A Salesloft Drift cyberattack has compromised the Salesforce environments of numerous organizations, exposing customer data and credentials in a growing software supply chain incident. Triggered by a compromise of OAuth tokens used in the Drift chatbot’s integration with Salesforce, the Salesloft Drift security breach has impacted companies across cybersecurity, cloud infrastructure, DevOps, and SaaS industries.
The Salesloft Drift cyberattack, which occurred between August 8–18, 2025, enabled threat actors to extract sensitive information from Salesforce instances using stolen authorization tokens. Google’s Threat Intelligence team identified the attacker as GRUB1, a threat group that systematically exploited the Salesloft Drift integration to conduct credential harvesting and metadata reconnaissance.
Cloudflare: ‘Failure in Vendor Oversight’
Cloudflare was among the most heavily impacted. Between August 12–17, the attacker accessed Cloudflare’s Salesforce case data using a compromised OAuth token issued to the Drift app. According to the company’s investigation, the attacker harvested metadata, ran queries against internal Salesforce objects, and eventually exfiltrated freeform customer support case text using Salesforce’s Bulk API 2.0.
Cloudflare’s internal tools later identified 104 exposed API tokens, all of which have since been rotated. The company acknowledged the breach as “a failure in third-party vendor oversight” and is now reevaluating its security policies around third-party integrations. Affected customers were contacted directly by September 2.
Dynatrace, Cato Networks, and Bugcrowd Affected
Dynatrace reported that the Salesloft Drift breach affected only its Salesforce CRM system, which is used for marketing purposes. Investigators confirmed that only limited business contact data was accessed. The company immediately deactivated Drift and involved third-party forensic experts. It emphasized that neither Dynatrace products nor infrastructure were affected.
Similarly, Cato Networks took immediate containment steps, revoking all Drift-related API access and launching an internal investigation. The data accessed was limited to case metadata and contact information. Cato’s threat intel unit, Cato CTRL, is monitoring the dark web for potential misuse, though no signs have surfaced yet.
Bugcrowd confirmed unauthorized access to its Salesforce environment but found no impact on vulnerability reports, customer data, or infrastructure. The company is collaborating with Salesforce and Salesloft to assess the full scope.
BeyondTrust and Zscaler: Proactive Revocation, No System Impact
BeyondTrust was alerted by Salesforce on August 22 and immediately revoked OAuth credentials and disabled Drift access. An internal investigation found no impact beyond Salesforce, and no customer data misuse has been detected.
Zscaler also acknowledged limited exposure of Salesforce data, including contact and licensing information. The company found no indication of misuse but continues to monitor closely.
PagerDuty and JFrog Respond
PagerDuty received a formal alert from Salesloft on August 20 confirming a compromise in the Drift OAuth flow. Investigators identified a few Salesforce cases that contained API keys. These keys were revoked, and affected customers were directly notified. PagerDuty advised all customers to rotate any credentials previously shared via Salesforce support cases.
JFrog reported potential unauthorized access on August 23. No misuse or broader compromise was found, but customers were advised to rotate any shared credentials as a precaution.
Nutanix and Elastic: Minimal Exposure
Nutanix confirmed that certain case metadata, like subject lines and descriptions, was accessed, but no file attachments or sensitive system data were involved. Elastic also reported limited access to business contact details stored in Salesforce, with no known misuse or impact on its operational environments.
GRUB1’s Attack Chain: Precision and Persistence
Cloudflare’s detailed forensics highlighted the attacker’s methodology:
- August 9: GRUB1 attempted to validate an API token via Salesforce.
- August 12–14: Unauthorized access began. The attacker enumerated Salesforce schemas and explored data structures.
- August 17: Using new infrastructure, GRUB1 executed a data exfiltration job via Salesforce Bulk API 2.0.
- August 20: Salesloft revoked all Drift OAuth credentials; Cloudflare had not yet received a formal alert.
- August 23–25: Salesforce and Salesloft formally notified customers, triggering mass revocations and internal containment across affected organizations.
Supply Chain Attack Landscape Intensifies
The Salesloft Drift security breach exemplifies the growing threat of supply chain attacks. According to Cyble, the rate of supply chain attacks has doubled since April 2025, now averaging 26 incidents per month. These attacks exploit the trust placed in third-party integrations, often bypassing internal security controls.
Cyble reported that at least 20 industries were affected in 2025 alone, and one ransomware group recently claimed to have exfiltrated data on 41,000 customers from a separate supply chain incident.
Security Takeaways from the Salesloft Drift Breach
The Salesloft Drift cyberattack exposes critical weaknesses in OAuth security and third-party risk management:
- OAuth tokens must be rotated frequently and tightly scoped.
- Third-party app access should be strictly limited and continuously audited.
- Organizations should centralize visibility into integrated platforms and enforce least privilege access.
- Rapid detection and revocation processes are vital to containing OAuth-related threats.
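The attack chain above (token validation, schema enumeration, then a Bulk API export from new infrastructure) is a sequence a defender can look for. The following is an added example, not code from the article or any of the companies named, that flags that pattern in a constructed audit trail; the event records, field names (`app`, `ip`, `event`, `obj`) and the threshold are assumptions for illustration and do not follow Salesforce's real Event Monitoring schema.

```python
"""Flag the token-validate / enumerate / bulk-export sequence in a
constructed audit trail. Field names are illustrative assumptions, not
Salesforce's real Event Monitoring schema."""
from collections import defaultdict

# Constructed audit events: one integration behaves like the chain in the
# article, a second performs a routine bulk export from its usual address.
EVENTS = [
    {"ts": "2025-08-09T10:00", "app": "chat-widget", "ip": "203.0.113.10", "event": "TOKEN_VALIDATE", "obj": ""},
    {"ts": "2025-08-12T09:00", "app": "chat-widget", "ip": "203.0.113.10", "event": "DESCRIBE", "obj": "Case"},
    {"ts": "2025-08-12T09:01", "app": "chat-widget", "ip": "203.0.113.10", "event": "DESCRIBE", "obj": "Account"},
    {"ts": "2025-08-13T11:30", "app": "chat-widget", "ip": "203.0.113.10", "event": "DESCRIBE", "obj": "Contact"},
    {"ts": "2025-08-13T11:31", "app": "chat-widget", "ip": "203.0.113.10", "event": "DESCRIBE", "obj": "User"},
    {"ts": "2025-08-14T08:15", "app": "chat-widget", "ip": "203.0.113.10", "event": "DESCRIBE", "obj": "CaseComment"},
    {"ts": "2025-08-17T02:40", "app": "chat-widget", "ip": "198.51.100.7", "event": "BULK_JOB_CREATE", "obj": "Case"},
    {"ts": "2025-08-10T06:00", "app": "crm-sync", "ip": "192.0.2.44", "event": "TOKEN_VALIDATE", "obj": ""},
    {"ts": "2025-08-10T06:05", "app": "crm-sync", "ip": "192.0.2.44", "event": "BULK_JOB_CREATE", "obj": "Account"},
]

ENUM_THRESHOLD = 5  # distinct objects described by one app before we call it enumeration


def detect(events, enum_threshold=ENUM_THRESHOLD):
    """Return (app, finding) tuples in chronological order."""
    findings = []
    described = defaultdict(set)   # app -> objects it has described so far
    seen_ips = defaultdict(set)    # app -> source IPs seen so far
    enumerators = set()            # apps already flagged for enumeration
    for ev in sorted(events, key=lambda e: e["ts"]):
        app, ip, kind = ev["app"], ev["ip"], ev["event"]
        if kind == "DESCRIBE":
            described[app].add(ev["obj"])
            if len(described[app]) == enum_threshold:
                enumerators.add(app)
                findings.append((app, f"schema enumeration: {enum_threshold} objects described by {ev['ts']}"))
        elif kind == "BULK_JOB_CREATE":
            # A bulk export from an address this app has never used before.
            if seen_ips[app] and ip not in seen_ips[app]:
                findings.append((app, f"bulk export of {ev['obj']} from new source {ip} at {ev['ts']}"))
            # A bulk export by an app that has just finished mapping the schema.
            if app in enumerators:
                findings.append((app, f"bulk export of {ev['obj']} after schema enumeration"))
        seen_ips[app].add(ip)
    return findings


if __name__ == "__main__":
    for app, finding in detect(EVENTS):
        print(f"{app}: {finding}")
```

The routine `crm-sync` export produces no finding, so the rule keys on the combination of behaviours rather than on bulk exports alone, which legitimate integrations also run.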
Salesforce has since removed Drift from the AppExchange, and Google has disabled Drift’s OAuth integration with Workspace. Salesloft has urged customers to revoke old API keys and reauthenticate with new credentials.