Salesloft “Drift” Supply Chain Attack: What Happened, Who’s Affected, and How to Respond

Salesloft data breach

Between August 8–18, 2025, attackers abused compromised OAuth tokens associated with Salesloft’s Drift app to access and export data from hundreds of customers’ Salesforce orgs. Confirmed victims include Cloudflare, Zscaler, and Palo Alto Networks; Google reports a limited Workspace impact for a very small number of accounts specifically integrated with Drift. Salesloft has taken Drift offline and customers are being instructed to re-authenticate/revoke tokens. The stolen data appears to be largely CRM case and contact information, not product systems, but the phishing and social-engineering risk is high. SecurityWeekThe Cloudflare Blog The Hacker News Google Cloud

What we know so far (high-confidence facts)

  • Vector: Theft and misuse of OAuth tokens tied to the Drift integration, enabling API access to connected Salesforce instances. Salesloft has taken Drift offline and advised customers to re-authenticate to invalidate tokens.

  • Window of activity: Most compromises occurred Aug 8–18, 2025.

  • Confirmed organizations: Public disclosures include Cloudflare, Zscaler, and Palo Alto Networks; all three say impacts were confined to Salesforce/CRM data (support cases, business contact details, sales/account metadata). SecurityWeek

  • Google’s statement: A threat actor accessed a very small number of Google Workspace mailboxes only where customers had explicitly integrated those accounts with Drift; there is no indication of broader Workspace compromise. Google Cloud

  • Cloudflare’s details: Exposure was limited to Salesforce case objects (support tickets and related data) between Aug 12–17, following reconnaissance on Aug 9. No product systems impacted. The Cloudflare Blog

  • Root cause status: The initial access pathway into Drift remains unconfirmed as of today; investigation is ongoing. CyberScoop

Why this matters

This incident underscores a persistent blind spot in SaaS security: OAuth tokens and connected apps sit at the trust core of cloud-to-cloud integrations. When a widely used integration is compromised, blast radius extends to every tenant that granted it scopes—even with MFA and SSO in place, because token-based access often bypasses interactive login. Attackers then weaponize CRM data to launch credible phishing/vishing and business email compromise (BEC). Cybersecurity Dive

Likely data at risk

Public victim reports consistently point to business contact info, support case content, and sales/account metadata housed in Salesforce. In at least one disclosure, attachments/files were not included, but plain-text case content was. Treat all exposed contact data as fuel for targeted social-engineering. The Cloudflare Blog The Hacker News

Immediate actions for security and Salesforce admins

  1. Kill suspect tokens, then rotate:

    • In Salesforce, revoke all OAuth tokens granted to Drift (and any Salesloft/Drift connected apps), then re-authenticate only when vendor guidance says it’s safe.

    • Rotate any API keys, connected-app secrets, and integration user passwords used alongside Drift/Salesloft.

  2. Hunt for abuse (Aug 8–18 focus):

    • Review Login History, Setup Audit Trail, and Event Monitoring logs for unusual API volume, data export jobs, bulk queries, and access from new IPs tied to your integration user(s).

    • Cross-check for SOQL queries or Report exports that enumerate contacts/leads/cases at abnormal scale.

  3. Tighten scopes & access paths:

    • Minimize Drift/connected-app scopes to the least privileges required.

    • Bind integration users to IP allowlists, session policies, and transaction security rules in Salesforce.

  4. High-risk user comms:

    • Notify customer-facing teams that phishing and vishing is expected to increase; provide validated callback paths and challenge phrases for sensitive requests (wire changes, license updates, portal resets).

    • If regulatorily required, assess breach notification obligations by jurisdiction.

  5. SIEM & detections:

    • Add rules for anomalous API spikes from connected apps, report/data export surges, and off-hours access by integration users.

    • Track newly issued refresh tokens and token reuse from new ASNs/regions.

(These steps align with patterns disclosed by victims and investigators to date.) The Cloudflare Blog SecurityWeek CyberScoop

Medium-term hardening (SaaS & OAuth)

  • Inventory and rank all connected apps across your SaaS estate (Salesforce, Google Workspace, Slack, etc.). Enforce a register-to-run policy for third-party integrations.

  • Short-lived tokens and continuous re-auth for high-risk scopes; prefer service-to-service auth with narrow scopes over broad user-delegated grants.

  • Conditional access for tokens where supported (IP ranges, device posture, geo).

  • Integration users: unique per-app, read-only where possible, no admin perms, and separated by business unit to reduce lateral data exposure.

  • Event Monitoring SKUs (or equivalent): budget for them—you can’t defend what you can’t see.

  • Playbook for token theft: scripted bulk revocation, secret rotation, scope re-grant, and customer comms.

Indicators & signals worth checking in Salesforce

  • Connected App OAuth Usage: unexpected surges via Drift or unknown client IDs.

  • Report / Data Export Jobs: new or modified subscription reports, mass Data Loader actions, or API‐driven bulk query patterns.

  • Login Geo/ASN shifts for integration users during Aug 8–18.

  • Support Case Access at scale by non-human users.

(Exact values vary per tenant; use Event Monitoring logs and your SIEM to baseline and compare.)

Sources & further reading

  • Salesloft takes Drift offline; OAuth token abuse confirmed, hundreds affected. The Hacker News

  • Cloudflare post-mortem: exposure limited to Salesforce case objects; timeline Aug 9-17. The Cloudflare Blog

  • SecurityWeek roundup: Cloudflare, Palo Alto Networks, Zscaler confirm Salesforce impacts from the Salesloft Drift campaign (Aug 8-18). SecurityWeek

  • Google Threat Intelligence: limited Workspace mail access only for accounts explicitly integrated with Drift; broader Workspace unaffected. Google Cloud

  • CyberScoop: root cause still unconfirmed; investigation ongoing. CyberScoop

Need help?

If you use Salesforce or have Drift/Salesloft integrations anywhere in your stack, Pablosec can run a rapid SaaS compromise assessment, execute token revocation & secret rotation, and deploy detections for ongoing monitoring.

Similar Posts

NEED OUR SERVICES?

Contact Us Today!

Your content goes here. Edit or remove this text inline or in the module Content settings. You can also style every aspect of this content in the module Design settings and even apply custom CSS to this text in the module Advanced settings.

+0123 456 789