Overview

In August 2025, a major cyberattack targeted Salesloft’s Drift platform, with wide-ranging consequences for organisations relying on its Salesforce integration. The attackers abused OAuth tokens issued to the Drift–Salesforce integration, which granted them access to customers' Salesforce instances and exposed sensitive customer and business data. Confirmed victims now include Cloudflare, Palo Alto Networks, Zscaler, SpyCloud, Tanium, and Google, with breaches affecting Salesforce and Workspace accounts.

The threat group UNC6395, identified by Google Threat Intelligence, is linked to the incident, while the group ShinyHunters has also claimed responsibility. Attackers used the compromised OAuth tokens to query Salesforce data directly, extracting contacts, opportunities, and in some cases credentials and API tokens for cloud platforms.

  • Cloudflare: Core infrastructure remained secure. API tokens tied to Salesforce were rotated as a precaution.
  • Palo Alto Networks: Reported theft of business contacts, internal sales records, and support case details. Drift integrations have been disabled.
  • Zscaler: Customer names, emails, job titles, and license details accessed. No files or attachments were exposed. Tokens and APIs have since been rotated.
  • SpyCloud and Tanium: Confirmed impact, with further details under investigation.
  • Okta: Blocked attempted access through existing security measures, including inbound IP restrictions.

Salesloft has since taken Drift offline while working with Mandiant, Google Cloud IR, and Coalition to investigate. This incident highlights the significant risks tied to SaaS-to-SaaS integrations and the critical need for stronger oversight of third-party applications.

Affected systems include:

  • Salesforce CRM: Support cases and customer data exposed through OAuth exploitation.
  • Salesloft & Drift platforms: Entry point for attackers leveraging OAuth integrations.
  • API tokens & credentials: Keys for AWS, Snowflake, and other connected services at risk of compromise.

Recommended Remediations

ctrl:cyber strongly recommends the following actions:

  1. Disconnect Salesloft Integrations
    Immediately disable all Salesloft/Drift integrations with Salesforce or other platforms until vendor remediation is complete.
  2. Rotate Credentials and Tokens
    Reset all Salesforce-linked OAuth tokens, API keys, and secrets. Extend rotations to cloud platforms such as AWS, Snowflake, and Google Workspace if they were integrated.
  3. Audit Third-Party Access
    Review all connected apps for anomalous activity or bulk exports. Remove unused integrations and enforce least-privilege access for those that remain.
  4. Review Vendor Communications
    Examine past Salesforce and vendor support cases for any exposed sensitive data (API keys, configuration details, or credentials).
  5. Enhance Monitoring
    Increase logging and alerting around OAuth usage, API queries, and bulk exports. Investigate downstream systems for signs of lateral movement.
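Steps 3 to 5 above amount to a hunt over connected-app activity and past support cases. The script below is an added example, not ctrl:cyber's tooling and not Salesforce or Salesloft code: it flags a connected app that reads unusually large volumes of sensitive objects or calls in from an IP outside its known allow-list, and scans support case text for credential-like strings. The event fields, the sample events, the IP allow-list and the case bodies are all constructed for the example; the secret patterns are heuristics (only the AWS access key ID prefix is a documented public format).

```python
"""Hunt for abused OAuth connected apps and credentials pasted into support cases.
Added example; event schema and sample data are assumptions, not a real log format."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    """One API access record from a connected app (fields are assumed, modelled
    loosely on a Salesforce API event; not a real log schema)."""
    timestamp: str
    connected_app: str
    user: str
    source_ip: str
    sobject: str      # Salesforce object queried, e.g. "Case"
    rows: int         # rows returned by the call


# Constructed sample events: a known integration suddenly reading large volumes of
# Case/Account records from an IP it has never used before.
CONSTRUCTED_EVENTS = [
    ApiEvent("2025-08-08T10:00:00Z", "Drift", "integration@corp.example", "203.0.113.10", "Contact", 200),
    ApiEvent("2025-08-08T10:05:00Z", "Drift", "integration@corp.example", "198.51.100.7", "Case", 5000),
    ApiEvent("2025-08-08T10:06:00Z", "Drift", "integration@corp.example", "198.51.100.7", "Account", 3000),
    ApiEvent("2025-08-08T10:07:00Z", "Drift", "integration@corp.example", "198.51.100.7", "User", 400),
    ApiEvent("2025-08-08T11:00:00Z", "Marketing Sync", "svc-mkt@corp.example", "203.0.113.20", "Lead", 150),
]

# Per-app source-IP allow-list (constructed). Real values come from the vendor's
# published egress ranges or from your own observed baseline.
KNOWN_SOURCE_IPS = {
    "Drift": {"203.0.113.10"},
    "Marketing Sync": {"203.0.113.20"},
}

SENSITIVE_OBJECTS = {"Account", "Case", "Contact", "Opportunity", "User"}
BULK_ROW_THRESHOLD = 1000  # tune to each app's normal daily volume


def flag_bulk_reads(events, threshold=BULK_ROW_THRESHOLD):
    """Return (app, sObject) pairs where an app read >= threshold rows of a
    sensitive object across the window. Summing across calls catches an export
    split into many modest pages as well as a single large query."""
    totals = defaultdict(int)
    for e in events:
        totals[(e.connected_app, e.sobject)] += e.rows
    return sorted(k for k, n in totals.items()
                  if n >= threshold and k[1] in SENSITIVE_OBJECTS)


def flag_new_source_ips(events, known_ips=KNOWN_SOURCE_IPS):
    """Return (app, ip) pairs for calls from an IP outside the app's allow-list.
    An app with no allow-list entry is reported for every IP it uses."""
    seen = set()
    for e in events:
        if e.source_ip not in known_ips.get(e.connected_app, set()):
            seen.add((e.connected_app, e.source_ip))
    return sorted(seen)


# Heuristic patterns for credentials that tend to end up pasted into support cases.
# The AWS access key ID prefix is a public format; the others are generic heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

# Constructed support cases; the key and password are fake placeholders.
CONSTRUCTED_CASES = [
    ("CASE-0001", "Integration failing. Key: AKIAEXAMPLEKEY000001 worked last week."),
    ("CASE-0002", "Customer asks about licence renewal dates."),
    ("CASE-0003", "Snowflake connector error after we set password=Hunter2Hunter2"),
]


def find_exposed_secrets(cases):
    """Scan (case_id, text) pairs and return (case_id, pattern_name, redacted_match).
    Only the first four characters of a hit are kept so the report itself does
    not become another copy of the secret."""
    hits = []
    for case_id, text in cases:
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append((case_id, name, m.group(0)[:4] + "..."))
    return hits


if __name__ == "__main__":
    print("bulk reads     :", flag_bulk_reads(CONSTRUCTED_EVENTS))
    print("unexpected IPs :", flag_new_source_ips(CONSTRUCTED_EVENTS))
    print("exposed secrets:", find_exposed_secrets(CONSTRUCTED_CASES))
```

Run against real data, the three functions would be fed from the platform's API event logs and a case export respectively; the row threshold and allow-list should be set per app from a baseline taken before the incident window, and every hit from `find_exposed_secrets` is a credential to rotate under step 2 regardless of whether the case was ever read by the attackers.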

Sources: ITPro – Salesforce customers warned after Salesloft Drift attack, TechRadar – Palo Alto Networks impact, ITPro – Zscaler confirms breach, TechRadar – Google warns of Workspace compromise.