News Update: Timeline and Details on the Salesloft Drift Breach

Recent developments have emerged regarding the Salesloft Drift breach, which has impacted over 700 organizations across the globe. New victims have come forward, adding to the severity of the incident.

On August 20, Salesloft and Salesforce announced they had disconnected Drift, an AI-powered chatbot for sales and marketing, from the Salesforce CRM after identifying a security issue within the Drift platform. Shortly thereafter, on August 26, the companies disclosed that a cybercriminal had used compromised credentials linked to Drift to gain unauthorized access to Salesforce accounts from August 8 to 18. Further investigation revealed that access to Salesloft’s GitHub repositories had been gained months before this incident.

The breach highlights the urgent need for robust third-party and fourth-party risk management, as well as comprehensive supply chain security, particularly within Software as a Service (SaaS) environments. Organizations are reminded of the need for strong authentication, careful handling of access tokens, privileged access controls, and effective incident response frameworks to mitigate similar risks in the future.

Google’s Warning About Targeted Attacks on Salesforce Users

According to Google’s Threat Intelligence Group, threat actor UNC6395 has been targeting organizations using compromised OAuth tokens associated with Salesloft Drift. The attackers employed an automated Python tool to harvest sensitive credentials from Salesforce instances between August 8 and 18, specifically looking for items like AWS access keys and Snowflake tokens.
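A defender-side check that follows from the paragraph above, added here as an example and not code from the article or from any vendor it names: scanning exported Salesforce case text for the credential types the attackers were hunting, so that anything found can be rotated. The record field names and the Snowflake pattern are assumptions, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Patterns for the secret types the article says were harvested from Salesforce
# data. The AWS access key ID format is public; the "snowflake" rule is an
# assumption keyed on how such tokens usually appear pasted into tickets.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_token_hint": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|password)\s*[:=]\s*(\S+)"),
    "generic_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

# Assumed field names for an exported Case/CaseComment record.
TEXT_FIELDS = ("Subject", "Description", "CommentBody")


@dataclass
class Finding:
    case_id: str   # Salesforce case number the secret was found in
    kind: str      # which SECRET_PATTERNS rule matched
    redacted: str  # prefix only, so the report itself does not leak the value


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_case_records(records):
    """Return one Finding per secret-looking value in the exported records."""
    findings = []
    for rec in records:
        text = "\n".join(str(rec.get(f, "")) for f in TEXT_FIELDS)
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(rec["CaseNumber"], kind, redact(value)))
    return findings


# Constructed sample export; the AWS key is Amazon's documented example value.
SAMPLE_CASES = [
    {"CaseNumber": "00001234", "Subject": "S3 upload failing",
     "Description": "My key is AKIAIOSFODNN7EXAMPLE, can you check?", "CommentBody": ""},
    {"CaseNumber": "00001235", "Subject": "Snowflake connector",
     "Description": "", "CommentBody": "snowflake token=sfx_c0nstructed_t0ken"},
    {"CaseNumber": "00001236", "Subject": "Billing question",
     "Description": "Invoice missing for August", "CommentBody": ""},
]

if __name__ == "__main__":
    for f in scan_case_records(SAMPLE_CASES):
        print(f"case {f.case_id}: {f.kind} -> {f.redacted} (rotate this credential)")
```

Each finding names the case and the credential type, which is the list an incident response team needs in order to rotate what was exposed.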

In response to the breach, Salesloft and Salesforce revoked the affected tokens, and Salesforce removed Drift from its AppExchange marketplace. However, Google later cautioned that the breach could extend beyond Salesforce integrations, potentially compromising all authentication tokens associated with the Drift platform.

Palo Alto Networks and Zscaler Are Among the Victims

Palo Alto Networks has confirmed it was affected by the Salesloft Drift supply chain breach, with customer Salesforce data at risk, especially business contact information and sales account details. The company contained the breach by removing the application from its Salesforce environment and stated that its products and services remained unaffected.

Zscaler also reported a similar breach impacting business contact information, such as names, email addresses, and phone numbers, alongside product licensing information. The firm reassured stakeholders that its core services were not compromised.

Cloudflare and Proofpoint Affected by Breach

Cloudflare and Proofpoint announced they were victims of the Salesloft Drift attacks. Between August 9 and 17, attackers accessed Salesforce support cases containing customer contact details and communications, exposing 104 API tokens that were subsequently rotated. Despite being one victim of a much larger attack, Cloudflare publicly acknowledged its responsibility, stating in a blog post, “We are responsible for the tools we use.”

Both companies have disabled the Drift integration and confirmed there was no impact on the customer data they protect or on their core services.

Evolving Scope of the Supply Chain Attack

The ramifications of the Salesloft Drift attacks continue to unfold, with more cybersecurity companies reporting their involvement. Notably, Tenable has been added to the list of affected vendors.

Okta reported that it prevented any compromise through IP restrictions and its security frameworks. Security experts caution that stolen OAuth tokens pose a significant threat, because they grant attackers access to systems without triggering conventional security alerts.

Source of the Compromise Uncovered

Mandiant’s investigation has revealed that the attack by threat actor UNC6395 commenced with a breach of Salesloft’s GitHub account as early as March 2025. Between March and June, attackers downloaded repository data and performed reconnaissance prior to infiltrating Drift’s AWS environment, where they extracted OAuth tokens related to various technology integrations beyond Salesforce.

Additional companies affected by the Salesloft Drift breach include Qualys, Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd.

Salesforce Policy Update

Following Mandiant’s investigation, Salesforce has re-established integration with the Salesloft platform; however, the Drift component will remain disabled until further notice. The ongoing evaluations aim to ensure comprehensive security before any changes are made.

Editor’s note: While AI tools were utilized to assist in generating this news brief, all content undergoes a thorough review by expert editors prior to publication.

Sharon Shea is the executive editor for Informa TechTarget’s SearchSecurity site.
