In response to a significant security breach, Salesloft has announced the temporary suspension of its Drift service. This decision comes after a sophisticated supply chain attack led to the mass theft of authentication tokens, impacting numerous organizations.
The breach, which occurred between August 8 and August 18, 2025, involved the theft of OAuth access and refresh tokens issued to Drift, an AI-powered chat agent that integrates with platforms including Salesforce. Because such tokens grant API access without an interactive login, the attackers could replay them directly against customer environments, which led to substantial data exfiltration.
Scope of the Breach
Initially believed to be confined to Salesloft's Salesforce integration, the breach was later found to extend to any platform integrated with Drift, all of which should be treated as potentially compromised. Google's Threat Intelligence Group (GTIG) and cybersecurity firm Mandiant have attributed the attack to a threat actor tracked as UNC6395, also known as GRUB1. Reports indicate that over 700 organizations could be affected.
Impact on Organizations
Several prominent companies have confirmed being impacted by the breach:
– Cloudflare: The company acknowledged that the incident was not isolated and suggested that the threat actor aimed to harvest credentials and customer information for future attacks. Cloudflare emphasized the potential for targeted attacks against customers across affected organizations.
– Zscaler: The security firm reported unauthorized access to its Salesforce data via compromised Drift tokens. The accessed information included business contact details such as names, email addresses, job titles, phone numbers, regional details, product licensing, and support case content. Zscaler has since revoked the Drift integration, rotated API tokens, and initiated a third-party risk investigation.
– Palo Alto Networks: The company confirmed that the breach was contained to its Salesforce CRM installation. Exfiltrated data included business contact information and internal case details. In some instances, sensitive information like credentials may have been disclosed if included in support case text. Palo Alto Networks assured that none of its products, systems, or services were compromised and that affected customers are being notified.
– SpyCloud: The cybersecurity firm is assessing the scope of impact on its Salesforce instance. Preliminary findings suggest that standard customer relationship management fields were accessed, with no evidence of consumer data exposure. SpyCloud has notified customers and taken measures to secure its environment.
Salesloft’s Response
In light of the breach, Salesloft has decided to take Drift offline temporarily. The company stated that this measure would allow for a comprehensive review of the application and the implementation of additional security measures to restore full functionality. As a result, the Drift chatbot on customer websites will be unavailable during this period.
Salesloft emphasized its commitment to ensuring the integrity and security of its systems and customers’ data. The company is collaborating with cybersecurity partners, including Mandiant and Coalition, as part of its incident response efforts.
Recommendations for Affected Organizations
In response to the breach, organizations using Drift are advised to:
1. Revoke and Rotate Credentials: Immediately revoke all active access and refresh tokens issued to Drift integrations, on every platform connected to Drift and not only Salesforce. Rotate API keys and other credentials that the integration could reach, and treat any secret that was ever pasted into support case text or other CRM fields as exposed and rotate it as well.
2. Monitor for Unauthorized Activity: Review API access and login logs for the Drift integration identity, paying particular attention to activity between August 8 and August 18, 2025, to unusually large query volumes, and to queries against objects the integration has no business reason to read, such as support cases or user records.
3. Enhance Security Measures: Tighten the scopes and, where supported, the IP restrictions on connected apps, prefer short-lived tokens, and run regular security audits of third-party integrations. Multi-factor authentication remains worthwhile for interactive logins, but note that it does not stop the replay of an already-stolen OAuth token, so it is not a substitute for revoking and scoping integration credentials.
4. Stay Informed: Keep abreast of updates from Salesloft and other relevant authorities regarding the breach and follow recommended actions promptly.
Broader Implications
This incident underscores the risk that third-party integrations holding long-lived API tokens pose: a compromise of the vendor becomes a compromise of every environment the vendor's tokens can reach. Organizations are reminded to limit the scopes granted to integrated applications and to regularly assess the security posture of their software supply chains.
As investigations continue, it is crucial for all affected entities to remain vigilant and proactive in addressing potential security risks stemming from this breach.