In a significant cybersecurity incident, over 700 organizations, including prominent cybersecurity firms, have been affected by a sophisticated supply-chain attack. This breach has been traced back to a compromise of Salesloft’s GitHub account, which began as early as March 2025. The attackers exploited this initial access to steal OAuth authentication tokens from Salesloft’s Drift chat platform, leading to extensive data theft from customer systems.
Initial Breach and Attack Progression
The investigation, initiated on August 28, 2025, revealed that threat actors had unauthorized access to Salesloft’s GitHub account from March through June 2025. During this period, the attackers downloaded content from private repositories, added a guest user, and established workflows while conducting reconnaissance on both the Salesloft and Drift application environments. Although the core Salesloft platform remained uncompromised, the attackers pivoted to Drift’s AWS environment, where they successfully obtained OAuth tokens for customer technology integrations.
Exploitation of OAuth Tokens
Identified by Google’s Threat Intelligence Group as UNC6395, the threat actors utilized the stolen OAuth tokens between August 8 and August 18, 2025, to access and exfiltrate data from customers’ integrated applications, most notably Salesforce instances. The exfiltrated data primarily included business contact information such as names, email addresses, and job titles, as well as content from support cases. High-profile companies affected by this breach include Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, and SpyCloud.
Impact on Major Organizations
– Cloudflare: While Cloudflare’s core infrastructure remained secure, the breach involved access to customer contact details and basic support case data. Some support tickets may have included sensitive customer information such as logs, tokens, and passwords. Upon investigation, Cloudflare discovered 104 exposed API tokens, which were not misused but were rotated as a precaution. The company has alerted affected customers and recommended rotating any credentials shared through its support system, emphasizing the risk of potential exploitation by attackers. ([techradar.com](https://www.techradar.com/pro/security/even-cloudflare-isnt-safe-from-salesloft-drift-data-breaches?utm_source=openai))
– Zscaler: Zscaler confirmed a data breach resulting from the compromise of Salesloft’s AI-driven chat platform, Drift. The attack exploited Drift’s integration with Salesforce, allowing attackers to steal OAuth and refresh tokens and access sensitive customer information belonging to Zscaler. Although Zscaler’s own systems and infrastructure were not directly affected, the compromised data included names, business email addresses, job titles, phone numbers, regional data, product licensing, commercial details, and certain support case content. Zscaler responded by revoking all Drift integrations, rotating API tokens, and launching a detailed investigation. The company emphasizes that there is no current evidence of the data being misused but advises users to be cautious of phishing and social engineering threats. ([techradar.com](https://www.techradar.com/pro/security/zscaler-says-it-suffered-data-breach-following-salesloft-drift-compromise?utm_source=openai))
– Palo Alto Networks: The company confirmed the compromise of business contacts, internal sales records, and support case data, although its core systems and services remained unaffected. Palo Alto Networks has since disabled the affected app and is notifying impacted customers. ([techradar.com](https://www.techradar.com/pro/security/palo-alto-networks-becomes-the-latest-to-confirm-it-was-hit-by-salesloft-drift-attack?utm_source=openai))
Response and Mitigation Efforts
In response to the attack, Salesloft engaged cybersecurity firm Mandiant and took decisive action to contain the threat. The company took the Drift platform completely offline, isolated its infrastructure, and rotated all impacted credentials. Mandiant has since verified that the incident is contained and that the technical segmentation between the Salesloft and Drift environments prevented the attackers from moving laterally. The focus of the investigation has now shifted to a forensic quality assurance review.
Salesloft has issued guidance to its partners, recommending that all third-party applications integrated with Drift via API key proactively revoke the existing key. The company also published a list of Indicators of Compromise (IOCs), including malicious IP addresses and user-agent strings, to help customers search their own logs for suspicious activity.
Indicators of Compromise (IOCs):
– Malicious IP Addresses: Any successfully authenticated Drift connections from IPs not on Drift’s official whitelist should be considered suspicious. The following IPs are confirmed as malicious:
– Malicious User-Agent Strings: The following user-agent strings have been associated with the threat actor’s activity:
– `python-requests/2.32.4`
– `Salesforce-Multi-Org-Fetcher/1.0`
– `Python/3.11 aiohttp/3.12.15`
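As an added example (not code from Salesloft, Mandiant or this page's sources), the following Python scanner applies the published IOCs above to log lines: it flags the three user-agent strings, the listed IP addresses, and successful authentications from addresses outside Drift's allowlist. The log format, the allowlist entry and the sample log lines are constructed placeholders; only the user-agents and the IPs in `IOC_IPS` are taken from the published list.

```python
import re

# Published IOCs quoted on this page (the three user-agents and a subset of the listed IPs).
IOC_USER_AGENTS = {
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Python/3.11 aiohttp/3.12.15",
}
IOC_IPS = {"154.41.95.2", "185.220.101.133", "208.68.36.90"}
# Placeholder: Drift's official IP allowlist is not reproduced on this page; substitute the real one.
DRIFT_ALLOWLIST = {"203.0.113.10"}
# Constructed log format (not Drift's real format): <ip> <timestamp> auth=<ok|fail> ua="<user-agent>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) auth=(?P<auth>ok|fail) ua="(?P<ua>[^"]*)"$')

def classify(ip: str, ua: str, authenticated: bool) -> list:
    """Return the IOC rules one connection matches; an empty list means clean."""
    reasons = []
    if ua in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")
    if ip in IOC_IPS:
        reasons.append("ioc-ip")
    elif authenticated and ip not in DRIFT_ALLOWLIST:
        # The advisory treats successful auth from an IP outside the allowlist as suspicious.
        reasons.append("authenticated-from-unlisted-ip")
    return reasons

def scan(lines) -> list:
    """Return (line_no, ip, reasons) for every parsable line matching at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than mis-parse it
        reasons = classify(m["ip"], m["ua"], m["auth"] == "ok")
        if reasons:
            findings.append((n, m["ip"], tuple(reasons)))
    return findings

# Constructed sample log: one clean allowlisted line, three suspicious lines, one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 2025-08-09T10:00:00Z auth=ok ua="Drift-Integration/2.1"',
    '185.220.101.133 2025-08-09T10:01:00Z auth=ok ua="python-requests/2.32.4"',
    '198.51.100.7 2025-08-09T10:02:00Z auth=ok ua="Mozilla/5.0"',
    '198.51.100.8 2025-08-09T10:03:00Z auth=fail ua="Salesforce-Multi-Org-Fetcher/1.0"',
    "not a log line",
]

if __name__ == "__main__":
    for line_no, ip, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no}: {ip} -> {', '.join(reasons)}")
```

Adapt `LOG_RE` to your own export format; the rule logic in `classify` is independent of how the fields are parsed.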
Attribution and Claims of Responsibility
While a group called “Scattered LAPSUS$ Hunters 4.0” claimed responsibility for the attack, investigators have not found credible evidence to support this claim. The incident underscores the critical need for organizations to scrutinize third-party integrations and implement robust security measures to safeguard against supply-chain attacks.
Recommendations for Organizations
This incident highlights the critical need for heightened vigilance in securing SaaS applications and other third-party integrations. The data compromised across hundreds of companies targeted in this attack could be used to launch additional attacks. Organizations are strongly urged to adopt the following security measures:
– Disconnect Salesloft and its applications: Immediately disconnect all Salesloft connections from your Salesforce environment and uninstall any related software or browser extensions.
– Rotate credentials: Reset the credentials for all third-party applications and integrations connected to your Salesforce instance. Rotate any credentials that may have been previously shared in a support case to Cloudflare. Based on the scope and intent of this attack, it is also recommended to rotate all third-party credentials in your environment as well as any credentials that may have been included in a support case with any other vendor.
– Implement frequent credential rotation: Establish a regular rotation schedule for all API keys and other secrets used in your integrations to reduce the window of exposure.
Conclusion
The Salesloft Drift cyberattack serves as a stark reminder of the vulnerabilities inherent in third-party integrations and the importance of proactive security measures. Organizations must remain vigilant, continuously monitor their systems, and implement robust security protocols to mitigate the risks associated with supply-chain attacks.