UPDATE: Salesforce/Salesloft Integration Is Restored
As of a recent update, the integration between the Salesloft platform and Salesforce has been restored. Customers will be contacted directly by the Salesloft Customer Success team to assist with the data reconciliation process before the Salesforce sync is re-enabled.
A forensic investigation by Mandiant has shed new light on the Salesloft Drift security incident. After being hired on August 28, 2025, Mandiant investigated the breach and, as of September 6, 2025, has confirmed that the incident is contained.
The investigation's most important finding is that the breach was centered on the Drift application environment. The separate Salesloft platform was not compromised for data exfiltration, and Mandiant verified the technical segmentation between the two systems.
Details of the Incident
Mandiant’s investigation found that the attacker's access to Salesloft's GitHub account ran from March through June 2025; the theft of customer data through Drift integrations, described in the victim list below, took place in August 2025.
The attack unfolded in a clear, multi-stage process.
Stage 1: Initial access via GitHub
The attacker first gained access to Salesloft's GitHub account. From there, they downloaded content from multiple code repositories, added a guest user, and established workflows to maintain their access.
Stage 2: Reconnaissance
The attacker then performed reconnaissance in both the Salesloft and Drift application environments. However, the investigation found no evidence of a deeper compromise within the core Salesloft application itself.
Stage 3: Pivot to Drift environment & credential theft
The attacker leveraged their position to access Drift’s AWS environment. Once inside, they stole OAuth tokens for Drift customers’ technology integrations.
Stage 4: Data exfiltration
Using the stolen OAuth tokens, the attacker accessed customer data through the active Drift integrations.
The downstream activity against individual tenants was methodical. Cloudflare's own investigation of its Salesforce tenant, for example, shows initial reconnaissance on August 9, expanded reconnaissance on August 13, and data exfiltration on August 17.
Official response and containment activities
Salesloft, with validation from Mandiant, executed a swift and thorough response to contain the threat.
Drift application environment
The Drift infrastructure, application, and code have been isolated and contained.
The Drift Application has been taken offline.
All impacted credentials in the Drift environment have been rotated.
Salesloft application environment
Credentials in the Salesloft environment were proactively rotated.
Extensive threat hunting was performed across Salesloft infrastructure, and no additional Indicators of Compromise (IOCs) were found.
The Salesloft environment was rapidly hardened against the attacker's methods.
Resolution and service restoration
Following the initial containment, Salesloft has now restored the integration with Salesforce. The restoration process requires customers to engage with the Salesloft Customer Success team to perform data reconciliation. Once this is complete, the Salesforce sync can be safely re-enabled.
List of businesses impacted by the Salesloft Drift breach
Victims include major technology companies and several prominent cybersecurity vendors. The dates below are those each company reported and may be the start of the access window or the day Salesforce notified them; Elastic is included because it investigated and reported no impact.
Company | Date (as reported) | Summary of impact
BeyondTrust | August 22, 2025 | After being alerted by Salesforce to suspicious activity on August 22, 2025, BeyondTrust confirmed it was impacted by the supply chain incident involving the compromised Salesloft Drift application.
Bugcrowd | August 22, 2025 | An unauthorized party gained access to certain data within Bugcrowd's Salesforce environment through the compromised Drift application. The company stressed that its core platform data, customer vulnerability details, and payment information were not affected.
Cato Networks | September 1, 2025 | The company confirmed that it was affected between August 8 and 18, 2025. The breach resulted in unauthorized access to limited Salesforce data, including business contact information and basic details from customer support cases.
Cloudflare | August 12, 2025 | A threat actor accessed Cloudflare's Salesforce environment over a five-day period, from August 12 to August 17, 2025, and exfiltrated data related to customer support cases.
CyberArk | September 4, 2025 | The breach involved unauthorized access to the company's Salesforce CRM data via the Salesloft Drift supply chain incident. The exposed information was confined to business contact details and metadata from accounts and conversations.
Dynatrace | September 2025 | Dynatrace confirmed its Salesforce environment was compromised as part of the widespread incident, but stated the breach was confined to that specific system.
Elastic | August 26, 2025 | After investigating the widespread incident disclosed on August 26, 2025, Elastic determined that its own Salesforce environment was not impacted by the breach.
Esker | August 2025 | Attackers leveraged stolen OAuth credentials between August 8 and August 16 to gain limited access to Esker's Salesforce environment. The breach was restricted to the content of Salesforce support cases, exposing names, business contact details, and the text from support tickets.
Fastly | August 13, 2025 | Fastly confirmed that it was targeted between August 13 and August 18, 2025, with attackers gaining access to its Salesforce instance as part of the broader compromise.
Heap | August 22, 2025 | Salesforce notified Heap of unusual activity connected to the Drift application, which suggested that an unauthorized party may have gained access to Heap's Salesforce environment.
JFrog | August 23, 2025 | On August 23, 2025, the company was informed by Salesforce about suspicious access to its Salesforce tenant via the Drift integration. While some Salesforce records were accessed, the core JFrog Platform and its customer product data were not impacted.
Megaport | August 22, 2025 | The incident led to unauthorized access to a subset of the company's Salesforce data. The exposure was limited to customer contact information, such as names and business email addresses.
Nutanix | August 18, 2025 | The company confirmed it was impacted by the compromise that targeted Salesforce customers worldwide, with attackers gaining unauthorized access to data within Salesforce support cases.
PagerDuty | August 23, 2025 | PagerDuty was impacted when attackers exploited the compromised Salesloft Drift OAuth tokens to gain unauthorized access to Salesforce accounts across multiple organizations.
Palo Alto Networks | September 2, 2025 | The company was one of hundreds affected by the supply chain attack. Attackers used stolen OAuth tokens from the Drift integration to access the Palo Alto Networks Salesforce instance and extract a limited amount of customer-related data.
Proofpoint | August 22, 2025 | The company's Salesforce tenant was accessed by an unauthorized party that exploited the Drift integration. The breach was first identified by Salesforce, which detected suspicious activity tied to Drift.
Qualys | September 6, 2025 | Qualys confirmed it was among the organizations impacted by the supply chain incident, where attackers used stolen OAuth tokens to gain unauthorized access to its Salesforce customer instance.
Rubrik | August 22, 2025 | Following a notification from Salesforce about suspicious activity on August 22, 2025, Rubrik disclosed that its Salesforce instance was impacted by the compromised Drift integration.
Sigma Computing | August 22, 2025 | The company disclosed that it was impacted by the campaign targeting Salesforce customers. The breach resulted in unauthorized actors accessing Salesforce credential data.
SpyCloud | September 1, 2025 | The company disclosed that its Salesforce CRM data was potentially accessed by attackers who used a compromised OAuth token connected to the Salesloft Drift integration.
Tanium | August 28, 2025 | The incident involved attackers obtaining Tanium credentials from Salesloft Drift. These credentials were then used to gain access to Tanium's Salesforce instance.
Tenable | August 22, 2025 | An unauthorized actor gained access to a limited set of customer information within Tenable's Salesforce environment as part of the widespread compromise. The compromised data included subject lines and the initial descriptions from customer support cases.
Workiva | August 20, 2025 | Attackers exfiltrated a limited amount of data from the company's Salesforce CRM environment through the Drift integration. The exposed data included business contact details such as names and email addresses. Workiva confirmed its core platform was not compromised.
Zscaler | August 30, 2025 | The company reported that attackers used stolen OAuth tokens to gain limited access to its Salesforce data. The information exposed included business contact details, product licensing information, and the content from some customer support cases.
How to respond to the Salesloft Drift event
Given the nature of the breach, organizations using Salesloft Drift (especially those integrating it with third-party platforms like Salesforce) are urged to take immediate action to mitigate risk and investigate for potential compromise.
The primary recommendations from security researchers fall into three main categories: investigation, remediation, and hardening. A fourth step, re-enabling the Salesforce integration, applies once those three are complete.
1. Investigate for Compromise and Scan for Exposure
Review integrations: The first step is to review all third-party integrations connected to your organization's Drift instance. This can be done within the Drift Admin settings page.
Search logs for malicious activity: Within each integrated third-party application, search for the Indicators of Compromise (IoCs), such as IP addresses and User-Agent strings, provided by Google's Threat Intelligence Group. In Salesforce, this involves reviewing authentication activity from the Drift Connected App and looking for unusual RestApi Query events.
Scan for exposed secrets: Actively search your Salesforce objects and other integrated platforms for sensitive secrets that may have been exposed in the exfiltrated data. The threat actor specifically looked for credentials related to Amazon Web Services (AWS), Snowflake, and other services.
Salesloft Drift IOCs
Indicator value | Description
Salesforce-Multi-Org-Fetcher/1.0 | Malicious User-Agent string
Salesforce-CLI/1.0 | Malicious User-Agent string
python-requests/2.32.4 | User-Agent string (a common library default, so corroborate hits with the IP and query-volume indicators)
Python/3.11 aiohttp/3.12.15 | User-Agent string (a common library default, so corroborate hits with the IP and query-volume indicators)
208.68.36.90 | DigitalOcean
44.215.108.109 | Amazon Web Services
154.41.95.2 | Tor exit node
176.65.149.100 | Tor exit node
179.43.159.198 | Tor exit node
185.130.47.58 | Tor exit node
185.207.107.130 | Tor exit node
185.220.101.133 | Tor exit node
185.220.101.143 | Tor exit node
185.220.101.164 | Tor exit node
185.220.101.167 | Tor exit node
185.220.101.169 | Tor exit node
185.220.101.180 | Tor exit node
185.220.101.185 | Tor exit node
185.220.101.33 | Tor exit node
192.42.116.179 | Tor exit node
192.42.116.20 | Tor exit node
194.15.36.117 | Tor exit node
195.47.238.178 | Tor exit node
195.47.238.83 | Tor exit node
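The "scan for exposed secrets" step above is easiest to do the way the attacker did it: sweep the text fields of the records the Drift token could read for credential patterns. The following is an added example, not code from the original article or from Salesloft, Google or UpGuard. It assumes a CSV export of the Salesforce Case object with Subject and Description columns (an assumption; adjust TEXT_FIELDS to whatever objects and fields you export) and targets the credential types the article names (AWS access keys, Snowflake) plus generic password and secret assignments. The three case rows are constructed for the demo.

```python
"""Scan exported Salesforce records for the kinds of secrets the Drift actor hunted.

Added example, not part of the original article. Column names and the sample
rows are constructed; the patterns cover AWS access keys, Snowflake account
URLs, and generic password/secret assignments.
"""
import csv
import io
import re

PATTERNS = {
    # AWS access key IDs (long-term AKIA..., temporary ASIA...)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # aws_secret_access_key=<40 base64-ish chars>
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})"),
    # Snowflake account locators pasted into tickets
    "snowflake_account_url": re.compile(r"\b[\w-]+\.snowflakecomputing\.com\b", re.I),
    # password: hunter2 / pwd=... style assignments
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    # secret=..., api_key=..., token=... with a plausibly long value
    "generic_secret": re.compile(
        r"(?i)\b(?:secret|api[_-]?key|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-/+]{16,}"),
}
# Assumption: these are the Case fields present in your export.
TEXT_FIELDS = ("Subject", "Description")


def redact(match_text: str) -> str:
    """Keep a short prefix so the hit is identifiable without re-exposing it."""
    return match_text[:4] + "..." if len(match_text) > 8 else "***"


def scan_record(record: dict) -> list[tuple[str, str, str]]:
    """Return (field, pattern_name, redacted_match) for every hit in one record."""
    hits = []
    for fld in TEXT_FIELDS:
        text = record.get(fld) or ""
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append((fld, name, redact(m.group(0))))
    return hits


def scan_csv(csv_text: str) -> list[tuple[str, str, str, str]]:
    """Scan a whole CSV export; returns (CaseNumber, field, pattern_name, redacted)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for fld, name, red in scan_record(row):
            findings.append((row.get("CaseNumber", "?"), fld, name, red))
    return findings


# Constructed sample export (the AWS values are Amazon's documented examples).
SAMPLE_CASES = '''CaseNumber,Subject,Description
00001001,Cannot log into console,"Tried to reset my password but nothing happens."
00001002,S3 sync failing,"Using AKIAIOSFODNN7EXAMPLE with aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY still fails"
00001003,Snowflake connector error,"Account xy12345.snowflakecomputing.com, password: Winter2025! set in the connector"
'''

if __name__ == "__main__":
    for case_no, fld, name, red in scan_csv(SAMPLE_CASES):
        print(f"case {case_no}: {name} in {fld}: {red}")
```

Every hit is a credential that must be rotated regardless of whether the logs show it was read, because the Drift token could read it. The redaction keeps the report itself from becoming a second copy of the secret.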
2. Revoke and rotate credentials
Rotate all connected tokens and keys: For every third-party application integrated with Drift, immediately revoke and rotate all API keys, credentials, and authentication tokens associated with the integration.
Rotate exposed credentials: If the investigation uncovers any hardcoded secrets or exposed credentials, they must be rotated immediately. This is critical to prevent the threat actor from using them to compromise other systems.
3. Harden access controls for the future
Enforce the Principle of Least Privilege: Ensure that connected applications like Drift have the minimum necessary permissions required to function. Avoid granting overly permissive scopes, such as "full" or "api," to third-party integrations. In Salesforce the OAuth scope only gates which API surface a token can reach; which objects and fields it can read is set by the user the app runs as, so pair narrow scopes with a dedicated integration user whose profile or permission set exposes only the data the integration needs.
Restrict access by IP address: Where possible, define trusted IP ranges for connected applications so that a token is only honored from the addresses you have approved for it. Okta reported that this control stopped the attack against its own Salesforce tenant: the threat actor's connection attempt came from an unauthorized IP address and was refused.
Limit API access: In Salesforce, remove the "API Enabled" permission from general user profiles and grant it only to authorized users via a Permission Set.
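The three hardening points above can be checked mechanically against the ConnectedApp metadata you retrieve from an org. The following is an added example, not code from the original article or from Salesforce. It reads ConnectedApp metadata XML; the element names it relies on (label, oauthConfig/scopes, oauthPolicy/ipRelaxation, oauthPolicy/isAdminApproved) are my understanding of the Metadata API format, so verify them against a file you retrieve yourself. Both app definitions are constructed: one as a chat integration is typically installed, one hardened along the lines of the list above.

```python
"""Audit Salesforce ConnectedApp metadata for over-broad scopes and relaxed IP policy.

Added example, not part of the original article. Element names are an
assumption about the Metadata API format; the two app definitions below are
constructed for the demo.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}


def audit_connected_app(xml_text: str) -> dict:
    """Return the app's settings plus lists of hard issues and softer warnings."""
    root = ET.fromstring(xml_text)
    label = root.findtext("m:label", default="?", namespaces=NS)
    scopes = [s.text or "" for s in root.findall("m:oauthConfig/m:scopes", NS)]
    policy = {
        key: root.findtext(f"m:oauthPolicy/m:{key}", default="(unset)", namespaces=NS)
        for key in ("ipRelaxation", "isAdminApproved")
    }
    issues, warnings = [], []
    if "Full" in scopes:
        issues.append("scope Full grants every API and data surface; drop it")
    if "Api" in scopes:
        warnings.append("scope Api: bound the token's reach with a dedicated "
                        "integration user whose permission set allows only the "
                        "objects and fields the integration needs")
    if policy["ipRelaxation"] != "ENFORCE":
        issues.append(f"ipRelaxation={policy['ipRelaxation']}; set ENFORCE so "
                      "tokens only work from trusted IP ranges")
    if policy["isAdminApproved"] != "true":
        issues.append("isAdminApproved is not true; users can self-authorize the app")
    return {"label": label, "scopes": scopes, **policy,
            "issues": issues, "warnings": warnings}


# Constructed: a chat integration as it is typically installed.
WEAK_APP = """<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <contactEmail>secops@example.com</contactEmail>
    <label>Chat Widget (as installed)</label>
    <oauthConfig>
        <callbackUrl>https://chat.example.invalid/oauth/callback</callbackUrl>
        <scopes>Full</scopes>
        <scopes>RefreshToken</scopes>
    </oauthConfig>
    <oauthPolicy>
        <ipRelaxation>BYPASS</ipRelaxation>
        <isAdminApproved>false</isAdminApproved>
    </oauthPolicy>
</ConnectedApp>
"""

# Constructed: the same app after hardening.
HARDENED_APP = """<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <contactEmail>secops@example.com</contactEmail>
    <label>Chat Widget (hardened)</label>
    <oauthConfig>
        <callbackUrl>https://chat.example.invalid/oauth/callback</callbackUrl>
        <scopes>Api</scopes>
        <scopes>RefreshToken</scopes>
    </oauthConfig>
    <oauthPolicy>
        <ipRelaxation>ENFORCE</ipRelaxation>
        <isAdminApproved>true</isAdminApproved>
    </oauthPolicy>
</ConnectedApp>
"""

if __name__ == "__main__":
    for app in (WEAK_APP, HARDENED_APP):
        report = audit_connected_app(app)
        print(report["label"], "issues:", report["issues"], "warnings:", report["warnings"])
```

The hardened definition still carries a warning: "Api" is the scope most integrations genuinely need, so the remaining control is the integration user behind the token, which is where the "API Enabled" permission set from the list above comes in.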
4. Re-enable and Reconcile Integrations
For the Salesforce integration, do not re-enable the sync immediately. Wait for the Salesloft Customer Success team to contact you to guide you through the necessary data reconciliation steps.
How to check if you've been impacted by the Salesloft Drift event
To check if you have been impacted, your security team should:
Treat Drift-related tokens as compromised: Given the scope of the incident, the safest approach is to treat any authentication tokens stored in or connected to the Drift platform as potentially compromised.
Audit third-party application logs: The most direct way to check for impact is to search the audit logs of any application integrated with Drift for malicious activity. You should search for suspicious queries or access patterns originating from the IP addresses and User-Agent strings in the IOC table above.
Review Salesforce authentication and API logs: Specifically, within Salesforce, administrators should review authentication activity associated with the Drift Connected App and look for unusual RestApi Query events that query 500 or more records.
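The log review described in the "Search logs for malicious activity" step and again just above comes down to three checks per API event: known User-Agent, known source IP, and a Query from the Drift connected app returning 500 or more rows. The following is an added example that implements those checks over a JSON-lines export, not code from the original article or from Salesforce, Google or UpGuard. The field names (EventDate, SourceIp, UserAgent, Application, Operation, RowsProcessed) are modelled on Salesforce's ApiEvent object but are an assumption; map them to whatever your Event Monitoring export actually uses. The Drift app label and the four log lines are constructed for the demo.

```python
"""Flag Salesforce API activity matching the Salesloft Drift IOCs.

Added example, not part of the original article. Field names are an
assumption modelled on Salesforce ApiEvent; the sample log lines and the
connected-app label are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Iterable

# User-Agent strings from the article's IOC table.
IOC_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}
# Source IPs from the article's IOC table (DigitalOcean, AWS, Tor exits).
IOC_IPS = {
    "208.68.36.90", "44.215.108.109", "154.41.95.2", "176.65.149.100",
    "179.43.159.198", "185.130.47.58", "185.207.107.130",
    "185.220.101.133", "185.220.101.143", "185.220.101.164",
    "185.220.101.167", "185.220.101.169", "185.220.101.180",
    "185.220.101.185", "185.220.101.33", "192.42.116.179",
    "192.42.116.20", "194.15.36.117", "195.47.238.178", "195.47.238.83",
}
# Threshold from the article: Query events returning 500+ rows are unusual for Drift.
BULK_ROW_THRESHOLD = 500
# Assumption: the label of the Drift connected app in your org.
DRIFT_APP_NAME = "Drift"


@dataclass
class Finding:
    timestamp: str
    reasons: list[str] = field(default_factory=list)


def analyze_event(event: dict) -> list[str]:
    """Return the reasons one API event is suspicious (empty list if clean)."""
    reasons = []
    if event.get("UserAgent") in IOC_USER_AGENTS:
        reasons.append(f"IOC user agent: {event['UserAgent']}")
    if event.get("SourceIp") in IOC_IPS:
        reasons.append(f"IOC source IP: {event['SourceIp']}")
    is_drift = event.get("Application") == DRIFT_APP_NAME
    if (is_drift and event.get("Operation") == "Query"
            and int(event.get("RowsProcessed", 0)) >= BULK_ROW_THRESHOLD):
        reasons.append(f"bulk Query via Drift app: {event['RowsProcessed']} rows")
    return reasons


def scan_log(lines: Iterable[str]) -> list[Finding]:
    """Run analyze_event over a JSON-lines export, keeping only flagged events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = analyze_event(event)
        if reasons:
            findings.append(Finding(event.get("EventDate", "?"), reasons))
    return findings


# Constructed sample export: recon, bulk exfiltration, a benign Drift call,
# and a large query from a different app that should not be flagged.
SAMPLE_LOG = """
{"EventDate":"2025-08-09T02:11:05Z","SourceIp":"208.68.36.90","UserAgent":"python-requests/2.32.4","Application":"Drift","Operation":"Query","RowsProcessed":1}
{"EventDate":"2025-08-17T23:40:12Z","SourceIp":"185.220.101.33","UserAgent":"Salesforce-Multi-Org-Fetcher/1.0","Application":"Drift","Operation":"Query","RowsProcessed":48213}
{"EventDate":"2025-08-17T23:41:30Z","SourceIp":"203.0.113.7","UserAgent":"Mozilla/5.0","Application":"Drift","Operation":"Query","RowsProcessed":12}
{"EventDate":"2025-08-18T08:00:00Z","SourceIp":"203.0.113.9","UserAgent":"SalesforceMobileSDK","Application":"Salesforce for iOS","Operation":"Query","RowsProcessed":900}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f.timestamp, "; ".join(f.reasons))
```

The bulk-row rule is scoped to the Drift app on purpose: large queries from other integrations are normal, and the point of the check is that Drift's own traffic was small until the attacker used its token. Treat the two generic library User-Agents as corroborating rather than conclusive on their own.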
Why is this an important issue for vendor risk management?
This incident is a key lesson in third-party risk. The attacker's entry point was the vendor's GitHub account, which they then used to pivot to a related but separate application (Drift). This highlights the need to scrutinize the security of all platforms a vendor operates, not just their main product.
The Salesloft Drift incident highlights several crucial issues for Vendor Risk Management:
Risk Concentration: The attack exposed the systemic risk created when many organizations rely on a central platform like Salesforce. When a single, widely used application integrated with that platform (in this case, Drift) is compromised, it creates a single point of failure with a massive blast radius, affecting numerous companies simultaneously, much as the CrowdStrike outage showed for availability.
Inherent trust is a bad habit: The attack's effectiveness relied on the inherent trust that organizations place in their third-party integrations. By hijacking legitimate OAuth tokens, the attackers could impersonate the Drift application, allowing their malicious data exfiltration queries to blend in with regular API traffic and bypass traditional security tools.
Identity risk is the new perimeter: The breach underscores that identity compromise is among the most pressing risks in SaaS environments. The attackers did not need to exploit a technical vulnerability in Salesforce; they simply needed to acquire valid credentials — OAuth tokens issued through a normal authorization flow. This demonstrates that an organization's security is no longer defined by its network perimeter but by the security of all identities and applications with access to its data.
Everyone is at risk: The list of confirmed victims includes major technology providers and even prominent cybersecurity vendors like Cloudflare, Palo Alto Networks, and Zscaler. This proves that even organizations with mature security programs are susceptible to supply chain attacks, making rigorous third-party cyber risk management a critical pillar for all cybersecurity programs.
How to ensure you are protected against similar future attacks
Protecting your organization from similar supply chain attacks requires a proactive, defense-in-depth approach focused on managing third-party application risk.
Enforce the Principle of Least Privilege: A critical first step is to ensure that all third-party integrations, including Drift, are granted only the minimum necessary permissions to perform their intended function. Avoid assigning overly permissive scopes like "api" or "full access" to connected applications. If an attacker had compromised a token with fewer privileges, the potential for significant data loss would have been greatly reduced.
Implement strict access controls: Configure connected applications to only allow access from trusted IP ranges. This single control prevented the attackers from accessing Okta's Salesforce instance. You should also limit API access to only authorized users through the use of dedicated Permission Sets rather than enabling it by default on broad user profiles.
Assume breach and rotate credentials: As a matter of policy, immediately revoke and rotate all credentials, API keys, and authentication tokens for any application connected to a compromised third-party service. Any sensitive data or credentials that a customer may have shared with a vendor (e.g., in a support ticket) should be considered compromised and rotated immediately.
Integrate AI into your third-party risk program: Traditional vendor monitoring struggles to keep pace with the rapidly expanding digital supply chain. Integrating AI into your TPRM workflow bridges this critical visibility gap, making it possible to track changes to each critical vendor's security profile in real time.
How UpGuard is helping customers respond to the Salesloft Drift breach
UpGuard has shipped a number of updates to help its customers rapidly respond to the Salesloft Drift supply chain attack:
Immediate Salesloft Drift visibility
Customers can now instantly see their exposure to Salesloft Drift wherever it appears in their IT ecosystem, as a detected product in their domain network via Breach Risk, and as a fourth-party vendor via Vendor Risk.
Salesloft Drift breach alert in UpGuard's incidents and news feed.
Salesloft Drift detected as a fourth-party vendor on the UpGuard platform.
Salesloft post-incident impact questionnaire
This questionnaire helps teams quickly assess potential exposure to this incident, ensuring the right information is collected for a more in-depth impact analysis.
Customizable Salesloft post-incident impact questionnaire template on the UpGuard platform
How does UpGuard help security teams prepare for future incidents like this?
UpGuard provides specific capabilities to help security teams reduce the impact of future similar supply chain attacks:
Fourth-party identification: UpGuard detects relationships with your vendors' vendors (fourth parties), providing critical visibility into the entire digital supply chain to prevent security gaps from downstream providers.
Customizable questionnaires: The platform uses pre-built and customizable security questionnaires to conduct due diligence, ensuring that vendors meet your organization's specific security and reliability standards.
Vendor risk classification: UpGuard includes tools to classify vendors based on their level of access and potential risk, allowing security teams to focus their resources on the most critical third-party relationships.
Key document centralization for incident response: The platform offers a contract repository to store essential documentation, ensuring that response plans, service level agreements (SLAs), and liability information are easily accessible during an incident.