Salesforce–Salesloft Drift Attack Impacts Over 700 Organizations
A major supply chain attack has compromised data from hundreds of organizations worldwide

CYBER SYRUP

A major supply chain attack has compromised data from hundreds of organizations worldwide, highlighting the growing risks tied to third-party integrations. Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable are the latest to confirm exposure of information stored within their Salesforce environments due to the Salesforce–Salesloft Drift attack.
The incident came to light on August 26, when Google’s threat intelligence team revealed that a threat actor, tracked as UNC6395, exploited compromised OAuth tokens associated with the Salesloft Drift AI chatbot integration. This allowed the attackers to export large volumes of data from Salesforce instances.
Scope of the Attack
Initially, the attack was thought to impact only organizations using Drift. However, subsequent investigations revealed that the compromise extended beyond this integration, affecting other Salesforce customers as well as Google Workspace users. To date, more than 700 organizations are estimated to have been impacted, including several high-profile cybersecurity companies.
Targeted data included:
AWS access keys
Passwords
Snowflake access tokens
Customer and support data
Confirmed Organizational Impact
Proofpoint: Attackers accessed its Salesforce tenant via the Drift integration and viewed stored information. The company stressed that no customer-protected data, software, or internal systems were compromised.
SpyCloud: Confirmed exposure of standard CRM fields from its Salesforce data, but stated that consumer data was not accessed. Customers were notified of the breach.
Tanium: Attackers accessed Salesforce-stored data including names, email addresses, phone numbers, and regional details. No compromise of the Tanium platform or internal systems occurred.
Tenable: Reported exposure of support case information, such as business contact details and case subject lines. While no misuse has been detected, the company took proactive steps, including credential rotations, application removal, and enhanced monitoring.
Security Lessons and Takeaways
This campaign highlights a pressing issue: the risk of supply chain and third-party integration attacks. Even companies with strong internal defenses can be exposed if trusted external services are compromised. OAuth tokens, in particular, represent a sensitive attack vector, as they often allow persistent and wide-ranging access without raising immediate alarms.
Organizations should consider:
Auditing third-party integrations and removing those that are unnecessary.
Rotating credentials and tokens regularly.
Implementing strict monitoring of third-party access and automated alerts for unusual data export activity.
Testing incident response plans to ensure rapid detection and containment when a trusted vendor is exploited.
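One way to implement the export-monitoring recommendation above, as an added example (not code from the original article or from any vendor named in it): it baselines each integration's hourly row volume and the objects it normally reads, then flags volume spikes and first-time object access. The event schema, integration names, thresholds and sample events are constructed assumptions; map them to whatever API audit logs your platform provides.

```python
from collections import defaultdict
from statistics import median

# Constructed events in a hypothetical schema: (hour, integration, object, rows_returned)
BASELINE = [
    ("2025-01-06T09", "chat-integration", "Lead", 100),
    ("2025-01-06T09", "chat-integration", "Contact", 50),
    ("2025-01-06T10", "chat-integration", "Lead", 155),
    ("2025-01-06T11", "chat-integration", "Lead", 160),
    ("2025-01-06T12", "chat-integration", "Contact", 170),
    ("2025-01-06T13", "chat-integration", "Lead", 180),
    ("2025-01-06T09", "billing-sync", "Account", 900),
    ("2025-01-06T10", "billing-sync", "Account", 950),
    ("2025-01-06T11", "billing-sync", "Account", 1000),
]
TODAY = [
    ("2025-01-07T09", "chat-integration", "Lead", 140),
    ("2025-01-07T09", "billing-sync", "Account", 980),
    ("2025-01-07T03", "chat-integration", "Case", 25000),
    ("2025-01-07T03", "chat-integration", "User", 4000),
    ("2025-01-07T03", "chat-integration", "Lead", 150),
]

def build_profile(events):
    """Per integration: median/MAD of hourly row totals and the objects it normally reads."""
    hourly, objects = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for hour, app, obj, rows in events:
        hourly[app][hour] += rows
        objects[app].add(obj)
    profile = {}
    for app, per_hour in hourly.items():
        totals = list(per_hour.values())
        med = median(totals)
        mad = median(abs(t - med) for t in totals)
        profile[app] = {"median": med, "mad": mad, "objects": objects[app]}
    return profile

def detect(profile, events, k=6, floor=1000):
    """Return sorted alerts: unknown integration, object outside baseline, or volume spike."""
    alerts, hourly = set(), defaultdict(int)
    for hour, app, obj, rows in events:
        hourly[(hour, app)] += rows
        if app not in profile:
            alerts.add((hour, app, "unknown-integration", obj))
        elif obj not in profile[app]["objects"]:
            alerts.add((hour, app, "new-object", obj))
    for (hour, app), total in hourly.items():
        # Robust threshold: median + k*MAD, never below an absolute floor.
        if app in profile and total > max(
                floor, profile[app]["median"] + k * max(profile[app]["mad"], 1)):
            alerts.add((hour, app, "volume", total))
    return sorted(alerts)
```

The new-object check fires even when volume stays low, which matters when an integration's token is used to read data the integration itself never needed.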
Conclusion
The Salesforce–Salesloft Drift campaign underscores how modern enterprises face shared risks through interconnected ecosystems. While Proofpoint, SpyCloud, Tanium, and Tenable report no evidence of deeper compromise, the incident demonstrates the importance of zero-trust principles and continuous vigilance in safeguarding customer and organizational data.