In August 2025, a supply-chain attack through Salesloft/Drift exposed Salesforce data from more than 700 customer organizations. Salesforce removed Drift from its AppExchange. FINRA issued a formal cybersecurity alert to all member firms. If your organization used Drift or Salesloft with a Salesforce integration, this post covers what you need to know.
On August 20, 2025, Salesforce quietly removed Drift from its AppExchange marketplace. No announcement. No press release. Just a product disappearing from one of the largest enterprise software ecosystems in the world.
A few weeks later, the full picture emerged. Mandiant - Google's threat intelligence team - published a detailed technical report: a threat actor group designated UNC6395, also tracked as GRUB1, had conducted a sophisticated supply-chain attack against Salesloft's development infrastructure, then pivoted into Drift's customer environment and systematically extracted Salesforce data from over 700 organizations.
This post covers what happened, what was taken, who was affected, and - most importantly - what questions you should be asking every SaaS vendor you connect to your CRM.
What Happened: A Supply-Chain Attack in Three Stages
Stage 1: GitHub Compromise (March–June 2025)
The attack began not with Drift, and not with Salesforce. It began with Salesloft's GitHub repository. Between March and June 2025, UNC6395 gained persistent access to Salesloft's GitHub account. For approximately three months, the attackers maintained this access without detection - studying the codebase, understanding the architecture, and planning the next phase.
Stage 2: AWS Pivot and Token Theft (August 8–18, 2025)
In August, the attackers moved from GitHub into Drift's AWS cloud environment. Once inside, they targeted one specific asset: OAuth tokens. Drift's Salesforce integration used these tokens to authenticate on behalf of customer organizations - a standard integration pattern used across thousands of SaaS products.
The attackers stole these tokens and used them to impersonate Drift's legitimate service account. Because the tokens were valid, the requests looked like ordinary Drift integration traffic and bypassed Salesforce's MFA protections entirely (MFA is enforced at interactive login, not on API calls made with an already-issued token). Between August 8 and 18, they used Salesforce's Bulk API 2.0 to programmatically export data from over 700 customer Salesforce organizations. The exports took minutes per organization. Once complete, the attackers deleted the query job records to cover their tracks.
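The export-then-delete pattern above is something a defender can look for in their own audit trail. The following is an added example, not code from the post, from Salesforce, or from Mandiant: it parses a constructed log of Bulk API 2.0 job lifecycle events (the line format, app names and job ids are hypothetical) and flags jobs that a connected app deleted shortly after they finished, alongside the number of rows each app pulled.

```python
"""Added example (not code from the post, Salesforce, or Mandiant).

Detects the export-then-delete pattern: a connected app creates a Bulk API 2.0
query job, pulls a large result set, and deletes the job record shortly after.
The log format below is constructed for this demo; in a real org the same
fields would come from Salesforce Event Monitoring or your SIEM.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class JobEvent:
    ts: datetime
    app: str        # connected app whose OAuth token issued the request
    job_id: str
    action: str     # "create", "complete" or "delete"
    records: int    # rows returned; only set on "complete"


# Constructed sample log (hypothetical app names and job ids).
SAMPLE_LOG = """\
2025-08-12T03:14:07Z Drift-Integration job=J0001 create
2025-08-12T03:16:40Z Drift-Integration job=J0001 complete records=48213
2025-08-12T03:17:02Z Drift-Integration job=J0001 delete
2025-08-12T03:17:15Z Drift-Integration job=J0002 create
2025-08-12T03:19:01Z Drift-Integration job=J0002 complete records=51190
2025-08-12T03:19:20Z Drift-Integration job=J0002 delete
2025-08-12T09:00:00Z Nightly-ETL job=J0003 create
2025-08-12T09:30:00Z Nightly-ETL job=J0003 complete records=9000
2025-08-19T09:00:00Z Nightly-ETL job=J0003 delete
"""


def parse_log(text: str) -> list[JobEvent]:
    """Parse one event per line: <iso-ts> <app> job=<id> <action> [records=<n>]."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        job_id = parts[2].split("=", 1)[1]
        action = parts[3]
        records = 0
        if len(parts) > 4 and parts[4].startswith("records="):
            records = int(parts[4].split("=", 1)[1])
        events.append(JobEvent(ts, parts[1], job_id, action, records))
    return events


def flag_fast_deletes(events: list[JobEvent],
                      max_age: timedelta = timedelta(hours=1)) -> dict:
    """Return jobs deleted within `max_age` of completing, plus rows per app.

    A legitimate integration rarely needs to remove a finished job record at
    once; an actor covering its tracks does. The threshold is a tunable guess.
    """
    completed: dict[str, JobEvent] = {}
    flagged: list[dict] = []
    rows_per_app: dict[str, int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "complete":
            completed[ev.job_id] = ev
            rows_per_app[ev.app] += ev.records
        elif ev.action == "delete" and ev.job_id in completed:
            done = completed[ev.job_id]
            gap = ev.ts - done.ts
            if gap <= max_age:
                flagged.append({"job_id": ev.job_id, "app": ev.app,
                                "records": done.records,
                                "seconds_to_delete": int(gap.total_seconds())})
    return {"flagged": flagged, "rows_per_app": dict(rows_per_app)}


if __name__ == "__main__":
    report = flag_fast_deletes(parse_log(SAMPLE_LOG))
    for hit in report["flagged"]:
        print(f"SUSPICIOUS {hit['app']} {hit['job_id']}: "
              f"{hit['records']} rows, deleted after {hit['seconds_to_delete']}s")
    print("rows exported per app:", report["rows_per_app"])
```

The one-hour threshold is a starting point, not a rule: tune it against what your own integrations actually do, and treat a burst of flagged jobs from a single connected app as the signal, not any one job.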
Stage 3: Discovery and Disclosure (August–September 2025)
Cloudflare was among the first major organizations to publicly disclose their exposure. In a September 2, 2025 blog post, Cloudflare confirmed that case subject lines, body text, and customer contact information had been stolen. More significantly: 104 Cloudflare API tokens were found embedded in stolen support case data - the kind of credentials that sometimes appear when customers paste error outputs or configuration snippets into support tickets.
FINRA issued a formal cybersecurity alert to all member firms in September 2025, advising immediate assessment of Salesloft/Drift integrations and rotation of all credentials.
What Was Stolen
The data varied by organization, but based on confirmed disclosures and Mandiant's analysis, common categories included:
- Business contact records: names, titles, email addresses, phone numbers
- Salesforce objects: Accounts, Contacts, Opportunities, and Cases
- In many cases: API keys, cloud service tokens, and passwords embedded in support case text fields
- For Cloudflare specifically: 104 API tokens found in stolen case content
Support cases are unusually dangerous data to expose. Customers routinely paste configuration files, error outputs, API responses, and troubleshooting output into support tickets - content that frequently contains credentials, tokens, and internal hostnames. Attackers who steal support case data often find credentials that open entirely separate systems.
Who Was Affected
More than 700 organizations had their Salesforce data accessed. Among the 40+ publicly confirmed victims:
- Cloudflare
- Palo Alto Networks
- Zscaler
- Proofpoint
- PagerDuty
- Workday
- Toast
- Fastly
- HackerOne
- Nutanix
- BeyondTrust
- Avalara
A dedicated tracking site at driftbreach.com maintained a running list of confirmed affected organizations throughout the disclosure period.
Why This Attack Pattern Matters Beyond Drift
The Drift breach is significant not just because of its scale, but because of its mechanism. UNC6395 didn't attack Salesforce directly. They didn't attack the 700 affected organizations directly. They attacked a vendor that those organizations trusted with OAuth access to their Salesforce environments.
This is the third-party risk problem in its most concrete form. Every SaaS tool you connect to your CRM, your data warehouse, your email, or your identity provider is a potential vector. The question isn't just "is Salesforce secure?" - it's "is every vendor I've granted OAuth access to as secure as I need them to be?"
WTW (Willis Towers Watson) described the incident as "a cybersecurity wake-up call" for third-party risk management. ProcessUnity published an analysis titled "Lessons from the Drift/Salesloft Breach: A Wake-Up Call for Third-Party Risk Management."
Six Questions to Ask Every Vendor You Grant CRM Access To
In the wake of this breach, your security team should be asking these questions - not just of Drift, but of every SaaS vendor connected to your Salesforce or CRM environment:
- How are OAuth tokens stored? Are they encrypted at rest? Who can access them within your infrastructure?
- What access controls exist on your GitHub/source code repositories? The Drift breach started with a GitHub compromise, not a production system intrusion.
- What is your security incident response timeline? How quickly do you detect an intrusion, and how long could one persist before you notice? (The Drift compromise persisted for roughly three months before it was found.)
- Do you have SOC 2 certification or audit in progress? This doesn't prevent all breaches, but it demonstrates a systematic security posture.
- Do you maintain audit logs of all data access? Post-incident forensics require this.
- What data do you actually need access to? Least-privilege principles apply to vendor integrations too.
Velaro's Salesforce and CRM integrations are built under SOC 2 compliance controls (audit in progress - documentation available under NDA). We maintain full audit logs of all integration access events. Role-based access controls limit what each integration can read or write. SSO/SAML integration with your identity provider means we rely on your access controls, not a separate credential store.
We're not claiming to be breach-proof. No vendor is. What we can tell you is that we've built security in as a first-class concern, not an afterthought - and we can show your infosec team the documentation to back that up within 24 hours.
What to Do If You Were Affected
If your organization used Drift or Salesloft with a Salesforce integration before August 2025, Mandiant's recommendations - corroborated by FINRA - were clear:
- Immediately revoke all OAuth tokens granted to Salesloft and Drift applications in your Salesforce environment
- Rotate all credentials that may have appeared in support case content - API keys, passwords, tokens, connection strings
- Audit your connected app list in Salesforce for any other third-party apps with broad Bulk API access
- Review case content for any historical tickets that may have contained sensitive credentials or configuration data
- File a notification with your data protection officer if EU/UK/California customer data was in the exposed Salesforce objects
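Two of the steps above, revoking and auditing connected-app tokens and reviewing historical case text for pasted credentials, lend themselves to a script. The following is an added example, not code from the post, Salesforce, Salesloft or Mandiant. The record layouts are assumptions modelled loosely on Salesforce's OauthToken and Case objects, the app names, users, scopes and case text are constructed, and the secrets in the sample cases are fake.

```python
"""Added example (not code from the post, Salesforce, Salesloft or Mandiant).

Two checks from the remediation list, run over constructed data:
  1. audit connected-app OAuth tokens, flagging Drift/Salesloft tokens for
     revocation and any other app holding broad API scopes for review;
  2. scan historical support-case text for credential-looking strings so the
     owners can rotate them.
Record layouts are assumptions modelled loosely on Salesforce's OauthToken and
Case objects; field names in your org may differ.
"""
from __future__ import annotations

import re

# Constructed token records (hypothetical apps, users and scopes).
OAUTH_TOKENS = [
    {"AppName": "Drift", "UserName": "integration@example.com",
     "Scopes": ["api", "refresh_token"], "UseCount": 4120},
    {"AppName": "Salesloft", "UserName": "sales@example.com",
     "Scopes": ["api", "refresh_token"], "UseCount": 980},
    {"AppName": "Nightly-ETL", "UserName": "etl@example.com",
     "Scopes": ["full"], "UseCount": 365},
    {"AppName": "Slack-Notifier", "UserName": "ops@example.com",
     "Scopes": ["chatter_api"], "UseCount": 12},
]

# Constructed support cases; the "secrets" below are fake demo values.
CASES = [
    {"CaseNumber": "00001001",
     "Description": "Upload fails. Config: aws_access_key_id = AKIAEXAMPLE000000001"},
    {"CaseNumber": "00001002",
     "Description": "Can't connect: postgres://svc:Hunter2pass@db.internal.example:5432/crm"},
    {"CaseNumber": "00001003",
     "Description": "Webhook returns 401 with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.demo.sig"},
    {"CaseNumber": "00001004",
     "Description": "Button colour is wrong on the checkout page."},
]

REVOKE_APPS = {"drift", "salesloft"}   # tokens the remediation list says to revoke
BROAD_SCOPES = {"api", "full", "web"}   # scopes broad enough to run Bulk API exports

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}=*"),
    "assignment": re.compile(
        r"(?i)\b(password|passwd|api[_-]?key|secret|token)\s*[:=]\s*\S{6,}"),
}


def audit_tokens(tokens: list[dict]) -> dict[str, list[str]]:
    """Sort tokens into revoke / review / ok buckets by app name and scope."""
    out: dict[str, list[str]] = {"revoke": [], "review": [], "ok": []}
    for t in tokens:
        if t["AppName"].lower() in REVOKE_APPS:
            out["revoke"].append(t["AppName"])
        elif BROAD_SCOPES & {s.lower() for s in t["Scopes"]}:
            out["review"].append(t["AppName"])
        else:
            out["ok"].append(t["AppName"])
    return out


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise which credential it is."""
    return value[:6] + "..." if len(value) > 6 else "***"


def scan_cases(cases: list[dict]) -> list[dict]:
    """Return one finding per (case, pattern, match) with the value redacted."""
    findings = []
    for case in cases:
        text = case.get("Description") or ""
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append({"case": case["CaseNumber"], "kind": name,
                                 "match": redact(m.group(0))})
    return findings


if __name__ == "__main__":
    for bucket, apps in audit_tokens(OAUTH_TOKENS).items():
        print(f"{bucket:>6}: {', '.join(apps) or '-'}")
    for f in scan_cases(CASES):
        print(f"case {f['case']}: {f['kind']} -> {f['match']}")
```

In a real org the two input lists would come from SOQL queries against OauthToken and Case rather than literals, and the findings would feed a rotation ticket per credential owner; the regexes are deliberately narrow, so extend them with the credential formats your own customers tend to paste.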
The Bigger Picture: Evaluating Chat Vendors After This Breach
For teams currently evaluating or replacing their conversational marketing and support platform, the Drift breach raises the bar for what "secure" means. Compliance documentation matters. Audit logs matter. How vendors handle GitHub access and production credential storage matters.
It also means "Drift is gone from AppExchange" is a real procurement blocker for organizations that require AppExchange certification. If your security or legal team needs to close that gap with a vendor that has documented security controls, a transparent compliance roadmap, and an audit log your team can actually review - that's worth a conversation.
Sources
- Google Cloud / Mandiant - "Data Theft from Salesforce Instances via Salesloft Drift"
- UpGuard - Salesloft Drift Breach Analysis
- FINRA - Cybersecurity Alert: Salesloft Drift AI Supply-Chain Attack
- Cloudflare - Response to Salesloft Drift Incident
- WTW - The Drift OAuth Breach: A Cybersecurity Wake-Up Call
- ProcessUnity - Lessons from the Drift/Salesloft Breach
- driftbreach.com - Breach tracking site
The Bottom Line
The Drift/Salesloft breach illustrates the supply-chain risk of granting broad CRM OAuth access to third-party SaaS tools. Any vendor with access to your contact database is a potential attack surface. Review your connected app permissions, apply least-privilege access, and choose vendors who can demonstrate SOC 2 Type II compliance and clear incident response timelines.
Frequently Asked Questions
What happened to Drift?
Drift, a conversational marketing platform acquired by Salesloft, was involved in a supply-chain security breach in late 2024. Attackers compromised Drift's OAuth tokens, which had broad access to customer CRM systems, and exfiltrated contact data from Drift's customers - including names, email addresses, and company information.
Was there a Drift data breach?
Yes. The Drift/Salesloft incident resulted in unauthorized access to customer contact data. Attackers used compromised OAuth tokens to access CRM systems connected to Drift across multiple affected organizations. The breach was confirmed by Salesloft and covered by Cloudflare, WTW, and cybersecurity researchers in late 2024 and early 2025.
Is Drift safe to use?
Following the incident, Salesloft issued security updates and revoked compromised tokens. Any business that had Drift connected to their CRM during the affected period should audit what data was accessible and review remaining OAuth permissions. Apply least-privilege access to any third-party tool with CRM integration as a general security practice.
What is the Drift and Salesloft security incident?
The Drift/Salesloft security incident was a supply-chain attack where threat actors compromised OAuth tokens that Drift used to connect to customer CRM platforms. The attack gave attackers read access to contact records across multiple organizations. It highlights the risk of granting broad CRM access to third-party SaaS tools without least-privilege controls.
What should I do if my company used Drift?
If your company used Drift during the affected period: revoke any remaining Drift/Salesloft OAuth connections in your CRM, audit which contact records were accessible, notify affected individuals if required under GDPR, CCPA, or other applicable regulations, and review all third-party app OAuth permissions in your CRM using a least-privilege review.
Security questions? We have answers.
Velaro's security team can walk your infosec reviewers through our architecture, controls, and compliance documentation - under NDA as part of an enterprise engagement.