Companies affected by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customer instances
In early August, a threat actor tracked by Google Threat Intelligence Group as UNC6395 abused compromised OAuth tokens from the Salesloft Drift app's Salesforce integration to access company Salesforce tenants. Because the stolen OAuth credentials bypassed normal authentication (including MFA), the threat actor was able to exfiltrate large volumes of Salesforce data from hundreds of organizations. The attackers also took steps to cover their tracks by deleting Salesforce query job records after data exports. The activity focused on finding credentials within the exfiltrated Salesforce data, specifically AWS access keys, passwords, and Snowflake tokens.
Elastic investigated the widespread Salesloft Drift OAuth incident disclosed on August 26, 2025, and determined its Salesforce environment was not impacted. However, Elastic identified exposure of a single email account connected through the Drift Email integration, which may have granted unauthorized read-only access to inbound emails. A small number of those emails contained potentially valid credentials. Elastic promptly notified the affected customers through established support channels and rotated impacted credentials. Immediate actions included disabling all Drift integrations. Elastic confirmed that no Elastic products, services, or infrastructure were affected.
Sigma Computing disclosed that it was impacted by the Salesloft Drift OAuth token compromise campaign targeting Salesforce customers. Unauthorized actors accessed Salesforce credentials linked to the Drift integration, granting them limited access to Sigma’s Salesforce environment. The exposed data included business contact information such as names, business email addresses, phone numbers, and business addresses. No Sigma products, services, or infrastructure were affected, and no evidence of misuse has been found. Sigma has conducted an extensive investigation and continues to monitor for any potential abuse of the exposed data.
Esker confirmed that it was impacted by the widespread Salesloft Drift OAuth token compromise targeting Salesforce customers. Attackers used stolen OAuth credentials between August 8 and August 18, 2025, to gain limited access to Esker’s Salesforce environment. The exposed data was confined to Salesforce support case content and included names, business email addresses, job titles, phone numbers, and plain text content from support tickets. Attached files and images were not affected. No other Esker corporate systems or customer cloud platforms were impacted. Esker immediately disabled Drift access, rotated tokens, launched a detailed investigation with Salesforce, activated dark web monitoring, and began a third-party vendor risk review. Customers are advised to remain vigilant for phishing or social engineering attempts referencing Esker support cases.
CyberArk confirmed that it was impacted by the Salesloft Drift supply chain incident, which allowed unauthorized access to Salesforce customer instances. Attackers leveraged compromised OAuth tokens to access CyberArk’s Salesforce CRM data. The exposed information was limited to business contact details, account and conversation metadata, and summary fields. No sensitive data such as credentials, API keys, passwords, secrets, documents, files, or customer support case information was accessed. CyberArk promptly disabled the Drift integration, revoked related credentials, rotated Salesforce integration keys, and engaged third-party forensics experts to verify containment. No CyberArk products, services, or internal systems were affected. Customers whose Salesforce data may have been exposed are being contacted directly. CyberArk has urged vigilance against potential phishing or social engineering attempts using exposed contact information.
Workiva disclosed that attackers exfiltrated limited data from its Salesforce CRM environment via the Drift integration supply chain incident. The exposed information included business contact details such as names, email addresses, phone numbers, and support ticket content. Workiva emphasized that its platform and the data within it were not affected or compromised. The company has warned affected customers to remain vigilant against potential spear-phishing attacks leveraging the stolen information. Workiva continues to work with its CRM vendor and security partners to investigate and secure its environment. https://www.workiva.com/security-update
Cato Networks confirmed it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers between August 8–18, 2025. Attackers accessed limited Salesforce data, including customer business contact information, company attributes, and basic customer case information. Cato emphasized that the Cato SASE Cloud Platform, infrastructure, and production systems were not affected. Upon notification, Cato immediately disconnected the Drift integration, disabled relevant APIs and third-party integrations, and engaged internal and external experts to investigate. Cato’s threat intelligence team, Cato CTRL, has also activated dark web monitoring and found no evidence of misuse of the exposed data. Customers have been advised to remain vigilant against phishing and social engineering attempts leveraging the stolen data.
