Additional information has surfaced and new victims have come forward in the Salesloft Drift breach, which has affected more than 700 organizations globally.
Salesloft and Salesforce announced on August 20 that they had revoked connections between Drift, an AI chatbot for sales and marketing teams, and the Salesforce CRM after detecting a security issue in the Drift application. On August 26, the companies announced that a threat actor used compromised credentials linked to the chatbot to gain unauthorized access to Salesforce instances between August 8 and 18, though new information has revealed the threat actor gained access to Salesloft's GitHub repositories months prior.
Read a timeline of the attack and its fallout below.
The breach highlights the importance of third-party risk management, fourth-party risk management and supply chain security, especially in SaaS environments, as well as strong authentication, including token security, privileged access controls and strong incident response procedures.
Google warns of credential theft campaign targeting Salesforce customers
Google's Threat Intelligence Group reported that threat actor UNC6395 was targeting organizations using compromised OAuth tokens associated with Salesloft Drift.
Attackers used a Python tool to automate data theft from Salesforce instances between August 8 and 18, searching for sensitive credentials, including AWS access keys and Snowflake tokens.
Salesloft and Salesforce revoked the compromised tokens, and Salesforce removed Drift from its AppExchange marketplace. Google later warned that the compromise extended beyond Salesforce integrations, potentially affecting all authentication tokens associated with the Drift platform, including "Drift Email" integration tokens.
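As an added illustration (not from the article, nor Google's or Mandiant's tooling) of the defender-side counterpart to the credential search described above: a scan of exported Salesforce support-case text for the credential formats the attackers hunted, so that anything exposed in the window can be inventoried and rotated. The AWS access-key-ID format is public; the Snowflake and secret-key patterns are assumptions made for this example, and the case records are constructed.

```python
import re

# Constructed sample of exported support-case text (not real customer data).
# Case 1 uses AWS's documented placeholder credentials.
SAMPLE_CASES = [
    {"case_id": "CASE-0001",
     "body": "Customer pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
             "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"case_id": "CASE-0002", "body": "Thanks for the quick fix, no credentials here."},
    {"case_id": "CASE-0003",
     "body": "Snowflake connect string: snowflake://analyst:hunter2@xy12345.us-east-1"},
]

# The AWS key-ID prefix/length is a documented format. The other two patterns are
# assumptions chosen for this example, not vendor specifications.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "snowflake_credential": re.compile(r"snowflake://[^:\s]+:[^@\s]+@[\w.-]+"),
}


def mask(value: str) -> str:
    """Keep only a short prefix so the findings report does not itself leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_records(records):
    """Return one finding per credential-shaped match, with the value masked."""
    findings = []
    for rec in records:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(rec["body"]):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"case_id": rec["case_id"], "type": kind, "masked": mask(value)})
    return findings


def rotation_summary(findings):
    """Count findings per credential type: the rotation to-do list after an exposure."""
    summary = {}
    for f in findings:
        summary[f["type"]] = summary.get(f["type"], 0) + 1
    return summary


if __name__ == "__main__":
    for f in scan_records(SAMPLE_CASES):
        print(f)
    print(rotation_summary(scan_records(SAMPLE_CASES)))
```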
Read the full story published Aug. 26 by David Jones on Cybersecurity Dive.
Palo Alto Networks and Zscaler affected by attacks
Palo Alto Networks confirmed it was impacted by the Salesloft Drift supply chain incident that compromised customer Salesforce data, primarily affecting business contact information and sales account data. The company contained the breach by disabling the application in its Salesforce environment and confirmed there was no impact on its products or services.
Zscaler reported a similar breach affecting business contact data, including names, business email addresses, phone numbers and Zscaler product licensing information. It also confirmed the breach did not affect its products or services.
Read the full story published Sept. 2 by David Jones on Cybersecurity Dive.
Cloudflare and Proofpoint join list of victims
Cloudflare and Proofpoint disclosed they were victims of the August 2025 Salesloft Drift attacks.
Between August 9 and 17, attackers accessed Cloudflare's Salesforce support cases containing customer contact information and correspondence, compromising 104 API tokens, which were subsequently rotated. Cloudflare took responsibility despite being part of a larger attack, writing in a company blog post, "We are responsible for the tools we use."
Both companies disabled the Drift integration and confirmed there was no impact to their core services, infrastructure or customer-protected data.
Read the full story published Sept. 3 by David Jones on Cybersecurity Dive.
Severity of supply chain attack unclear
The Salesloft Drift attacks continue to expand as numerous cybersecurity companies report compromises, with Tenable joining the list of affected vendors.
Okta reported that it successfully prevented compromise through IP restrictions and security frameworks, including IPSIE.
Security experts have warned that stolen OAuth tokens are particularly dangerous because they enable attackers to access systems without triggering typical security alerts.
Read the full story published Sept. 4 by Alexander Culafi on Dark Reading.
GitHub compromise revealed as source
Mandiant's investigation revealed that threat actor UNC6395's attack on hundreds of Salesforce instances began with a compromise of Salesloft's GitHub account as early as March 2025.
Between March and June, attackers downloaded repository data and conducted reconnaissance before accessing Drift's AWS environment. There, they stole OAuth tokens for various technology integrations beyond just Salesforce.
Additional Salesloft Drift breach victims include Qualys, Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks and BugCrowd.
Read the full story published Sept. 8 by Rob Wright on Dark Reading.
Salesforce restores Salesloft integration, keeps Drift disabled
Salesforce has restored integration with the Salesloft platform following Mandiant's investigation into the attack, but the Drift component remains disabled until further notice.
Read the full story published Sept. 8 by David Jones on Cybersecurity Dive.
Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.
Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.