New information has surfaced and new victims have come forward in the Salesloft Drift breach, which has affected more than 700 organizations worldwide.
Salesloft and Salesforce announced on August 20 that they had revoked connections between Drift, an AI chatbot for sales and marketing teams, and the Salesforce CRM after detecting a security issue in the Drift application. On August 26, the companies announced that a threat actor had used compromised credentials linked to the chatbot to gain unauthorized access to Salesforce instances between August 8 and 18, though new information has since revealed that the threat actor gained access to Salesloft's GitHub repositories months earlier.
Read a timeline of the attack and its fallout below.
The breach highlights the importance of third-party risk management, fourth-party risk management and supply chain security, particularly in SaaS environments, as well as strong authentication, including token security, privileged access controls and robust incident response procedures.
Google warns of credential theft campaign targeting Salesforce users
Google's Threat Intelligence Group reported that threat actor UNC6395 was targeting organizations using compromised OAuth tokens associated with Salesloft Drift.
Attackers used a Python tool to automate data theft from Salesforce instances between August 8 and 18, searching the exported records for sensitive credentials, including AWS access keys and Snowflake tokens.
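Because the attackers were mining Salesforce records for secrets, affected organizations need their own pass over the same data to know which credentials to rotate. The script below is an added example, not code from the original article or from Google, Salesloft or Salesforce. It scans a constructed export of Case records for the credential types named above and returns redacted findings plus a per-type rotation count. The record layout, field names and sample records are constructed; the AWS key-ID pattern follows AWS's documented AKIA/ASIA prefix, while the secret-key, Snowflake and password rules are heuristics (assumptions) that will need tuning on real data.

```python
"""Hunt exported Salesforce records for the credential types the attackers were after.

Added example; the record layout and sample records below are constructed,
and every regex except the AWS access-key-ID prefix is a heuristic (assumption).
"""
import re
from dataclasses import dataclass

PATTERNS = {
    # Documented AWS access key ID shape: AKIA/ASIA prefix + 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # Heuristic: a 40-character secret following an aws_secret-style label.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # Heuristic: a token/password assignment on the same line as 'snowflake'.
    "snowflake_credential": re.compile(
        r"(?i)snowflake[^\n]{0,80}?(?:token|password|pwd)\W{0,5}([A-Za-z0-9._\-+/=]{12,})"),
    # Heuristic catch-all for pasted passwords.
    "generic_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})"),
}

# Assumed: the free-text fields of a Case export worth scanning.
TEXT_FIELDS = ("Subject", "Description")

# Constructed sample export (AWS doc example key values, not live credentials).
SAMPLE_RECORDS = [
    {"Id": "500xx0000000001", "Subject": "Ingest job failing",
     "Description": "Customer pasted config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500xx0000000002", "Subject": "Snowflake connector",
     "Description": "snowflake account xy12345.us-east-1, user=svc_etl password=Wint3r-Sn0w-2025!"},
    {"Id": "500xx0000000003", "Subject": "Billing question",
     "Description": "Invoice 4411 was paid twice, please refund."},
]


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    preview: str  # redacted so the report itself does not leak the secret


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(record_id: str, field: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    claimed: list[tuple[int, int]] = []  # spans already attributed to a more specific rule
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            grp = 1 if pattern.groups else 0
            start, end = m.span(grp)
            if any(s < end and start < e for s, e in claimed):
                continue  # e.g. generic_password re-matching a Snowflake password
            claimed.append((start, end))
            findings.append(Finding(record_id, field, kind, redact(m.group(grp))))
    return findings


def scan_records(records) -> list[Finding]:
    out: list[Finding] = []
    for rec in records:
        for field in TEXT_FIELDS:
            out.extend(scan_text(rec["Id"], field, rec.get(field) or ""))
    return out


def rotation_plan(findings) -> dict[str, int]:
    """Count findings per credential type: the list of what to rotate first."""
    plan: dict[str, int] = {}
    for f in findings:
        plan[f.kind] = plan.get(f.kind, 0) + 1
    return plan


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.record_id} {f.field:12} {f.kind:22} {f.preview}")
    print("rotate:", rotation_plan(found))
```

Run against a real export, the rotation plan, not the raw matches, is what goes to the incident channel: the previews are deliberately redacted so the scan report cannot become a second leak.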
Salesloft and Salesforce revoked the compromised tokens, and Salesforce removed Drift from its AppExchange marketplace. Google later warned that the compromise extended beyond Salesforce integrations, potentially affecting all authentication tokens linked to the Drift platform, including "Drift Email" integration tokens.
Read the full story published Aug. 26 by David Jones on Cybersecurity Dive.
Palo Alto Networks and Zscaler affected by attacks
Palo Alto Networks confirmed it was impacted by the Salesloft Drift supply chain incident that compromised customer Salesforce data, primarily affecting business contact information and sales account data. The company contained the breach by disabling the application in its Salesforce environment and confirmed there was no impact on its products or services.
Zscaler reported a similar breach affecting business contact data, including names, business email addresses, phone numbers and Zscaler product licensing information. It also confirmed the breach did not affect its products or services.
Read the full story published Sept. 2 by David Jones on Cybersecurity Dive.
Cloudflare and Proofpoint join list of victims
Cloudflare and Proofpoint disclosed they were victims of the August 2025 Salesloft Drift attacks.
Between August 9 and 17, attackers accessed Cloudflare's Salesforce support cases containing customer contact information and correspondence, exposing 104 API tokens, which were subsequently rotated. Cloudflare took responsibility despite being part of a larger attack, writing in a company blog post, "We are responsible for the tools we use."
Both companies disabled the Drift integration and confirmed there was no impact to their core services, infrastructure or customer-protected data.
Read the full story published Sept. 3 by David Jones on Cybersecurity Dive.
Severity of supply chain attack unclear
The Salesloft Drift attacks continue to grow as numerous cybersecurity companies report compromises, with Tenable joining the list of affected vendors.
Okta reported that it successfully prevented compromise through IP restrictions and security frameworks, including IPSIE (the Interoperability Profile for Secure Identity in the Enterprise).
Security experts have warned that stolen OAuth tokens are particularly dangerous because a valid token is presented without a fresh login: the attacker's requests look like the integration's normal API traffic, are not re-challenged by MFA, and so do not trigger the login-based alerts most organizations rely on.
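Since a stolen token produces no login event, detection has to come from the API activity itself: which connected app is calling, from which IP, with what client, and how much data it pulls. The script below is an added example, not code from the original article, Salesforce or Okta. It runs a per-integration baseline (IP allowlist in the spirit of Okta's restriction, expected user-agent prefix, hourly row budget) over a constructed, EventLogFile-style API event log and returns the anomalies. The column names, baselines, IP addresses and user-agent strings are all assumptions made for the example.

```python
"""Flag connected-app API activity that a valid-but-stolen OAuth token would produce.

Added example. The CSV below imitates a Salesforce API event log but is
constructed for this example; column names, baselines, IPs and user agents
are assumptions, not Salesloft's or Salesforce's real values.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Per-integration baseline (assumed): vendor egress IPs, the user-agent prefix
# the vendor's own client sends, and a per-hour row budget for that app.
BASELINES = {
    "Drift": {
        "allowed_ips": {"203.0.113.10", "203.0.113.11"},
        "ua_prefix": "Drift-Integration/",
        "max_rows_per_hour": 5_000,
    },
}

# Constructed sample log. Every row is an authenticated, successful API call;
# a stolen token never shows up as a failed login, so the signal is in who,
# from where, with what client, and how much.
SAMPLE_EVENT_LOG = """\
TIMESTAMP,CLIENT_NAME,USER_AGENT,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
2025-08-09T01:00:00Z,Drift,Drift-Integration/3.2,203.0.113.10,Contact,120
2025-08-09T01:05:00Z,Drift,Drift-Integration/3.2,203.0.113.11,Lead,80
2025-08-10T03:12:00Z,Drift,python-requests/2.32.4,198.51.100.7,Case,40000
2025-08-10T03:20:00Z,Drift,python-requests/2.32.4,198.51.100.7,Account,25000
2025-08-10T09:00:00Z,Internal Reporting,ReportRunner/1.0,192.0.2.5,Opportunity,300
"""


@dataclass(frozen=True)
class Alert:
    kind: str
    client: str
    detail: str


def detect_anomalies(log_text: str, baselines=BASELINES) -> list[Alert]:
    alerts: list[Alert] = []
    rows_per_hour: dict[tuple[str, datetime], int] = defaultdict(int)
    seen_unbaselined: set[str] = set()

    for row in csv.DictReader(io.StringIO(log_text)):
        client = row["CLIENT_NAME"]
        base = baselines.get(client)
        if base is None:
            # An app nobody has baselined is itself a finding: its traffic
            # cannot be judged, so it gets reported once and skipped.
            if client not in seen_unbaselined:
                seen_unbaselined.add(client)
                alerts.append(Alert("unbaselined_client", client, row["USER_AGENT"]))
            continue
        if row["CLIENT_IP"] not in base["allowed_ips"]:
            alerts.append(Alert("ip_outside_allowlist", client, row["CLIENT_IP"]))
        if not row["USER_AGENT"].startswith(base["ua_prefix"]):
            alerts.append(Alert("unexpected_user_agent", client, row["USER_AGENT"]))
        ts = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        hour = ts.replace(minute=0, second=0)
        rows_per_hour[(client, hour)] += int(row["ROWS_PROCESSED"])

    # Volume check after the pass: a token used for bulk export stands out by
    # rows pulled per hour even when IP and client look plausible.
    for (client, hour), rows in rows_per_hour.items():
        limit = baselines[client]["max_rows_per_hour"]
        if rows > limit:
            alerts.append(Alert("bulk_volume", client,
                                f"{rows} rows in hour starting {hour.isoformat()} (limit {limit})"))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EVENT_LOG):
        print(f"{a.kind:22} {a.client:20} {a.detail}")
```

The IP allowlist is the one control in this list that stops the access rather than just reporting it, which is why Okta's restriction worked; the other two checks are the retrospective signal to look for once a vendor announces a token compromise.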
Read the full story published Sept. 4 by Alexander Culafi on Dark Reading.
GitHub compromise revealed as source
Mandiant's investigation revealed that threat actor UNC6395's attack on hundreds of Salesforce instances began with a compromise of Salesloft's GitHub account as early as March 2025.
Between March and June, the attackers downloaded repository contents and conducted reconnaissance before accessing Drift's AWS environment. There, they stole OAuth tokens for various technology integrations beyond just Salesforce.
Additional Salesloft Drift breach victims include Qualys, Rubrik, SpyCloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks and Bugcrowd.
Read the full story published Sept. 8 by Rob Wright on Dark Reading.
Salesforce restores Salesloft integration, keeps Drift disabled
Salesforce has restored its integration with the Salesloft platform following Mandiant's investigation into the attack, but the Drift component remains disabled until further notice.
Read the full story published Sept. 8 by David Jones on Cybersecurity Dive.
Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.
Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.