Between August 8 and 18, a stealthy adversary, tracked by Google as UNC6395, is suspected to have quietly harvested OAuth and refresh tokens via the Salesloft Drift AI chat integration with Salesforce. At first glance, the breach appeared limited.
Salesloft initially gave reassurance that only Salesforce-linked users were affected. Yet as the investigation deepened, the threat surface expanded.
Google has confirmed cases impacting integrations other than Salesforce CRM instances, with Drift Email impacting a limited number of Google Workspace accounts; Elastic is among those impacted.
At the time of writing, twenty-six (26) organisations have reported being affected by the incident. This number is expected to rise, with hundreds of companies potentially at risk.
Salesforce, the most widely reported-on integration, disabled all integrations with Salesloft as a precaution; these have since been restored. Salesloft states: “While the connection between systems was disabled, both Salesloft and Salesforce continued to run independently. The Salesloft Customer Success team will be reaching out to you directly to help you with data reconciliation before we can re-enable your Salesforce sync.”
Multi-tier supply-chain risk
Multiple organisations that use Salesloft Drift integrations have been investigating their own impact. This has resulted in Exclaimer, Palo Alto, Cloudflare, Zscaler and many other customers reporting on their own investigations.
Each has advised its customers of potential risk to customer data, which usually involves email addresses, contact information and support information held in the chatbot communications and within Salesforce CRM. The findings vary depending on the data each organisation reports as leaked. It does appear that the data is limited to communications within the chatbot only, but this may not be the case, so keep your eyes peeled for new updates from vendors impacted by the incident.
Risks by supply-chain vendor
The risks below are subject to change as each vendor progresses their investigation.
The vendors listed below are known to be impacted by Salesloft Drift.
Exclaimer
Compromise: Salesloft integration with Salesforce
Impacted Data: Email addresses via Salesloft Drift communication.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: Direct to customer
Palo Alto Networks
Compromise: Salesloft integration with Salesforce
Impacted Data: Business contact information, internal sales account and basic case data related to our customers.
Action: Heightened awareness of phishing attacks using information gathered.
Ref: https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/
Tenable
Compromise: Salesloft integration with Salesforce
Impacted Data: A portion of some of our customers’ information stored in our Salesforce instance, including subject lines and initial descriptions provided by our customers when opening a Tenable support case, and commonly available business contact information (such as names, business email addresses, phone numbers, and regional/location references).
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://www.tenable.com/blog/tenable-response-to-salesforce-and-salesloft-drift-incident
Zscaler
Compromise: Salesloft integration with Salesforce
Impacted Data: Names, business email addresses, job titles, phone numbers, regional/location detail, Zscaler product licensing and commercial information. Plain text content from certain support cases [this does NOT include attachments, files, and images]
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered. License reuse. Information gathered from support chats may expose Zscaler customers to lateral movement risk if sensitive data has been shared via support communications.
PagerDuty
Compromise: Salesloft integration with Salesforce
Impacted Data: Names, phone numbers, and email addresses.
Action: Heightened awareness of phishing attacks using information gathered.
Cloudflare
Compromise: Salesloft integration with Salesforce
Impacted Data: Support cases, the subject line of the Salesforce case, the body of the case (freeform text which may include any correspondence including keys, secrets, etc., if provided by the customer to Cloudflare), customer contact information (for example, company name, requestor email address and phone number, company domain name, and company country)
Action: Reset of credentials potentially shared to Cloudflare via support cases. Heightened awareness of phishing attacks using information gathered.
Ref: https://blog.cloudflare.com/response-to-salesloft-drift-incident/
SpyCloud
Compromise: Salesloft integration with Salesforce
Impacted Data: Unknown
Action: Heightened awareness of phishing attacks using information gathered. Be cautious of unusual communications related to your relationship with SpyCloud – for example, emails requesting or specifying payment terms.
Ref: https://spycloud.com/newsroom/salesloft-drift-incident-spycloud-response/
Tanium
Compromise: Salesloft integration with Salesforce
Impacted Data: Names, business email addresses, phone numbers, regional/location references
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://www.tanium.com/blog/salesloft-drift-data-breach-what-we-know-and-what-were-doing/
Proofpoint
Compromise: Salesloft integration with Salesforce
Impacted Data: Unknown - the threat actor (TA) accessed Proofpoint’s Salesforce tenant through the compromised Drift integration and viewed certain information stored in our Salesforce instance.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://www.proofpoint.com/us/blog/corporate-news/salesloft-drift-supply-chain-incident-response
Rubrik
Compromise: Salesloft integration with Salesforce
Impacted Data: Investigation ongoing
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
BeyondTrust
Compromise: Salesloft integration with Salesforce
Impacted Data: Based on our investigation, the threat actors had limited access to our Salesforce data and the impact was limited to Salesforce.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Megaport
Compromise: Salesloft integration with Salesforce
Impacted Data: Limited to names and titles, business email addresses, business phone numbers
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://trust.megaport.com/?tcuUid=f3ee3f57-2b3c-4b77-96b2-aad93acd0c47
Heap
Compromise: Salesloft integration with Salesforce
Impacted Data: Confirmed that a subset of records within Heap’s Salesforce instance was accessed by the threat actor.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://trust.contentsquare.com/?tcuUid=2c81adf8-1e70-4130-9d1d-94966df59058
Bugcrowd
Compromise: Salesloft integration with Salesforce
Impacted Data: TBD - Identified evidence that certain information stored within our Salesforce instance was accessed by an unauthorised user.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
JFrog
Compromise: Salesloft integration with Salesforce
Impacted Data: TBD – “investigation is ongoing, we have discovered that some data stored in JFrog's Salesforce instance was accessed by leveraging illegitimate access to the Drift Application.”
Action: Following security best practices, we recommend revocation and rotation of credentials/keys/secrets and monitoring your environment for any unusual activity.
Workiva
Compromise: Salesloft integration with Salesforce
Impacted Data: Within Salesforce – Names, email addresses, phone numbers, and support ticket content.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Akamai
Compromise: Salesloft integration with Salesforce
Impacted Data: Limited service support tickets, Akamai corporate email addresses and phone numbers, customer corporate email addresses and phone numbers, pseudonymised email addresses. A services-related support case description which included one outdated and inactive API token, and one active API token
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered. Rotate API tokens.
Ref: Direct to customer
CyberArk
Compromise: Salesloft integration with Salesforce
Impacted Data: The data accessed by the threat actor was limited to that contained in our Salesforce CRM, and may include business contact information, account and conversation metadata, and summary fields.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://www.cyberark.com/resources/blog/salesloft-drift-incident-overview-and-cyberarks-response
Unknown
Compromise: Salesloft integration with Drift Email – Google Workspace
Impacted Data: Small number of Google Workspace accounts.
Action: Google recommends organisations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
Cato
Compromise: Salesloft integration with Salesforce
Impacted Data: The exposed Salesforce data included: customer business contact information, company attributes, and basic customer case information.
Action: Review inbound communications carefully. Validate senders independently. Protect login credentials.
Ref: https://www.catonetworks.com/blog/cato-networks-statement-on-salesforce-salesloft-drift-incident/
Esker
Compromise: Salesloft integration with Salesforce
Impacted Data: Potential data: names, business email addresses, job titles, phone numbers, plain text content from support tickets.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Black Duck
Compromise: Salesloft integration with Salesforce
Impacted Data: Exfiltrated data includes: names, business email addresses, job titles, phone numbers, regional/location details, service arrangement data, plain text content from support cases.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Nutanix
Compromise: Salesloft integration with Salesforce
Impacted Data: The impacted data was limited to customer support case records within our Salesforce environment that contained certain fields that primarily included business contacts and/or information relating to the case such as the Subject field of the support case, the description field of the support case, and in limited instances, support case correspondence.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Qualys
Compromise: Salesloft integration with Salesforce
Impacted Data: Vague - Limited access to Salesforce information
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://blog.qualys.com/misc/2025/09/06/salesloft-drift-supply-chain-incident
Dynatrace
Compromise: Salesloft integration with Salesforce
Impacted Data: Within Salesforce; no case information. Limited to business contact information, including first and last names of customer contacts and company identifiers.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://www.dynatrace.com/news/blog/salesloft-drift-incident-dynatraces-response/
Fastly
Compromise: Salesloft integration with Salesforce
Impacted Data: Was isolated to our Salesforce instance and the data accessed was limited to case subjects, descriptions, and contact details.
Action: Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://www.fastlystatus.com/incident/377884
Elastic
Compromise: Salesloft integration with Drift Email – Google Workspace
Impacted Data: After scanning the contents of this inbox, we identified a small number of inbound emails that included potentially valid credentials. For each of these cases where we identified a potential credential leak, we notified customers through existing support channels. If you did not receive notice from us, we did not identify you as an affected customer.
Action: Rotate credentials where affected. Heightened awareness of phishing attacks and social engineering attacks using information gathered.
Ref: https://www.elastic.co/blog/elastic-update-salesloft-drift-security-incident
Map of Supply Chain
Recommendations for customers not directly impacted but impacted via a third party
- Continue to monitor for new incident response updates from your vendors.
- Increase phishing awareness for employees impacted.
- Investigate if your support case or communication data may contain sensitive data. In some cases, you may have shared credentials, API keys, configuration details, or other sensitive data within chats.
- Contact your vendors if you’re unsure if they’re impacted.
Recommendations for those directly impacted by Salesloft Drift integration
- Revoke and rotate all OAuth tokens and credentials associated with Drift.
- Investigate audit logs within Salesforce and any applications related to Salesloft Drift.
- Enforce least privilege.
- If directly impacted, assess the data accessed. Review all customer support case data with your third-party providers to identify what sensitive information may have been exposed. Look for cases containing credentials, API keys, configuration details, or other sensitive data that customers may have shared.
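One way to carry out the support-case review recommended in both lists above, as an added example that is not part of the original post or any vendor's tooling: it scans an exported set of cases for credential-shaped strings and builds a rotation worklist without re-storing the secrets. The CSV layout (CaseNumber, Subject, Description columns), the detector list and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Secret shapes often pasted into tickets. This list is an assumption of the
# example, not taken from any vendor advisory; extend it for your own products.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}"),
    "key_value_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S{8,}"),
}

# Constructed sample export (hypothetical cases; none of the values are real).
SAMPLE_EXPORT = '''CaseNumber,Subject,Description
00001001,Cannot log in,"I forgot my password, please send a reset link."
00001002,API returns 403,"Our call fails. Config: api_key=Zx81kQp0Lm55Tn2RvB7c region=eu"
00001003,S3 sync broken,"Using AKIAIOSFODNN7EXAMPLE with the connector, see log."
00001004,TLS cert renewal,"Key below:
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not a real key)"
'''

def load_rows(text):
    """Parse a CSV export with CaseNumber, Subject and Description columns."""
    return list(csv.DictReader(io.StringIO(text)))

def redact(value):
    """Keep a 4-character prefix and the length; never re-store the secret."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_cases(rows, fields=("Subject", "Description")):
    """Yield (case_number, field, detector, redacted_match) for every hit."""
    for row in rows:
        for field in fields:
            text = row.get(field) or ""
            for name, pattern in DETECTORS.items():
                for match in pattern.finditer(text):
                    yield row["CaseNumber"], field, name, redact(match.group(0))

def cases_to_rotate(rows):
    """Return {case_number: [detector, ...]}: the credential rotation worklist."""
    worklist = {}
    for case, _field, name, _redacted in scan_cases(rows):
        worklist.setdefault(case, set()).add(name)
    return {case: sorted(names) for case, names in worklist.items()}

if __name__ == "__main__":
    for hit in scan_cases(load_rows(SAMPLE_EXPORT)):
        print(*hit, sep="\t")
```

Case 00001001 mentions a password without containing one and is correctly left off the worklist; every flagged case should be treated as a credential to rotate, not merely a record to tidy up.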
References
- https://thehackernews.com/2025/09/salesloft-takes-drift-offline-after.html
- https://www.zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response
- https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/
- https://www.pagerduty.com/blog/news-announcements/salesloft-drift-data-breach-update-to-our-customers/
- https://blog.cloudflare.com/response-to-salesloft-drift-incident/
- https://spycloud.com/newsroom/salesloft-drift-incident-spycloud-response/
- https://www.tanium.com/blog/salesloft-drift-data-breach-what-we-know-and-what-were-doing/
- https://cyberscoop.com/salesloft-drift-compromise-scope-expands
- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
- https://www.tenable.com/blog/tenable-response-to-salesforce-and-salesloft-drift-incident
- https://www.proofpoint.com/us/blog/corporate-news/salesloft-drift-supply-chain-incident-response
- https://www.rubrik.com/blog/company/25/salesforce-connected-third-party-drift-application-supply-chain-incident-response
- https://www.beyondtrust.com/trust-center/security-advisories/salesforce-salesloft-drift-security-incident
- https://trust.megaport.com/?tcuUid=f3ee3f57-2b3c-4b77-96b2-aad93acd0c47
- https://trust.contentsquare.com/?tcuUid=2c81adf8-1e70-4130-9d1d-94966df59058
- https://www.bugcrowd.com/blog/bugcrowd-response-to-salesforce-linked-third-party-drift-application-security-event/
- https://jfrog.com/help/r/salesforce-data-incident-identified-linked-to-third-party-salesloft-drift/salesforce-data-incident-identified-linked-to-third-party-salesloft-drift
- https://www.bleepingcomputer.com/news/security/saas-giant-workiva-discloses-data-breach-after-salesforce-attack/
- https://www.cyberark.com/resources/blog/salesloft-drift-incident-overview-and-cyberarks-response
- https://www.catonetworks.com/blog/cato-networks-statement-on-salesforce-salesloft-drift-incident/
- https://www.esker.com/blog/esker-news-and-culture/salesloft-and-drift-oauth-incident-affecting-salesforce-data-what/
- https://community.blackduck.com/s/article/Salesloft-Drift-Breach-Impact-on-Black-Duck-Update-to-Our-Customers
- https://www.nutanix.com/blog/third-party-salesloft-drift-application-incident-response-our-impact-and-action
- https://blog.qualys.com/misc/2025/09/06/salesloft-drift-supply-chain-incident
- https://www.dynatrace.com/news/blog/salesloft-drift-incident-dynatraces-response/
- https://www.fastlystatus.com/incident/377884
- https://www.elastic.co/blog/elastic-update-salesloft-drift-security-incident