The Salesloft Drift data breach: what happened?
23rd September 2025
Discover how one attack impacted over 700 organisations.
In August of 2025, Salesloft – a company that provides tools to help sales teams manage relationships with their customers – had their Drift product targeted by a cyber attack, impacting all the companies using it, but particularly Salesforce.
Salesloft Drift is an AI-powered chatbot that these companies had enabled on their websites to talk to visitors and help convert them into customers. Hackers managed to steal OAuth tokens (think of them like your personal keycards, but for getting into apps) from Drift, allowing them to access hundreds of companies’ Salesforce data and other connected services.
The cyber criminals, tracked as UNC6395, then logged in to Salesforce and other applications as if they were genuine users, running queries to extract data, searching for credentials to launch further attacks and deleting logs to avoid detection.
Salesforce and Google have much more robust security, so instead of attacking them directly, bad actors targeted Drift: third-party integrations often have a lot of access to important data, but without the same security in place.
Customer support tickets, contact details, AWS access keys, VPN credentials and Snowflake database tokens were all stolen by the attackers. Initially it was believed that only Salesforce was impacted, but it now seems that any platform connected to Drift was affected (Google Workspace, Slack, Amazon S3, and Microsoft Azure).
Here are some of the companies that were impacted (there were over 700 in total):
· Cloudflare – data was accessed, including 104 API tokens
· Zscaler – contact info and support case content stolen
· Palo Alto Networks – internal case details leaked
· SpyCloud, Tanium, PagerDuty – Salesforce data compromised
· Google – some Workspace accounts accessed
· Adidas, Allianz Life, Qantas – victims of related social engineering attacks
As a result, more questions have been raised about the quality of security in third-party applications, as they are so often the vulnerability in the chain. Furthermore, the credential theft may lead to stolen keys and passwords being used elsewhere, and targeted phishing attacks may be launched against users whose details were leaked.
In response, Salesloft have revoked all Drift tokens, removing Drift from Salesforce’s AppExchange, and Salesforce itself has disabled all Drift integrations. Companies like Cloudflare rotated all credentials and launched incident response teams, while others like Google are investigating the root cause of the hack.
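Because AWS access keys, VPN credentials and database tokens were taken from support case data, rotation starts with knowing which secrets sit in your own case text. The Python below is an added example, not code from the original article or from any vendor named in it; the patterns, the function names `scan_cases` and `redact`, and the sample cases are assumptions constructed for illustration.

```python
import re

# Heuristic patterns (assumptions for this example, not an exhaustive rule set).
PATTERNS = {
    # AWS access key IDs: 20 characters, long-term (AKIA) or temporary (ASIA).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A credential keyword followed by ':' or '=' and a value of 6+ characters.
    "keyword_secret": re.compile(
        r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*(\S{6,})"
    ),
}


def redact(value):
    """Keep only the first four characters so the report never repeats the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases):
    """Return (case_id, kind, redacted_value) for each unique secret per case."""
    findings = []
    seen = set()
    for case_id, text in cases:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                # Use the last capture group if the pattern has one, else the whole match.
                value = match.group(match.lastindex or 0)
                if (case_id, value) in seen:
                    continue  # same secret already reported for this case
                seen.add((case_id, value))
                findings.append((case_id, kind, redact(value)))
    return findings


# Constructed sample export; the key ID is the example value from AWS documentation.
SAMPLE_CASES = [
    ("CASE-001", "Customer cannot upload. They pasted AKIAIOSFODNN7EXAMPLE into the ticket."),
    ("CASE-002", "VPN setup question. Config shared: password = Tr0ub4dor&3xample"),
    ("CASE-003", "Billing address change request, no attachments."),
]

if __name__ == "__main__":
    for case_id, kind, value in scan_cases(SAMPLE_CASES):
        print(f"{case_id}\t{kind}\t{value}")
```

Every case ID in the output points at a credential to rotate, whether or not there is evidence it was used.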
Were you impacted by the Salesloft Drift breach? If so, please contact Interfuture Security and see if we can help you.
YouTube: https://youtu.be/eMxqF958j0Q