JFrog confirmed that it was impacted by the widespread Salesloft Drift incident, which exploited OAuth connections to Salesforce customer instances. On August 23, 2025, Salesforce notified JFrog of suspicious access to its Salesforce tenant via the Drift integration. While the JFrog Platform and customer product data were unaffected, the company discovered that some Salesforce records were accessed. Exposed data was limited to Salesforce-related records and did not involve the JFrog Platform, products, or secured customer data. JFrog immediately disabled all Salesloft/Drift integrations, initiated incident response protocols, and engaged cybersecurity experts to investigate. No evidence of ongoing malicious activity has been found.
Bugcrowd confirmed that it was impacted by the Salesloft Drift incident, which allowed attackers to gain unauthorized access to Salesforce customer instances. An unauthorized actor accessed certain data stored within Bugcrowd’s Salesforce environment via the compromised Drift application. The company emphasized that no Bugcrowd platform data, customer vulnerability information, payment details, or internal network systems were impacted. Bugcrowd immediately disabled the Drift application, secured access, and engaged both internal security teams and external cybersecurity experts to investigate the scope of the incident. No evidence of ongoing malicious activity or lateral movement beyond Salesforce has been found.
Heap disclosed that it was impacted by the widespread Salesloft Drift incident, which targeted Salesforce customers using Drift's integration. Salesforce notified Heap of unusual activity tied to the Drift application, indicating potential unauthorized access to Heap's Salesforce environment.
Megaport confirmed it was impacted by the Salesloft Drift supply chain incident, which allowed unauthorized access to a subset of its Salesforce data. The exposed information was limited to customer contact details, including names, titles, business email addresses, and business phone numbers.
Tenable disclosed that it was impacted by the widespread Salesforce–Salesloft Drift OAuth compromise campaign that has affected numerous organizations. An unauthorized actor accessed limited customer information from Tenable's Salesforce instance, including subject lines and initial descriptions from support cases.
BeyondTrust confirmed that it was impacted by the supply chain incident involving the compromised Salesloft Drift application. On August 22, 2025, Salesforce notified BeyondTrust of suspicious activity in which attackers used credentials tied to Drift integrations to access Salesforce customer instances.
Rubrik disclosed that it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers. On August 22, 2025, Salesforce notified Rubrik of suspicious activity suggesting potential unauthorized access to Rubrik's Salesforce instance through the compromised Drift integration.
Proofpoint disclosed that it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers. Salesforce initially identified suspicious activity tied to the Drift integration, which had been exploited to gain unauthorized access to Proofpoint's Salesforce tenant.
Tanium disclosed that it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers. Attackers obtained Tanium credentials from Salesloft Drift and gained limited access to Tanium's Salesforce instance.
PagerDuty disclosed that it was impacted by the Salesloft Drift OAuth token compromise, which attackers exploited to gain unauthorized access to Salesforce accounts across multiple organizations. On August 23, 2025, PagerDuty was informed that a threat actor may have accessed its Salesforce instance through this compromised authorization flow.
Cloudflare confirmed it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customer instances. Between August 12–17, 2025, the threat actor known as GRUB1 accessed Cloudflare's Salesforce tenant and exfiltrated customer support case data.
SpyCloud disclosed that it was impacted by the Salesloft Drift OAuth token compromise campaign targeting Salesforce customer instances. Attackers potentially accessed SpyCloud's Salesforce CRM data through a compromised OAuth token linked to the Salesloft Drift integration.
Palo Alto Networks confirmed that it was one of hundreds of organizations impacted by the widespread supply chain attack abusing compromised OAuth tokens from the Salesloft Drift integration with Salesforce. Attackers leveraged stolen tokens to access Palo Alto Networks' Salesforce instance and exfiltrate limited customer-related data.
Zscaler reports being impacted by a broader campaign targeting Salesloft Drift integrations with Salesforce. Attackers stole OAuth tokens associated with Salesloft Drift and used them to gain limited access to Zscaler's Salesforce data. Exposed information consisted of commonly available business contact details (names, business emails, job titles, phone numbers, region) along with Zscaler product licensing/commercial information and content from certain support cases.