Security Resources and Information from TechTarget, September 29
Salesloft Drift security breach affects more than 700 organizations
The Salesloft Drift chatbot security breach continues to widen: threat actors used stolen credentials to access Salesforce instances, affecting more than 700 organizations. Salesloft and Salesforce have revoked the connection and removed the Drift application, but the compromise of a GitHub account exposed supply chain risk. Starting in March 2025, attackers broke into Salesloft's GitHub, stole OAuth tokens and accessed the AWS environment; those affected include Palo Alto Networks and Zscaler. Security experts warn that the risk from stolen OAuth tokens is extremely high and recommend strengthening third-party risk management and authentication measures.

🔒 GitHub account compromised: the threat actor broke into Salesloft's GitHub as early as March 2025, downloaded repository data and conducted reconnaissance, ultimately stealing OAuth tokens that set the stage for the attack on Salesforce instances.

📈 Supply chain attack expands: the Salesloft Drift breach affects more than 700 organizations, including Palo Alto Networks, Zscaler and Cloudflare, highlighting the importance of third-party risk management in SaaS environments.

⚠️ Credential theft risk: attackers used stolen OAuth tokens to access Salesforce environments and steal sensitive credentials such as AWS access keys and Snowflake tokens; security experts warn that such attacks are unlikely to trigger routine alerts.

🛡️ Security measures upgraded: Salesloft and Salesforce revoked the Drift connection and removed it from AppExchange; Salesforce restored the integration but keeps Drift disabled; Okta successfully prevented the attack through IP restrictions.

💡 Industry reflection: the incident exposed weaknesses in OAuth token management, pushing enterprises to take fourth-party risk management seriously, strengthen authentication and incident response mechanisms, and build a more robust cloud security ecosystem.

Additional information has surfaced and new victims have come forward in the Salesloft Drift breach, which has affected more than 700 organizations globally.

Salesloft and Salesforce announced on August 20 that they had revoked connections between Drift, an AI chatbot for sales and marketing teams, and the Salesforce CRM after detecting a security issue in the Drift application. On August 26, the companies announced that a threat actor used compromised credentials linked to the chatbot to gain unauthorized access to Salesforce instances between August 8 and 18, though new information has revealed the threat actor gained access to Salesloft's GitHub repositories months prior.

Read a timeline of the attack and its fallout below.

The breach highlights the importance of third-party risk management (https://www.techtarget.com/searchsecurity/tip/How-to-build-an-effective-third-party-risk-assessment-framework), fourth-party risk management (https://www.techtarget.com/searchsecurity/tip/Why-fourth-party-risk-management-is-a-must-have/) and supply chain security, especially in SaaS environments (https://www.techtarget.com/searchsecurity/tip/How-to-manage-third-party-risk-in-the-cloud), as well as strong authentication, including token security, privileged access controls (https://www.techtarget.com/searchsecurity/definition/privileged-access-management-PAM) and strong incident response procedures (https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan).

Google warns of credential theft campaign targeting Salesforce users

Google's Threat Intelligence Group reported that threat actor UNC6395 was targeting organizations using compromised OAuth tokens associated with Salesloft Drift.

Attackers used a Python tool to automate data theft from Salesforce instances between August 8 and 18, searching for sensitive credentials, including AWS access keys and Snowflake tokens.

Salesloft and Salesforce revoked the compromised tokens, and Salesforce removed Drift from its AppExchange marketplace. Google later warned that the compromise extended beyond Salesforce integrations, potentially affecting all authentication tokens connected to the Drift platform, including "Drift Email" integration tokens.

Read the full story published Aug. 26 by David Jones on Cybersecurity Dive: https://www.cybersecuritydive.com/news/hackers-steal-data-salesforce-instances/758676/

Palo Alto Networks and Zscaler affected by attacks

Palo Alto Networks confirmed it was impacted by the Salesloft Drift supply chain incident that compromised customer Salesforce data, primarily affecting business contact information and sales account data. The company contained the breach by disabling the application from its Salesforce environment and confirmed it had no impact on its products or services.

Zscaler reported a similar breach affecting business contact data, including names, business email addresses, phone numbers and Zscaler product licensing information. It also confirmed the breach did not affect its products or services.

Read the full story published Sept. 2 by David Jones on Cybersecurity Dive: https://www.cybersecuritydive.com/news/palo-alto-networks-zscaler-supply-chain-attacks/758990/

Cloudflare and Proofpoint join list of victims

Cloudflare and Proofpoint disclosed they were victims of the August 2025 Salesloft Drift attacks.

Between August 9 and 17, attackers accessed Cloudflare's Salesforce support cases containing customer contact information and correspondence, compromising 104 API tokens, which were subsequently rotated. Cloudflare took responsibility despite being part of a larger attack, writing in a company blog post, "We are responsible for the tools we use."

Both companies disabled Drift integration and confirmed there was no impact to their core services, infrastructure or customer-protected data.

Read the full story published Sept. 3 by David Jones on Cybersecurity Dive: https://www.cybersecuritydive.com/news/cloudflare-proofpoint-hackers-salesforce-instances/759126/

Severity of supply chain attack unclear

The Salesloft Drift attacks continue to expand as numerous cybersecurity companies report compromises, with Tenable joining the list of vendors.

Okta reported that it successfully prevented compromise through IP restrictions and security frameworks, including IPSIE (https://oauth.net/ipsie/).

Security experts have warned that stolen OAuth tokens are particularly dangerous because they enable attackers to access systems without triggering typical security alerts.

Read the full story published Sept. 4 by Alexander Culafi on Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/salesloft-drift-attacks-blast-radius-uncertain

GitHub compromise revealed as source

Mandiant's investigation revealed that threat actor UNC6395's attack on hundreds of Salesforce instances began with a compromise of Salesloft's GitHub account as early as March 2025.

Between March and June, attackers downloaded repository data and conducted reconnaissance before accessing Drift's AWS environment. There, they stole OAuth tokens for various technology integrations beyond just Salesforce.

Additional Salesloft Drift breach victims include Qualys, Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks and BugCrowd.

Read the full story published Sept. 8 by Rob Wright on Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/salesloft-breached-github-account-compromise

Salesforce restores Salesloft integration, keeps Drift disabled

Salesforce has restored integration with the Salesloft platform following Mandiant's investigation into the attack, but the Drift component remains disabled until further notice.

Read the full story published Sept. 8 by David Jones on Cybersecurity Dive: https://www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/

Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.
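The brief makes two defensive points: stolen OAuth tokens look like ordinary integration traffic and so rarely trip standard alerts, while Okta avoided compromise by restricting the IPs its integrations may call from. The following is an added example (not code from the brief, from Salesforce, or from any vendor named here) that turns both points into detection logic over connected-app API event records; the event fields, the per-app IP allow-list, the row threshold and the sample events are all constructed assumptions, not Salesforce's real log schema.

```python
"""Detect suspicious use of a connected app's OAuth token from API event records.

Two signals are checked for each event: (a) the call came from a source IP
outside the allow-list defined for that app, and (b) one app/IP pair pulled
an abnormally large number of rows, a proxy for bulk data theft.
"""
import ipaddress
from collections import Counter

# Constructed sample events (not real telemetry). Each record carries the
# connected app name, source IP, operation and rows returned.
SAMPLE_EVENTS = [
    {"app": "Drift", "ip": "203.0.113.10", "op": "Query", "rows": 50},
    {"app": "Drift", "ip": "203.0.113.10", "op": "Query", "rows": 120},
    {"app": "Drift", "ip": "198.51.100.7", "op": "Query", "rows": 20000},
    {"app": "Drift", "ip": "198.51.100.7", "op": "Query", "rows": 18000},
    {"app": "Drift", "ip": "198.51.100.7", "op": "Query", "rows": 25000},
    {"app": "InternalETL", "ip": "203.0.113.44", "op": "Query", "rows": 30000},
]

# Hypothetical per-app allow-lists: the ranges each integration is expected
# to call from. An app with no entry is treated as having no allowed IPs.
APP_ALLOWED_CIDRS = {
    "Drift": ["203.0.113.0/24"],
    "InternalETL": ["203.0.113.0/24"],
}


def ip_allowed(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def detect_token_misuse(events, allowed=APP_ALLOWED_CIDRS, bulk_rows=50000):
    """Return sorted, de-duplicated (signal, app, ip) alerts for the events."""
    alerts = set()
    rows_by_app_ip = Counter()
    for e in events:
        if not ip_allowed(e["ip"], allowed.get(e["app"], [])):
            alerts.add(("unexpected_source_ip", e["app"], e["ip"]))
        rows_by_app_ip[(e["app"], e["ip"])] += e["rows"]
    # Volume check: total rows per app/IP pair above the threshold.
    for (app, ip), total in rows_by_app_ip.items():
        if total > bulk_rows:
            alerts.add(("bulk_export", app, ip))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_token_misuse(SAMPLE_EVENTS):
        print(alert)
```

Running it on the sample events flags the Drift token being used from 198.51.100.7, which is both outside the allow-list and responsible for 63,000 rows in total, while the in-range InternalETL export stays under the threshold.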
