In August 2025, a significant cybersecurity incident unfolded, targeting the Salesloft Drift application—a widely used AI-driven chat platform integrated with Salesforce. This breach has had far-reaching consequences, affecting numerous high-profile organizations and exposing sensitive data.
The Breach Unveiled
Between August 8 and August 18, 2025, threat actors used OAuth access and refresh tokens stolen from the Salesloft Drift integration to reach the Salesforce instances of Drift customers. The integration itself was not exploited in the classic sense: the tokens were valid credentials issued to the Drift connected app, and they carried the app's full access to each customer's org. The attackers systematically executed SOQL queries against Salesforce objects such as Accounts, Contacts, Cases, and Opportunities and exported large volumes of records. Notably, they also searched the exported data for credentials, including AWS access keys and Snowflake tokens, that customers had pasted into support cases, giving them a route into further environments. GTIG reported that the actor deleted its query jobs after use, so investigators should rely on retained Salesforce logs rather than the job history. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/?utm_source=openai))
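The credential search described above is also the check a defender wants to run against its own Case data after an incident like this: which secrets did customers or staff paste into support cases that the integration could read, and therefore which of them must be rotated. The following is an added example, not code from the article, Unit 42, GTIG or Salesloft. It scans a few constructed Case records (the values are made up, modelled on AWS's published example key pair) for AWS access key IDs, AWS secret key assignments, Snowflake references near a token or password, and password-style assignments. Only the AWS access key ID format is a documented structure; the other patterns are triage heuristics and will produce false positives.

```python
"""Hunt for credentials left in Salesforce support-case text (added example)."""
import re

# Patterns keyed by label. The AWS key-ID regex follows the documented
# AKIA/ASIA + 16 uppercase alphanumerics format; the rest are heuristics
# chosen for this example, not vendor-defined token formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "snowflake_reference": re.compile(
        r"(?i)\bsnowflake\b[^\n]{0,80}?(?:token|password|passwd|pwd)"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S{6,})"),
}

# Constructed sample records. Field names mirror Salesforce Case fields
# (Id, Subject, Description); every value is invented for this example.
SAMPLE_CASES = [
    {"Id": "500000000000001", "Subject": "Login failure",
     "Description": "Customer cannot log in after password reset; no creds shared."},
    {"Id": "500000000000002", "Subject": "S3 sync broken",
     "Description": "Here is our key: AKIAIOSFODNN7EXAMPLE and "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000003", "Subject": "Warehouse connector",
     "Description": "Snowflake connector fails; token=abc123xyz attached to case."},
    {"Id": "500000000000004", "Subject": "VPN onboarding",
     "Description": "Temp account: user=svc-ingest password: Winter2025!"},
]


def redact(secret):
    """Keep the first four characters so a hit can be triaged without re-exposing it."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "*" * len(secret)


def scan_case(case):
    """Return (field, label, redacted_match) for every pattern hit in one Case."""
    hits = []
    for field in ("Subject", "Description"):
        text = case.get(field) or ""
        for label, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                hits.append((field, label, redact(match.group(0))))
    return hits


def scan_cases(cases):
    """Map Case Id -> hits; Cases with nothing suspicious are omitted."""
    report = {}
    for case in cases:
        hits = scan_case(case)
        if hits:
            report[case["Id"]] = hits
    return report


def exposure_summary(cases):
    """Count hits per label across all Cases: the rotation worklist."""
    counts = {}
    for hits in scan_cases(cases).values():
        for _field, label, _match in hits:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for case_id, hits in scan_cases(SAMPLE_CASES).items():
        for field, label, match in hits:
            print(f"{case_id} {field}: {label} -> {match}")
    print(exposure_summary(SAMPLE_CASES))
```

On real data, feed the script a Bulk API export of Case (Subject, Description, and any long-text custom fields, plus EmailMessage and CaseComment bodies) and treat every hit as a credential to rotate, not merely to redact: the attacker may already have a copy.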
Impact on Major Organizations
Several security and infrastructure vendors confirmed they were affected:
– Palo Alto Networks: The company confirmed unauthorized access to business contacts, internal sales records, and support case data. While core systems remained unaffected, Palo Alto Networks promptly disabled the compromised application and notified impacted customers. ([techradar.com](https://www.techradar.com/pro/security/palo-alto-networks-becomes-the-latest-to-confirm-it-was-hit-by-salesloft-drift-attack?utm_source=openai))
– Zscaler: Zscaler reported that attackers accessed Salesforce-related data, including contact names, email addresses, job titles, phone numbers, product licenses, and support case details. In response, Zscaler revoked Salesloft Drift’s access, rotated API tokens, and enhanced cybersecurity protocols. ([zscaler.com](https://www.zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response?utm_source=openai))
– Cloudflare: The breach led to unauthorized access to customer contact details and basic support case data. Cloudflare identified 104 exposed API tokens, which were rotated as a precautionary measure. The company has advised affected customers to rotate any credentials shared through its support system. ([techradar.com](https://www.techradar.com/pro/security/even-cloudflare-isnt-safe-from-salesloft-drift-data-breaches?utm_source=openai))
– Nutanix: Nutanix confirmed that the breach resulted in unauthorized access and export of certain Salesforce support case data related to a subset of their customers. The company disabled the integration, conducted a thorough investigation, and found no evidence of data misuse. ([nutanix.com](https://www.nutanix.com/blog/third-party-salesloft-drift-application-incident-response-our-impact-and-action?utm_source=openai))
– CyberArk: CyberArk acknowledged that the breach allowed unauthorized access to its Salesforce data, including business contact information and account metadata. The company terminated the Salesforce–Drift connection, disabled the Drift application, and rotated all related credentials. ([cyberark.com](https://www.cyberark.com/resources/all-blog-posts/salesloft-drift-incident-overview-and-cyberark-s-response?utm_source=openai))
Attackers and Attribution
The cybercriminal group ShinyHunters claimed responsibility for the attack. Google's Threat Intelligence Group (GTIG), however, attributed the campaign to a threat actor it tracks as UNC6395. The actor used the stolen OAuth tokens to query and exfiltrate data from many Salesforce instances in a short window and cleaned up after itself by deleting query jobs. ([arstechnica.com](https://arstechnica.com/security/2025/08/google-warns-that-mass-data-theft-hitting-salesloft-ai-agent-has-grown-bigger/?utm_source=openai))
Salesloft’s Response
Upon discovering the breach, Salesloft took immediate action:
– Revocation of Tokens: Salesloft revoked all active access and refresh tokens for the Drift application, necessitating re-authentication for affected administrators. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/?utm_source=openai))
– Collaboration with Security Experts: The company engaged Mandiant to lead a comprehensive investigation into the incident. Findings revealed that between March and June 2025, attackers accessed Salesloft's GitHub account, downloaded content from multiple repositories and added workflows to them. The attackers then moved into Drift's AWS environment, where they obtained the OAuth tokens that Drift held for its customers' technology integrations. The tokens were therefore stolen from the vendor's side; nothing in the customers' own Salesforce configuration needed to be compromised. ([databreaches.net](https://databreaches.net/2025/09/07/salesloftdrift-update-on-investigation-results/?utm_source=openai))
– Containment Measures: Salesloft isolated and contained the Drift infrastructure, took the Drift application offline, rotated impacted credentials, and hardened its environment against the known methods used by the threat actor. ([databreaches.net](https://databreaches.net/2025/09/07/salesloftdrift-update-on-investigation-results/?utm_source=openai))
Broader Implications
The incident underscores the risk carried by third-party integrations and their long-lived OAuth grants: a vendor-side compromise turns every customer that authorised the app into a victim, with no exploit against the customer required. Organizations are advised to:
– Review Integrations: Inventory every connected app and the OAuth scopes, objects and record volumes each one can reach; remove unused apps and restrict the rest to the objects they actually need, so a stolen token cannot read Case histories it has no business reading.
– Rotate Credentials: Rotate the integration's own tokens, and also any secrets that were present in data the integration could read, such as API keys or passwords pasted into support cases. Cloudflare's rotation of 104 tokens found in case data is the model here.
– Monitor Systems: Baseline what each integration normally queries and alert on deviations: COUNT() queries used to size tables, bulk exports of Case, Account or Opportunity, and unfamiliar client strings or source addresses presenting the integration's token.
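The monitoring advice above only works if the "normal" behaviour of each integration is written down somewhere a detector can read it. The following is an added example, not code from the article, Salesforce, Salesloft or any vendor's detection content. It reads a constructed, simplified JSON-lines access log (one event per line; the field names are this example's own), compares each connected-app event with an assumed per-app baseline of expected objects, client string and source network, and flags the sequence seen in this breach: count queries to size tables, then bulk pulls of Case and Opportunity from an unfamiliar client and address, exceeding a row budget. Salesforce Event Monitoring uses its own event schema, which is what you would map onto these fields; the baselines and the row budget are assumptions.

```python
"""Flag connected-app API activity that departs from its baseline (added example)."""
import ipaddress
import json
import re
from collections import defaultdict

# Assumed per-integration baselines: objects the app normally touches,
# the client string it presents, and the networks it connects from.
BASELINES = {
    "Drift": {
        "objects": {"Lead", "Contact"},
        "user_agents": {"Drift-Salesforce/1.0"},
        "source_nets": [ipaddress.ip_network("203.0.113.0/24")],
    },
    "Billing-Sync": {
        "objects": {"Account", "Invoice__c"},
        "user_agents": {"Billing-Sync/2.1"},
        "source_nets": [ipaddress.ip_network("203.0.113.0/24")],
    },
}
ROW_BUDGET = 10_000  # rows one integration may pull over the analysed window (assumed)

COUNT_QUERY = re.compile(r"^\s*select\s+count\(\)", re.IGNORECASE)
FROM_OBJECT = re.compile(r"\bfrom\s+([A-Za-z0-9_]+)", re.IGNORECASE)

# Constructed sample log. Field names are this example's simplified shape,
# not Salesforce's event schema; addresses are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2025-08-09T10:00:00Z", "app": "Drift", "ip": "203.0.113.10", "ua": "Drift-Salesforce/1.0", "api": "REST", "query": "SELECT Id, Email FROM Lead WHERE LastModifiedDate = TODAY", "rows": 12}
{"ts": "2025-08-10T02:14:07Z", "app": "Drift", "ip": "198.51.100.7", "ua": "python-requests/2.32.4", "api": "REST", "query": "SELECT COUNT() FROM Account", "rows": 1}
{"ts": "2025-08-10T02:14:09Z", "app": "Drift", "ip": "198.51.100.7", "ua": "python-requests/2.32.4", "api": "REST", "query": "SELECT COUNT() FROM Case", "rows": 1}
{"ts": "2025-08-10T02:16:31Z", "app": "Drift", "ip": "198.51.100.7", "ua": "python-requests/2.32.4", "api": "BULK", "object": "Case", "rows": 48210}
{"ts": "2025-08-10T02:31:55Z", "app": "Drift", "ip": "198.51.100.7", "ua": "python-requests/2.32.4", "api": "BULK", "object": "Opportunity", "rows": 9120}
{"ts": "2025-08-10T03:00:00Z", "app": "Billing-Sync", "ip": "203.0.113.50", "ua": "Billing-Sync/2.1", "api": "BULK", "object": "Invoice__c", "rows": 200}
"""


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def object_of(event):
    """Object touched: parsed from the SOQL FROM clause, else the bulk job's object."""
    query = event.get("query")
    if query:
        match = FROM_OBJECT.search(query)
        return match.group(1) if match else None
    return event.get("object")


def event_flags(event):
    """Per-event deviations from the app's baseline; unknown apps get every flag."""
    base = BASELINES.get(event["app"],
                         {"objects": set(), "user_agents": set(), "source_nets": []})
    flags = []
    ip = ipaddress.ip_address(event["ip"])
    if not any(ip in net for net in base["source_nets"]):
        flags.append("ip_outside_allowlist")
    if event["ua"] not in base["user_agents"]:
        flags.append("unexpected_user_agent")
    if object_of(event) not in base["objects"]:
        flags.append("unexpected_object")
    if event.get("query") and COUNT_QUERY.match(event["query"]):
        flags.append("count_recon")  # sizing tables before an export
    return flags


def analyze(text):
    """Per-app report: flagged event count, sorted distinct flags, total rows pulled."""
    report = defaultdict(lambda: {"flagged_events": 0, "flags": set(), "rows": 0})
    for event in parse_events(text):
        entry = report[event["app"]]
        entry["rows"] += event.get("rows", 0)
        flags = event_flags(event)
        if flags:
            entry["flagged_events"] += 1
            entry["flags"].update(flags)
    for entry in report.values():
        if entry["rows"] > ROW_BUDGET:
            entry["flags"].add("bulk_export_volume")
        entry["flags"] = sorted(entry["flags"])
    return dict(report)


if __name__ == "__main__":
    for app, entry in analyze(SAMPLE_LOG).items():
        print(app, entry)
```

The point of the per-app baseline is that a valid token presenting an unfamiliar user agent from an unfamiliar network and reading objects the app never touched is the whole signature of this incident; none of those signals is visible if you only check that the OAuth token was valid.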
This breach is a reminder that the security of a SaaS environment is bounded by the weakest vendor holding a token to it, and that managing third-party integrations means auditing what they can reach and watching what they actually do.