integration.
  5. BeyondTrust, Bugcrowd, CyberArk, Cato Networks, JFrog, PagerDuty, Rubrik, and Elastic have since been added to the list of affected cybersecurity firms.
  6. Workday disclosed unauthorized access to basic business contact info through a third-party CRM—likely part of this social engineering wave.
  7. Google reported that its Salesforce instance was targeted by an earlier campaign attributed to a different threat cluster, UNC6040, linked to groups like ShinyHunters, involving extortion attempts via voice phishing. While separate, this illustrates broader targeting of Salesforce environments.

Breach Magnitude & Response

  • Investigators estimate over 700 organizations were affected by this supply-chain incident.
  • Concurrently, Google Workspace accounts that had Drift email integrations were compromised in some cases; however, access did not extend beyond those specific accounts. Google has since revoked all relevant OAuth tokens and disabled the integration.
  • Salesforce cooperated with Salesloft to revoke access and has encouraged affected customers to rotate credentials and review related system activity.

Federman & Sherwood is representing impacted individuals and entities who have received notifications stemming from this breach. The firm is reviewing potential liability arising from inadequate controls around third-party integrations and evaluating the adequacy of breach response actions.

If you or your organization received a notice or believe your data may have been compromised due to the Salesforce-Salesloft Drift breach, we encourage you to contact us to understand your legal rights and explore your options.

Please complete the Data Breach Questionnaire and someone will reach out to you.