Examination Continues following Data Breach at Salesloft
Security researchers are continuing to investigate a recent data breach impacting Salesloft, an AI chatbot maker. The incident has spurred claims of responsibility from various online groups, complicating attribution efforts.
The breach, first reported on August 27th, involved the compromise of Salesloft Drift authentication tokens. Salesloft has engaged Mandiant, Google Cloud’s incident response division, to determine the root cause of the incident. Mandiant Consulting CTO Charles Carmakal stated, “We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” adding that further details would be released in the days following the initial announcement.
Several groups have claimed responsibility for the attack. A Telegram channel calling itself “Scattered LAPSUS$ Hunters 4.0,” launched on August 28th, has amassed nearly 40,000 subscribers and repeatedly asserted involvement in the Salesloft hack, but has yet to provide supporting evidence. This group is also attempting to garner media attention by issuing threats to security researchers at Google and other companies, and is promoting a new cybercrime forum called “Breachstars,” promising to host stolen data from companies that refuse to pay ransom demands.
However, Austin Larsen, a principal threat analyst at Google’s threat intelligence group, believes there is currently no concrete evidence linking the Salesloft activity to known groups like ShinyHunters. “Their understanding of the incident seems to come from public reporting alone,” Larsen told KrebsOnSecurity, referring to the active members of the Telegram channel.
The success of attacks like this is frequently facilitated by what Joshua Wright, a senior technical director at Counter Hack, terms “authorization sprawl.” Wright, who coined the phrase, explains that attackers exploit legitimate user access tokens to navigate between on-premises and cloud systems. He notes that this tactic often goes undetected because attackers operate within the existing permissions granted to the compromised user. “Instead of the conventional chain of initial access, privilege escalation and endpoint bypass, these threat actors are using centralized identity platforms that offer single sign-on (SSO) and integrated authentication and authorization schemes,” Wright wrote in a June 2025 article for TechTarget. “Rather than creating custom malware, attackers use the resources already available to them as authorized users.”
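To put Wright's point in a defender's terms, here is an added example (it is not from the article, nor from Counter Hack, Salesloft or Mandiant): because a stolen integration token is valid and stays within the permissions it was granted, detection cannot rely on authentication failures and instead has to key on behaviour, such as a token calling from a network it has never used, pulling far more records than usual, or bursting many calls in a minute. The log format, token name, networks, record counts and thresholds below are all constructed.

```python
# Added example: behavioural baselining for a third-party integration token.
# Everything here (log format, token name, networks, thresholds) is constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed baseline: the networks each token normally calls from and the
# largest record count a single call from it has ever fetched.
BASELINE = {
    "tok-drift-crm-sync": {"nets": ["203.0.113.0/24"], "max_rows": 500},
}

# Constructed audit-log lines: "HH:MM:SS token source_ip action rows_returned".
LOG = """\
09:00:01 tok-drift-crm-sync 203.0.113.10 query_contacts 120
09:05:30 tok-drift-crm-sync 203.0.113.10 query_contacts 90
14:02:11 tok-drift-crm-sync 198.51.100.7 query_contacts 5000
14:02:12 tok-drift-crm-sync 198.51.100.7 query_cases 5000
14:02:13 tok-drift-crm-sync 198.51.100.7 query_accounts 5000
14:02:14 tok-drift-crm-sync 198.51.100.7 query_users 5000
14:03:00 tok-never-issued 198.51.100.7 query_contacts 10
""".splitlines()

def parse_line(line):
    ts, token, src, action, rows = line.split()
    return {"ts": ts, "token": token, "src": src, "action": action, "rows": int(rows)}

def find_anomalies(lines, baseline=BASELINE, burst_threshold=3):
    """Return (reason, event) pairs for calls that deviate from the token's baseline.

    Every call is authenticated and authorized, so the signal is purely behavioural.
    """
    findings = []
    per_minute = Counter()  # (token, HH:MM) -> number of calls in that minute
    for line in lines:
        ev = parse_line(line)
        prof = baseline.get(ev["token"])
        if prof is None:  # token with no known owner or baseline
            findings.append(("unknown_token", ev))
            continue
        src = ip_address(ev["src"])
        if not any(src in ip_network(n) for n in prof["nets"]):
            findings.append(("new_source_network", ev))
        if ev["rows"] > prof["max_rows"]:  # far larger pull than ever seen
            findings.append(("bulk_export", ev))
        key = (ev["token"], ev["ts"][:5])
        per_minute[key] += 1
        if per_minute[key] > burst_threshold:  # rapid sweep across objects
            findings.append(("burst", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in find_anomalies(LOG):
        print(f"{ev['ts']} {ev['token']} {ev['src']} {ev['action']}: {reason}")
```

In practice the baseline would be learned from weeks of the token's own history rather than hard-coded, but the three checks are the same.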
The investigation into how the attackers obtained the Salesloft Drift authentication tokens is ongoing. The potential connection between this incident and the activities of groups like Scattered Spider and ShinyHunters remains under scrutiny, with analysts suggesting a possible overlap between these entities.