Salesloft Drift Breach: Everything You Need to Know
[Update] September 8, 2025: “Salesloft’s Official Update: GitHub Breach Led to Drift Token Theft”
In August 2025, Salesloft’s Drift chatbot service became the conduit for one of the largest SaaS supply-chain breaches to date. Drift, acquired by Salesloft in 2024, integrates with customer systems such as Salesforce, Slack, and Google Workspace via OAuth tokens. Threat actors exploited this integration to steal authentication tokens and gain access to customer environments.
More than 700 organizations were affected, including high-profile technology and security vendors such as Cloudflare, Zscaler, Palo Alto Networks, and PagerDuty. Investigators describe the incident as a “widespread supply-chain attack spree” targeting one of the most widely used SaaS integrations.

Logo of the Drift chatbot service. Salesloft’s Drift chat integration was at the center of a major supply-chain breach in August 2025, affecting hundreds of organizations.
1. What is the Salesloft Drift Supply Chain Security Incident?
The campaign began in early August 2025, when the threat actor UNC6395 (“GRUB1”) gained unauthorized access to tokens issued by the Drift chatbot. These OAuth tokens allowed Drift to connect with customer systems on their behalf, most notably Salesforce. By stealing them, the attackers effectively inherited the same trusted access, bypassing traditional defenses.

Diagram showing UNC6395 hijacking Salesloft Drift OAuth tokens (Source: The Hacker News)
Using the tokens, the adversary systematically queried Salesforce environments between August 8 and 18. They performed reconnaissance by counting records, mapped object structures, and then executed bulk exports of sensitive data. The information exfiltrated included customer contacts, support case content, account records, and potentially embedded secrets such as API keys or cloud credentials. Cloudflare’s logs, for example, showed 104 internal tokens exposed through support case notes.
Initially, the breach was believed to be confined to Salesforce. On August 20, Salesloft revoked all active Drift tokens in coordination with Salesforce and removed the app from the Salesforce marketplace. However, on August 28, Google Threat Intelligence Group (GTIG) disclosed that the compromise was not limited to Salesforce. Tokens for other Drift integrations—including Google Workspace (“Drift Email”), Slack, and cloud storage—were also stolen. In one confirmed case, a Drift token was used on August 9 to access a small number of Gmail accounts integrated with Drift.
2. How Did the Attackers Get into the System?
The attackers, tracked as UNC6395 by Google’s Threat Intelligence Group (GTIG) and Mandiant, used compromised OAuth tokens from the Salesloft Drift application. These tokens allowed them to access Salesforce instances without exploiting any vulnerabilities in Salesforce’s platform itself. The attack relied on:
- OAuth Token Abuse: The hackers obtained valid OAuth credentials, likely through phishing or social engineering, to authenticate as legitimate users of the Drift integration.
- Python Automation: They used a Python tool with asynchronous libraries (like aiohttp) and Salesforce’s Bulk API to rapidly extract large volumes of data, such as Accounts, Contacts, Cases, and Opportunities.
- Anti-Forensics Techniques: The attackers deleted query jobs to cover their tracks, though logs remained intact for detection.
No Salesforce system vulnerabilities were exploited; the attack hinged on compromised third-party credentials and trusted integrations.
Salesloft’s Official Update: GitHub Breach Led to Drift Token Theft
On September 7, Salesloft confirmed through its investigation with Mandiant that, between March and June 2025, attackers gained access to the company’s GitHub account, downloaded repositories, and created a guest user. The threat actor later pivoted into Drift’s AWS environment, where they obtained OAuth tokens tied to customer integrations. These stolen tokens were then used to access customer Salesforce data.
In response, Salesloft took the Drift application offline, rotated credentials, and performed extensive threat hunting. Mandiant validated that the Salesloft and Drift environments were technically segmented, and that the breach had been contained. The investigation has now moved into a forensic assurance phase.
Salesloft also announced that its integration with Salesforce has been restored. Customer Success teams will work with affected organizations to reconcile data and re-enable sync functionality safely.
3. What are the technical reasons behind the Salesloft Drift Breach?
The Salesloft Drift Breach was not caused by a vulnerability in Salesforce itself but by weaknesses in how the Drift chatbot managed third-party integrations and credentials. Several technical issues converged to create the attack path:
- Compromised OAuth Tokens: The threat actor obtained valid Drift-issued OAuth tokens, likely through social engineering, phishing, or flaws in Drift’s OAuth integration flow. These tokens granted legitimate access to customer systems without triggering additional authentication.
- Lack of Robust Access Controls: Many organizations had granted the Drift app overly broad permissions in Salesforce and other services. This excessive access allowed the adversary to query entire datasets instead of being limited to specific functions.
- Supply Chain Vulnerability: The attack exploited inherent trust in the Drift application. Because Drift was an approved third-party integration, activity performed with its tokens appeared legitimate and bypassed normal security checks.
- Python Automation: The threat actor automated data theft using Python with asynchronous libraries such as aiohttp and Salesforce’s Bulk API, enabling rapid exfiltration of large datasets like Accounts, Contacts, Cases, and Opportunities.
- Anti-Forensics: After bulk exports, the adversary deleted query jobs to conceal activity. Although this removed immediate traces, Salesforce’s event logs still revealed what had been accessed.
- Delayed Detection: The compromise remained active between August 8 and August 18, 2025, before being noticed. The delay highlighted gaps in real-time monitoring of third-party integrations and insufficient anomaly detection.
In summary, the breach stemmed from weak credential management, over-permissive integrations, and lack of monitoring, rather than a direct exploit of Salesforce. It highlights how interconnected SaaS ecosystems can turn a trusted integration into a supply-chain vulnerability.
4. What type of information was exposed in the Salesloft Drift Breach?
The Salesloft Drift Breach primarily exposed data from customer Salesforce environments, though other connected integrations such as Google Workspace, Slack, and cloud storage platforms were also affected. The scope and sensitivity of the data varied across organizations, but common categories included:
- Customer Data: Names, email addresses, phone numbers, and contact notes. For many companies, this represented business contact information for small, medium, and enterprise customers.
- Credentials and Secrets: Sensitive credentials embedded within Salesforce support cases, including AWS keys, Snowflake tokens, passwords, and API keys. These secrets provided opportunities for deeper compromises beyond the initial incident.
- Business Records: Data from core Salesforce objects such as Accounts, Contacts, Cases, and Opportunities. This information revealed details about sales pipelines, customer interactions, support history, and potentially proprietary business strategies.
- Support Case Content: Descriptions, troubleshooting notes, and logs provided by customers. In some cases, these included sensitive configuration details or authentication information that should not have been stored in plain text.
The data exfiltrated in the Salesloft Drift Breach is highly valuable for follow-on attacks, including phishing campaigns, credential stuffing, and secondary supply chain compromises aimed at downstream partners and customers.
5. How Many Organizations Were Affected by the Salesloft Drift Breach?
Investigators estimate that the breach affected more than 700 organizations worldwide. These victims span multiple sectors, including cloud computing, cybersecurity, SaaS providers, and enterprise technology. The scope makes this one of the largest SaaS supply-chain breaches in recent years.
Several high-profile organizations have publicly confirmed exposure through their Salesforce or other Drift integrations:
- Zscaler – Reported that a significant portion of its customer records were taken, including names, business email addresses, job titles, phone numbers, region, and support case information.
- Cloudflare – Attackers accessed support case records and extracted customer contact details as well as API tokens that had been shared in case text. Cloudflare identified and rotated 104 internal tokens that were exposed.
- Palo Alto Networks – Confirmed exposure of Salesforce CRM data such as sales account records, customer contact information, and some sensitive support case content.
- PagerDuty – Notified customers that names, email addresses, and phone numbers stored in Salesforce could have been accessed.
- SpyCloud – Disclosed that data from its Salesforce instance was exposed, even though it was no longer an active Drift customer at the time of the attack.
- Google – A small number of Gmail accounts tied to the “Drift Email” integration were accessed on August 9. Google quickly revoked the affected tokens and disabled the integration.
- Tanium – Reported that attackers gained limited access to Salesforce data, including names, business emails, phone numbers, and location details. Tanium emphasized that no access occurred to its core platform or internal systems.
- Tenable – Confirmed exposure of limited Salesforce data, including support case subject lines, descriptions, and business contact details (names, emails, phone numbers, regional info). Tenable stated there is no evidence of misuse and clarified that its products and internal systems were unaffected.
- Proofpoint – Confirmed that an unauthorized actor accessed its Salesforce tenant via the compromised Drift integration. Proofpoint stated there is no evidence of impact to its products, services, protected customer data, or internal systems; it disconnected Drift and continues to investigate with Salesforce and Salesloft.
- Rubrik – Notified by Salesforce on August 22 of suspicious Drift activity suggesting unauthorized access to its Salesforce instance. Rubrik stated there is no evidence of impact to its products, secured customer data, or internal network; it disabled the Drift integration, engaged third-party experts, and continues to investigate possible exposure of Salesforce records.
- BeyondTrust – Confirmed limited access to its Salesforce data through Drift. Potentially exposed information included business contact details; no evidence of misuse and no impact to internal systems or products.
- Bugcrowd – Stated that an unauthorized actor accessed its Salesforce instance via Drift. The investigation is ongoing, with no evidence of impact to the Bugcrowd Platform, customer vulnerability data, payment details, or internal systems.
- JFrog – Reported that Salesforce support case data may have been exposed, including contact info and in some cases plain text secrets shared in case descriptions (but not files/attachments). No impact to JFrog Platform or products.
- CyberArk – Confirmed Salesforce CRM data was accessed, including business contact information and metadata. Clarified that no customer data such as credentials, API keys, or files was affected. Products and services remain unaffected.
- Esker – Reported that attackers accessed Salesforce records via stolen OAuth tokens, potentially including names, job titles, emails, phone numbers, and support ticket text. No evidence of misuse and no impact on other Esker systems.
- Black Duck – Concluded that queries were executed against its Salesforce instance and data was likely exfiltrated, including names, emails, job titles, phone numbers, regional details, service data, and support case content (but not files/attachments).
6. How to Determine if Your Company Was Affected
If your organization used the Salesloft Drift integration with Salesforce or other platforms, you should assume possible exposure. Here are the key steps to check:
- Review Notifications: Look for emails or advisories from Salesforce or Salesloft sent after August 20, 2025.
- Audit Logs: In Salesforce, review login history and Event Monitoring logs for unusual activity between August 8 and August 18, 2025. Pay attention to unexpected bulk data exports, strange IP addresses, or Drift-related app activity.
- Check Integrations: Review all Drift connections (Salesforce, Google Workspace, Slack, cloud storage) for any unauthorized access.
- Ask for Support: If unsure, contact Salesforce or Salesloft support for confirmation and remediation guidance.
Until proven otherwise, treat your data as potentially compromised and take action to secure systems and credentials.
7. Who is the threat actor behind this incident?
The Salesloft Drift Breach is attributed to a threat actor tracked as UNC6395 by Google’s Threat Intelligence Group (GTIG) and Mandiant. This cluster is distinct from ShinyHunters (UNC6040), which had been linked to separate Salesforce-related attacks in June 2025.
Profile of UNC6395
- Motivation: Believed to be financially motivated, with a focus on credential harvesting for resale or further exploitation.
- Tactics: Used compromised OAuth tokens to query Salesforce and other integrated systems, systematically extracting sensitive data.
- Operational Security: Attempted to evade detection by staying within API limits and deleting bulk query jobs after execution.
Contrasting Claims
After the incident became public, a Telegram channel calling itself “Scattered LAPSUS$ Hunters 4.0” claimed responsibility. Investigators found no credible evidence supporting this assertion, noting that the channel repeated only information already available through open sources. The reuse of this name is notable, as it matches earlier Telegram groups that were shut down after spreading unverified Salesforce-related breach claims.

Telegram channel “Scattered LAPSUS$ Hunters 4.0” falsely claims responsibility for the Salesloft Drift breach, echoing public reports without proof. (Source: KrebsonSecurity)
For now, the breach remains attributed to UNC6395, with no established links to LAPSUS$, ShinyHunters, or any other recognized threat group.
8. How Does the Salesloft Drift Breach Compare to Other Supply-Chain Attacks?
The Salesloft Drift breach is part of a growing pattern of supply-chain attacks, where adversaries exploit trusted third-party tools to infiltrate many organizations at once. Comparing it to other high-profile cases highlights both similarities and what makes Drift unique:
- SolarWinds (2020): Russian APT Cozy Bear compromised SolarWinds’ Orion updates, infiltrating U.S. government and Fortune 500 firms. Like Drift, attackers leveraged trusted software channels to gain widespread access.
- MOVEit Transfer (2023): The Cl0p ransomware group exploited a zero-day in MOVEit, stealing data from hundreds of organizations. Similar to Drift, a single third-party vendor became the weak link for many victims.
- Snowflake (2024): Hackers used stolen credentials to access Snowflake databases, affecting companies like Ticketmaster. The Drift attack also hinged on credential abuse (OAuth tokens) rather than platform vulnerabilities.
- Salesforce Phishing Campaign (2025): Linked to ShinyHunters (UNC6040), attackers used vishing and malicious apps to capture Salesforce OAuth tokens. They claimed 91 companies were affected, including Adidas, Qantas, and Workday. Like Drift, this incident underscored the risk of compromised SaaS integrations.
9. What steps should CISOs take to mitigate risks from this incident?
To protect your organization and prevent similar incidents:
- Rotate Credentials: Immediately rotate all credentials potentially exposed in Salesforce, including API keys, OAuth tokens, and passwords for AWS, Snowflake, and other platforms.
- Review Logs: Conduct a thorough review of Salesforce logs (login history, audit trails, Event Monitoring) for suspicious activity, especially from August 8, 2025, onward.
- Disable Drift Integration: If you use Drift with Salesforce, re-authenticate the integration after token revocation or consider alternative tools until security is verified.
- Enhance Monitoring: Implement real-time monitoring for third-party integrations and API activity to detect unauthorized access early.
- Strengthen Access Controls: Enforce multi-factor authentication (MFA) and least-privilege access for all SaaS integrations.
- Conduct Supplier Risk Assessments: Evaluate the security posture of third-party vendors like Salesloft to identify supply chain risks.
- Train Employees: Educate staff on recognizing phishing and social engineering attempts, as these were key to the attack.
- Engage Incident Response: Work with cybersecurity firms like Mandiant for forensic analysis and remediation if you suspect compromise.
10. Indicators of Compromise (IOCs) Related to Salesloft Drift Breach
Investigators linked the breach to specific User-Agent strings and IP addresses used during data exfiltration. These indicators can help organizations review logs for signs of Drift-related compromise.
Malicious User-Agent Strings
- Salesforce-Multi-Org-Fetcher/1.0
- Salesforce-CLI/1.0
- python-requests/2.32.4
- Python/3.11 aiohttp/3.12.15
Suspicious IP Addresses
- 208[.]68[.]36[.]90 (DigitalOcean)
- 44[.]215[.]108[.]109 (Amazon Web Services)
- 154[.]41[.]95[.]2 (TOR exit node)
- 176[.]65[.]149[.]100 (TOR exit node)
- 179[.]43[.]159[.]198 (TOR exit node)
- 185[.]130[.]47[.]58 (TOR exit node)
- 185[.]207[.]107[.]130 (TOR exit node)
- 185[.]220[.]101[.]133 (TOR exit node)
- 185[.]220[.]101[.]143 (TOR exit node)
- 185[.]220[.]101[.]164 (TOR exit node)
- 185[.]220[.]101[.]167 (TOR exit node)
- 185[.]220[.]101[.]169 (TOR exit node)
- 185[.]220[.]101[.]180 (TOR exit node)
- 185[.]220[.]101[.]185 (TOR exit node)
- 185[.]220[.]101[.]33 (TOR exit node)
- 192[.]42[.]116[.]179 (TOR exit node)
- 192[.]42[.]116[.]20 (TOR exit node)
- 194[.]15[.]36[.]117 (TOR exit node)
- 195[.]47[.]238[.]178 (TOR exit node)
- 195[.]47[.]238[.]83 (TOR exit node)
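The log-review step in section 6 and the indicator list above come together in practice as a sweep of Salesforce event logs against the published User-Agent strings and IP addresses, plus a flag on any bulk-export activity inside the August 8–18 window. The helper below is an added example written for this page; it is not code from the original article, from Salesloft, or from Salesforce. Its input is a constructed, simplified CSV loosely modelled on a Salesforce Event Monitoring export: the column names (TIMESTAMP, EVENT_TYPE, USER_ID, CLIENT_IP, USER_AGENT), the timestamp format, the bulk event-type names and the sample rows are all assumptions, so map them to the real field names of your export before use.

```python
"""Sweep Salesforce-style event log rows for the Drift-breach IOCs.

Added example, not code from the article, Salesloft or Salesforce. The CSV
layout, column names, timestamp format and BULK_EVENT_TYPES are assumptions
standing in for a real Event Monitoring export.
"""
import csv
import io
from datetime import datetime, timezone

# User-Agent strings published for the campaign (from the article's IOC list).
IOC_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}

# IP indicators kept in the defanged "[.]" form used in the article.
IOC_IPS_DEFANGED = """
208[.]68[.]36[.]90 44[.]215[.]108[.]109 154[.]41[.]95[.]2 176[.]65[.]149[.]100
179[.]43[.]159[.]198 185[.]130[.]47[.]58 185[.]207[.]107[.]130 185[.]220[.]101[.]133
185[.]220[.]101[.]143 185[.]220[.]101[.]164 185[.]220[.]101[.]167 185[.]220[.]101[.]169
185[.]220[.]101[.]180 185[.]220[.]101[.]185 185[.]220[.]101[.]33 192[.]42[.]116[.]179
192[.]42[.]116[.]20 194[.]15[.]36[.]117 195[.]47[.]238[.]178 195[.]47[.]238[.]83
""".split()


def refang(indicator: str) -> str:
    """Turn a defanged '1[.]2[.]3[.]4' indicator into a plain address for matching."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# Activity window the article gives for the Salesforce queries; UTC is assumed.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive, i.e. through Aug 18

# Event types treated as bulk export. Constructed names, not an official list.
BULK_EVENT_TYPES = {"BulkApi", "BulkApi2"}


def parse_ts(value: str) -> datetime:
    """Parse the (assumed) ISO-8601 'Z' timestamp used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sweep(log_csv: str) -> list:
    """Return one finding per suspicious row.

    A row is 'high' severity when its User-Agent or client IP matches a
    published IOC, regardless of date. A bulk export inside the known window
    with no IOC match is reported as 'review' so an analyst can confirm it was
    an expected job rather than Drift-token abuse.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        reasons = []
        if row["USER_AGENT"] in IOC_USER_AGENTS:
            reasons.append("ioc-user-agent")
        if row["CLIENT_IP"] in IOC_IPS:
            reasons.append("ioc-ip")
        ts = parse_ts(row["TIMESTAMP"])
        if WINDOW_START <= ts < WINDOW_END and row["EVENT_TYPE"] in BULK_EVENT_TYPES:
            reasons.append("bulk-export-in-window")
        if reasons:
            severity = "high" if any(r.startswith("ioc-") for r in reasons) else "review"
            findings.append({
                "timestamp": row["TIMESTAMP"],
                "user": row["USER_ID"],
                "client_ip": row["CLIENT_IP"],
                "reasons": reasons,
                "severity": severity,
            })
    return findings


def users_with_ioc_hits(findings: list) -> list:
    """Sorted user ids whose sessions matched a published IOC: rotate their credentials first."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


# Constructed sample log: user ids, IPs and timestamps are made up for the demo.
SAMPLE_LOG = """TIMESTAMP,EVENT_TYPE,USER_ID,CLIENT_IP,USER_AGENT
2025-08-07T09:12:00Z,API,005A0,203.0.113.10,Mozilla/5.0
2025-08-10T03:41:17Z,BulkApi,005B1,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0
2025-08-12T22:05:44Z,BulkApi,005B1,185.220.101.33,Python/3.11 aiohttp/3.12.15
2025-08-15T14:00:02Z,BulkApi,005C2,198.51.100.7,Mozilla/5.0
2025-08-25T10:30:00Z,API,005A0,44.215.108.109,python-requests/2.32.4
"""

if __name__ == "__main__":
    for finding in sweep(SAMPLE_LOG):
        print(finding["severity"], finding["timestamp"], finding["user"], ",".join(finding["reasons"]))
    print("rotate first:", users_with_ioc_hits(sweep(SAMPLE_LOG)))
```

Two design points worth noting. IOC matches are flagged on any date, because the article reports Drift-token activity (the Gmail access on August 9, Rubrik's notification on August 22) outside the narrow Salesforce query window, and stolen tokens could have been replayed later. Second, a bulk export that merely falls inside the window is only a review item: plenty of organizations run legitimate bulk jobs, so that signal needs to be correlated with the connected-app identity and the requesting user before it is treated as compromise.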