The Salesloft Drift Security Incident


9/10/2025
WNC Labs

A Comprehensive Analysis of One of 2025's Largest Supply Chain Breaches

In August 2025, the cybersecurity world witnessed one of the most significant supply chain attacks in recent history, targeting hundreds of organizations through a compromised third-party integration. The Salesloft Drift incident, which ultimately affected over 700 companies including major cybersecurity firms like Cloudflare, Palo Alto Networks, Zscaler, and Proofpoint, serves as a stark reminder of the vulnerabilities inherent in our interconnected SaaS ecosystem.

What Happened: The Attack Timeline

The breach began much earlier than initially disclosed. According to investigations by Google's Mandiant incident response unit, threat actors first gained access to Salesloft's GitHub account between March and June 2025. During this extended period, the attackers conducted reconnaissance activities, downloaded content from multiple repositories, added guest users, and established workflows - all while remaining undetected for months.

The attack escalated in August when the threat group, tracked as UNC6395 by Google Threat Intelligence, began actively exploiting their access. Between August 8-18, 2025, the attackers systematically targeted Salesforce customer instances using compromised OAuth tokens associated with the Salesloft Drift third-party application.

Key Timeline:

  • March-June 2025: Initial GitHub account compromise and reconnaissance

  • August 8-18, 2025: Active exploitation phase targeting Salesforce instances

  • August 20, 2025: Salesforce and Salesloft disable all Drift integrations globally

  • August 26, 2025: Google Threat Intelligence publicly discloses the incident

  • September 6, 2025: Salesloft takes Drift completely offline for security review

The Root Cause: GitHub Compromise

The investigation revealed that the entire incident stemmed from a breach of Salesloft's GitHub account that went undetected for approximately six months. This timeline raises critical questions about the company's security monitoring capabilities and detection systems.

Once inside the GitHub environment, attackers were able to access Drift's Amazon Web Services (AWS) environment and obtain OAuth tokens for customer technology integrations. These tokens provided the attackers with legitimate, trusted access to customer systems, allowing them to bypass traditional security controls.

Attack Methodology and Impact

The sophistication of UNC6395's approach was particularly concerning. Rather than relying on malware or obvious intrusion techniques, the attackers leveraged legitimate credentials and API traffic that resembled normal Salesforce activity. This made detection extremely difficult using conventional security tools.

Attack Techniques:

  • OAuth Token Theft: Stealing authentication tokens that provided persistent access to customer environments

  • SOQL Query Exploitation: Running targeted Salesforce Object Query Language (SOQL) queries to extract sensitive data

  • Bulk Data Exfiltration: Systematically exporting large volumes of data from Salesforce objects including Accounts, Contacts, Cases, and Opportunities

  • Credential Harvesting: Actively scanning exfiltrated data for embedded secrets such as AWS keys, Snowflake tokens, and passwords

  • Anti-Forensics: Deleting query jobs after execution to hide evidence, though audit logs remained intact

Data Exposure and Affected Organizations

The breach exposed a wide range of sensitive information across hundreds of organizations. The stolen data included:

  • Customer Data: Names, email addresses, phone numbers, and business contact information

  • Support Case Content: Detailed troubleshooting notes and logs provided by customers

  • Embedded Secrets: AWS access keys, API tokens, passwords, and Snowflake credentials stored in support cases

  • Business Intelligence: Sales pipeline data, customer interactions, and proprietary business strategies
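Because the secrets UNC6395 harvested were sitting in plain text inside support cases, one mitigation is to scan and redact such values before a case is stored. The scanner below is an added example, not code from the page's author or any vendor named here; its patterns are illustrative heuristics, and the sample case text and every credential value in it are constructed placeholders.

```python
import re

# Illustrative patterns (assumption: not an exhaustive ruleset). Each has one
# capture group that holds the secret value itself.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    # Value may not start with "[" so an already-redacted marker is not re-flagged
    "password": re.compile(r"(?i)\bpassword\s*[=:]\s*([^\s\[]\S*)"),
}

# Constructed support-case text; every credential in it is a fabricated placeholder.
SAMPLE_CASE = """\
Hi, our sync job to Salesforce fails overnight. Config below:
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
snowflake: account=xy12345 user=etl password=Hunter2!pass
Thanks
"""

def redact_secrets(text):
    """Return (redacted_text, findings); findings is a list of (kind, secret).
    Only the secret value is replaced, so the surrounding config line stays readable."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        def _replace(match, kind=kind):
            secret = match.group(1)
            findings.append((kind, secret))
            return match.group(0).replace(secret, f"[REDACTED:{kind}]")
        text = pattern.sub(_replace, text)
    return text, findings

def case_is_clean(text):
    """Storage gate: True only when no pattern matches the case text."""
    return not any(p.search(text) for p in SECRET_PATTERNS.values())
```

Running the gate again on the redacted text confirms the markers themselves do not trigger the patterns, so a case can be checked idempotently on every edit.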

Major affected organizations publicly confirmed their involvement, including Cloudflare (which identified 104 exposed internal tokens), Palo Alto Networks, Zscaler, PagerDuty, Tenable, Proofpoint, and many others. The incident also extended beyond Salesforce, affecting Google Workspace accounts, Slack integrations, and other connected services.

Impact on Salesforce and Its Ecosystem

While Salesforce itself was not the source of the vulnerability, the incident highlighted critical risks in the platform's third-party integration ecosystem. The attack demonstrated how a single compromised integration could provide widespread access to customer data across the Salesforce platform.

Immediate Salesforce Response:

  • Coordinated with Salesloft to revoke all active Drift OAuth tokens on August 20, 2025

  • Removed the Drift application from the Salesforce AppExchange marketplace

  • Issued security advisories to affected customers

  • Implemented additional monitoring for similar threats

The incident exposed fundamental challenges in Salesforce's third-party app ecosystem, where thousands of integrated applications create an expanded attack surface. Organizations using Salesforce integrations faced difficult decisions about balancing functionality with security risk.

The Future of Salesloft Drift

Following the incident, Salesloft took decisive action to address the security concerns and rebuild trust with its customer base:

Immediate Actions:

  • Engaged Mandiant for comprehensive incident response and forensic investigation

  • Took Drift completely offline on September 5, 2025, for security review and rebuilding

  • Isolated Drift infrastructure and rotated all affected credentials

  • Implemented improved segmentation controls between Salesloft and Drift applications

Long-term Implications: Salesloft announced that Drift would remain offline "temporarily" to allow for comprehensive security review and the implementation of additional resiliency measures. This extended downtime represents a significant business impact, as customers lose access to chatbot functionality and integration capabilities.

The incident has raised questions about Salesloft's security posture, particularly regarding the six-month detection delay for the initial GitHub compromise. The company faces the challenge of rebuilding customer trust while demonstrating improved security practices.

Recovery Efforts:

  • Salesforce has restored Salesloft platform integration (excluding Drift) as of September 7, 2025

  • Mandiant has verified containment and confirmed no ongoing threat actor presence

  • The company is working on comprehensive security improvements before bringing Drift back online

Broader Industry Implications and Lessons Learned

The Salesloft Drift incident represents more than just another data breach - it exemplifies the growing threat of supply chain attacks in the SaaS era. Several critical lessons emerge from this incident:

Supply Chain Vulnerability: The attack demonstrates how a single compromised vendor can create cascading effects across hundreds of organizations. Traditional security perimeters become meaningless when trusted integrations are compromised.

OAuth Token Security: The incident highlights the risks associated with OAuth tokens, which provide persistent access to integrated systems. Organizations must implement robust token management and monitoring practices.

Detection Challenges: The six-month detection delay for the initial compromise underscores the difficulty of monitoring distributed SaaS environments and the need for improved security monitoring capabilities.

Third-Party Risk Management: Organizations must reassess their approach to third-party risk management, implementing continuous monitoring and regular security assessments for all integrated applications.

Prevention and Mitigation Strategies

Based on the lessons learned from this incident, organizations should implement comprehensive strategies to prevent similar attacks:

Technical Controls:

  • Implement continuous monitoring of OAuth tokens and API activity

  • Deploy SaaS Security Posture Management (SSPM) solutions to monitor third-party integrations

  • Establish baseline behaviors for integrated applications and alert on anomalies

  • Regularly audit and rotate OAuth tokens and API credentials
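As an added illustration (not code from WNC Labs, Salesforce, Salesloft or Mandiant), the check below applies the "baseline behaviors and alert on anomalies" control to the techniques listed under Attack Techniques: it reads constructed API audit records in a simplified, hypothetical shape (not Salesforce's real event log schema), compares each connected app's queried objects and row volumes against a per-app baseline, flags query-job deletions, and names the apps whose tokens a responder would revoke first.

```python
import json

# Constructed sample records in a simplified, hypothetical audit-log shape
# (not Salesforce's real event log schema): one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-08-09T02:11:05Z","app":"Salesloft Drift","op":"bulk_query","object":"Account","rows":1200000}
{"ts":"2025-08-09T02:14:40Z","app":"Salesloft Drift","op":"bulk_query","object":"Contact","rows":3400000}
{"ts":"2025-08-09T02:20:02Z","app":"Salesloft Drift","op":"bulk_query","object":"Case","rows":850000}
{"ts":"2025-08-09T02:31:17Z","app":"Salesloft Drift","op":"delete_query_job","object":"Case","rows":0}
{"ts":"2025-08-09T08:00:00Z","app":"Salesloft Drift","op":"query","object":"Lead","rows":40}
{"ts":"2025-08-09T08:05:00Z","app":"Reporting Tool","op":"bulk_query","object":"Opportunity","rows":20000}
"""

# Per-app baseline (constructed): the objects each integration is expected to
# read and the largest row count a single job normally returns.
BASELINE = {
    "Salesloft Drift": {"objects": {"Lead", "Contact"}, "max_rows": 5000},
    "Reporting Tool": {"objects": {"Opportunity", "Account"}, "max_rows": 100000},
}

def find_anomalies(log_text, baseline):
    """Return (timestamp, app, reason) for each record outside its app's baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        app, ts = rec["app"], rec["ts"]
        profile = baseline.get(app)
        if profile is None:
            findings.append((ts, app, "connected app has no baseline"))
            continue
        if rec["op"] == "delete_query_job":
            # Removing finished jobs is the anti-forensic step the write-up
            # describes; the audit record of the deletion itself survives.
            findings.append((ts, app, "query job deleted"))
        elif rec["op"] in ("bulk_query", "query"):
            if rec["object"] not in profile["objects"]:
                findings.append((ts, app, f"unexpected object {rec['object']}"))
            if rec["rows"] > profile["max_rows"]:
                findings.append((ts, app, f"{rec['rows']} rows exceeds baseline"))
    return findings

def apps_to_revoke(findings, threshold=3):
    """Apps with at least `threshold` findings: candidates for OAuth token revocation."""
    counts = {}
    for _, app, _ in findings:
        counts[app] = counts.get(app, 0) + 1
    return sorted(app for app, n in counts.items() if n >= threshold)
```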

Organizational Measures:

  • Conduct regular third-party risk assessments and security audits

  • Implement vendor risk scoring and continuous monitoring programs

  • Establish clear incident response procedures for supply chain compromises

  • Require security certifications and compliance standards from vendors

Policy and Governance:

  • Develop comprehensive third-party integration policies

  • Implement zero-trust principles for all SaaS integrations

  • Establish clear data classification and handling requirements

  • Require regular security reporting from integrated vendors

The Salesloft Drift incident serves as a watershed moment for SaaS security, highlighting the critical need for organizations to rethink their approach to third-party risk management and supply chain security. As the investigation concludes and Drift remains offline for security improvements, the broader industry must grapple with the fundamental challenges of securing interconnected SaaS ecosystems.

The incident's impact extends far beyond the immediate victims, serving as a stark reminder that in our interconnected digital world, security is only as strong as the weakest link in the supply chain. Organizations must invest in comprehensive security monitoring, robust vendor management, and proactive threat detection to protect against similar attacks in the future.
