Last Updated: October 2nd, 2025 | Categories: Breach, Cybersecurity, Ransomware


The Salesforce Breach Wave Of 2025

Hardly a week goes by without news of another corporate data breach. In 2025, cyberattacks against cloud services like CRM platforms have surged, as threat actors exploit the identity trust and connectivity built into these systems to breach high-value targets.

Two recent events stand out: the Salesforce campaign that compromised Google, Workday, and other companies, and the Salesloft Drift OAuth token breach. Both show how cybercriminals steal data using social engineering and third-party services. We examine each incident below and discuss the most important lessons businesses can learn about security.

Google And Workday Breaches Via Salesforce

In August 2025, HR software provider Workday confirmed a data breach involving a third-party CRM platform (reported to be Salesforce). Attackers accessed a database of business contact information, including names, phone numbers, and email addresses. Workday, which serves more than 11,000 organizations and roughly 70 million users, said there was no indication that customer tenants or the data within them had been accessed, and it did not state how many contact records were taken. The intrusion was discovered on August 6 and was part of a broader wave of attacks on Salesforce customers; Google and Cisco were among the other organizations that disclosed similar incidents.

Around the same time, Google disclosed that one of its own Salesforce instances had been breached. The incident, traced back to June 2025, involved a Salesforce instance used to store Google Ads leads and resulted in the theft of basic business contact details and related sales notes for small and mid-sized customers. The attackers later claimed to have taken roughly 2.5 million records from that database; Google has described the stolen data as largely basic and publicly available business information and has not confirmed the figure.

These Salesforce-linked attacks have been attributed to a threat group known as ShinyHunters (the intrusion cluster is tracked by Google as UNC6040), which has reportedly worked alongside the Scattered Spider gang. Rather than exploiting a technical vulnerability in Salesforce itself, the attackers relied on social engineering. They phoned employees while posing as IT support (vishing) and talked them into granting access, typically by walking the victim through approving a malicious connected app (often a modified copy of Salesforce's own Data Loader tool) or by extracting MFA codes, thereby opening a backdoor into the company's Salesforce instance.

Once inside, the hackers could run API queries to select and export vast amounts of customer data. Workday acknowledged that the stolen contact data, while not including sensitive personal records, could still facilitate dangerous follow-on attacks by giving criminals verified names and contact details to create credible phishing campaigns.

The Salesloft-Drift OAuth Token Breach

A separate but equally damaging incident came to light in August 2025 via the Salesloft-Drift integration. A threat actor tracked by Google as UNC6395 obtained the OAuth access and refresh tokens that Drift, a conversational sales chatbot offered by Salesloft, used to connect to its customers' Salesforce instances. Salesloft's later investigation traced the theft back to a compromise of its GitHub account between March and June 2025, from which the attacker reached the Drift AWS environment where the tokens were stored. With those tokens in hand, the attackers held what amounted to valid keys to many companies' Salesforce data (and, as Google later confirmed, to a small number of Google Workspace accounts through the separate Drift Email integration).

This supply-chain-style breach had a massive blast radius: Google reported that more than 700 organizations, including well-defended tech and cybersecurity firms, had their Salesforce instances quietly accessed through the compromised Drift integration. Industry leaders such as Palo Alto Networks, Zscaler, Cloudflare, Proofpoint, Qualys, and Tenable confirmed that their Salesforce data was affected by this single integration's compromise.

With a legitimate OAuth token in hand, the attackers could pull data directly through the Salesforce API without phishing a single user. Google's Threat Intelligence Group found that UNC6395 systematically exported large volumes of records (support case records among them) and then searched the stolen data for secrets such as AWS access keys, passwords, and Snowflake access tokens.

The CRM data itself was a means to an end: the attackers combed through it for anything that could enable deeper compromises of the victims' own environments. They also showed some operational discipline, deleting the bulk query jobs they had created so the activity would be less obvious to an administrator browsing job history. Deleting the jobs did not remove the underlying event logs, however, so affected organizations were advised to review those logs for the queries UNC6395 ran.
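The search UNC6395 ran over the exported data is the same search a defender should run over their own CRM before an attacker does. The script below is an added example (it is not from the article, from Google, or from any vendor's tooling): it scans free-text fields of constructed Salesforce-style Case records for AWS access key IDs, a paired AWS secret key, passwords pasted into notes, and Snowflake token headers, and reports each hit with a redacted preview. The record IDs, subjects and descriptions are invented; the AWS key pair is the placeholder pair from AWS's own documentation, not a live credential.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records, shaped loosely like Salesforce Case objects.
# Every value is invented for this example. The AWS key pair is the
# placeholder pair from AWS's own documentation, not a live credential.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"Id": "500A000001", "Subject": "Login issue",
     "Description": "Customer cannot log in, password reset link sent."},
    {"Id": "500A000002", "Subject": "S3 sync broken",
     "Description": "Temp creds so you can repro: "
                    "AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500A000003", "Subject": "Admin access",
     "Description": "Temp admin password: Summer2025! until we rotate it"},
    {"Id": "500A000004", "Subject": "Snowflake connector",
     "Description": 'Header to use: Authorization: Snowflake Token="ver:1-hint:5555-ETMsDgAAAZ"'},
]

# Free-text fields where users tend to paste credentials (assumed field names).
TEXT_FIELDS = ("Subject", "Description")

# AWS access key IDs have a fixed, recognisable shape.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A bare 40-character base64 run is far too noisy on its own, so it is only
# reported when an access key ID sits in the same field (see scan_text).
AWS_SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# "password: value" / "pwd=value", but not prose such as "password reset sent".
PASSWORD_ASSIGNMENT = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")
# Snowflake's session token header as it appears when pasted into a ticket.
SNOWFLAKE_TOKEN = re.compile(r'Snowflake\s+Token="?([^"\s]+)')


def redact(secret: str) -> str:
    """Keep a 4-character prefix for correlation and mask the rest."""
    return secret[:4] + "*" * max(len(secret) - 4, 4)


def scan_text(text: str) -> List[Dict[str, str]]:
    """Return every secret-like hit in one text value, never the raw secret."""
    hits: List[Dict[str, str]] = []
    key_ids = AWS_ACCESS_KEY_ID.findall(text)
    for key_id in key_ids:
        hits.append({"kind": "aws_access_key_id", "preview": redact(key_id)})
    if key_ids:  # only look for the secret half when the ID half is present
        for secret in AWS_SECRET_KEY.findall(text):
            hits.append({"kind": "aws_secret_access_key", "preview": redact(secret)})
    for m in PASSWORD_ASSIGNMENT.finditer(text):
        hits.append({"kind": "password_in_text", "preview": redact(m.group(1))})
    for m in SNOWFLAKE_TOKEN.finditer(text):
        hits.append({"kind": "snowflake_token", "preview": redact(m.group(1))})
    return hits


def scan_records(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan the text fields of each record; findings carry record ID and field."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        for field in TEXT_FIELDS:
            for hit in scan_text(rec.get(field, "")):
                findings.append({"record": rec["Id"], "field": field, **hit})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['record']} {f['field']:<11} {f['kind']:<22} {f['preview']}")
```

Run against a real export (Case, CaseComment, Task notes, attachments) the findings become a rotation list: every credential found in CRM text should be treated as already exposed, since a token theft like Drift's hands the attacker the same text. The paired-key rule for AWS secrets is the kind of precision tweak that keeps such a scan usable; without it, base64-looking IDs and hashes drown the real hits.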

Ultimately, the breach was uncovered and emergency measures were taken. On August 20, Salesloft, working with Salesforce, revoked all active access and refresh tokens for the Drift app and pulled the integration from the Salesforce AppExchange marketplace; on August 28, Salesforce went further and temporarily disabled all integrations between Salesforce and Salesloft products. Salesloft engaged Mandiant to investigate and to assist affected customers.

Five Important Implications And Security Lessons

As seen above, the two breaches played out differently, but the end result was the same: attackers walked away with valuable data by exploiting trust in platforms and integrations. Because of this, there are several clear takeaways for security leaders:

  1. Third-Party Platforms As Targets
    Business SaaS platforms (like Salesforce) and their connected apps have become prime targets. Attackers realize they can hit one soft spot to breach many. A single integration’s compromise can impact hundreds of companies in one stroke. Organizations need to start recognizing that SaaS vendors and plugins are part of their attack surface and apply the same scrutiny to them as to in-house systems. In effect, your security is only as strong as that of your weakest partner or integration.
  2. Social Engineering Over Malware
    Neither attack relied on malware or a zero-day exploit. The Google and Workday breaches were enabled through social engineering, exploiting human trust to gain credentials or app access, while the Salesloft-Drift hack abused stolen tokens from a trusted service. This reflects a broader trend: threat actors prefer abusing identity and trust (OAuth tokens, login credentials, support impersonation) rather than hacking through technical defenses. Enterprises should consider investing in security awareness training so employees can spot phishing attempts and unusual app consent requests.
  3. Data Exfiltration Is The Goal
    In both cases the attackers’ goal was mass data exfiltration. CRM databases hold troves of sensitive customer and prospect data, which can be monetized or leveraged in further attacks. Stolen contact information might seem benign, but it can seriously enhance the credibility of future phishing or fraud attempts against those individuals and organizations. As seen in the Salesloft incident, attackers will mine exported data for passwords, API keys, and other keys to the kingdom to pivot elsewhere. This elevates the impact beyond just the initial data loss.
  4. Improve SaaS Security Posture
    Companies need to enforce multi-factor authentication (MFA) and identity verification for all SaaS users, not just administrators, while recognizing that a stolen OAuth token bypasses MFA entirely, so the connected apps that hold such tokens need controls of their own. Restrict who may authorize new connected apps (so a helpdesk caller cannot talk an employee into approving one), audit every existing integration and scope it to the minimum permissions it genuinely needs, regularly review and revoke unused OAuth tokens or apps, and rotate integration credentials on a schedule. Implement IP allowlisting and anomaly detection for data access: for example, flag if a service account suddenly exports a vast number of records at an odd hour or from an address the vendor does not publish.
  5. Monitor For Exfiltration
    Organizations should think about deploying tools and processes to catch abnormal data exfiltration. Traditional perimeter defenses may not catch large downloads through an approved channel. Solutions that focus on preventing unauthorized data outflows (for instance, monitoring SaaS APIs or using anti data exfiltration technology) can provide an extra line of defense by blocking or alerting on unusual data transfers in real-time. Proactive measures here can mean the difference between a contained incident and a headline-grabbing breach.
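Lessons 4 and 5 both come down to noticing when a trusted integration identity starts behaving like UNC6395. The script below is an added example (not from the article and not BlackFog or Salesforce tooling) that replays a constructed set of Salesforce-style Bulk API event records and scores each bulk export on five signals: an absolute row limit, a per-identity baseline built from earlier jobs, off-hours timing, a first-ever export of an object type, and a source address outside the vendor's allowlisted range. The event field names, the integration identity, the allowlisted range, the row counts and the thresholds are all assumptions; real Salesforce event log files use their own column names and would be mapped into this shape after export.

```python
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List

# Constructed sample events, loosely modelled on Salesforce API event log
# entries. Field names, identities, addresses and row counts are invented.
# The two 02:xx records on Aug 12 are the article's scenario: an integration
# identity suddenly bulk-exporting new objects, off hours, from a new address.
EVENTS: List[Dict] = [
    {"ts": "2025-08-04T14:02:11Z", "user": "drift-int@corp.example", "event": "BulkApiQuery",
     "object": "Contact", "rows": 1800, "ip": "203.0.113.10"},
    {"ts": "2025-08-05T15:10:42Z", "user": "drift-int@corp.example", "event": "BulkApiQuery",
     "object": "Contact", "rows": 2100, "ip": "203.0.113.10"},
    {"ts": "2025-08-06T13:55:03Z", "user": "drift-int@corp.example", "event": "BulkApiQuery",
     "object": "Contact", "rows": 1950, "ip": "203.0.113.11"},
    {"ts": "2025-08-07T16:20:19Z", "user": "drift-int@corp.example", "event": "BulkApiQuery",
     "object": "Lead", "rows": 900, "ip": "203.0.113.10"},
    {"ts": "2025-08-12T02:14:37Z", "user": "drift-int@corp.example", "event": "BulkApiQuery",
     "object": "Case", "rows": 1250000, "ip": "198.51.100.77"},
    {"ts": "2025-08-12T02:19:05Z", "user": "drift-int@corp.example", "event": "BulkApiQuery",
     "object": "Account", "rows": 340000, "ip": "198.51.100.77"},
    {"ts": "2025-08-12T10:05:00Z", "user": "alice@corp.example", "event": "ApiQuery",
     "object": "Opportunity", "rows": 120, "ip": "192.0.2.44"},
]

# Assumed policy. ALLOWLIST holds the egress ranges the vendor publishes for
# its integration, keyed by the identity that integration authenticates as.
ALLOWLIST = {"drift-int@corp.example": [ip_network("203.0.113.0/24")]}
BULK_EVENTS = {"BulkApiQuery"}
OFF_HOURS = range(0, 6)           # 00:00-05:59 UTC; tune to the org's working day
ABSOLUTE_ROW_LIMIT = 100_000      # any single export above this is always flagged
BASELINE_MULTIPLIER = 10          # ... or more than 10x the identity's median export
WEIGHTS = {"volume": 2, "baseline": 2, "off_hours": 1, "new_object": 1, "source_ip": 2}
ALERT_THRESHOLD = 2               # one strong signal, or two weak ones, raises an alert


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events: List[Dict]) -> List[Dict]:
    """Replay events in time order, building each identity's baseline as it goes.

    Returns one alert per bulk export whose weighted signals reach the threshold.
    Flagged jobs are kept out of the baseline so an attacker cannot raise it
    by running a few large exports first.
    """
    history = defaultdict(list)      # user -> row counts of earlier, unflagged bulk jobs
    seen_objects = defaultdict(set)  # user -> objects this identity exported before
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] not in BULK_EVENTS:
            continue                 # single-record API reads need a different baseline
        user, rows, obj = ev["user"], ev["rows"], ev["object"]
        when = parse_ts(ev["ts"])
        signals = []
        if rows > ABSOLUTE_ROW_LIMIT:
            signals.append(("volume", f"rows={rows} exceeds hard limit {ABSOLUTE_ROW_LIMIT}"))
        past = history[user]
        if past and rows > BASELINE_MULTIPLIER * median(past):
            signals.append(("baseline", f"rows={rows} is over {BASELINE_MULTIPLIER}x median {median(past):.0f}"))
        if when.hour in OFF_HOURS:
            signals.append(("off_hours", f"bulk export at {when:%H:%M} UTC"))
        if seen_objects[user] and obj not in seen_objects[user]:
            signals.append(("new_object", f"first export of {obj} by this identity"))
        allowed = ALLOWLIST.get(user)
        if allowed and not any(ip_address(ev["ip"]) in net for net in allowed):
            signals.append(("source_ip", f"source {ev['ip']} not in allowlist"))
        score = sum(WEIGHTS[name] for name, _ in signals)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev["ts"], "user": user, "object": obj, "score": score,
                           "reasons": [msg for _, msg in signals]})
        else:
            history[user].append(rows)
            seen_objects[user].add(obj)
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['ts']} {a['user']} {a['object']} score={a['score']}")
        for r in a["reasons"]:
            print("   -", r)
```

Two design points matter more than the particular thresholds. A lone weak signal (a new object type, one late-evening job) does not alert, which keeps the rule quiet on the legitimate Aug 7 Lead export, while an unknown source address or a tenfold jump in volume alerts on its own. And because an alert is the trigger for revoking the integration's tokens, the detector has to run against the event logs themselves rather than the job list, since, as the Drift case showed, the attacker can delete the jobs but not the logs.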

A Last Line Of Defense Against Data Theft

The Google/Workday and Salesloft breaches differed in how the attackers got in: one relied on social engineering, the other on stolen OAuth tokens. But they shared the same endgame, data exfiltration at scale. Whether it is records pulled from a CRM, credentials buried in support case notes, or customer lists exported via APIs, attackers make their money by getting data out.

This is why protection at the endpoint also remains valuable.

Even if attackers succeed in breaching SaaS platforms, they often pivot to devices to download, sync, or stage the data they have stolen. BlackFog ADX provides a last line of defense by blocking unauthorized data exfiltration attempts from device endpoints. By cutting off one of the most common paths attackers use to turn access into loss, organizations can reduce the impact of a breach.
