Companies affected by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customer instances
In early August, a threat actor tracked by Google Threat Intelligence Group as UNC6395 abused compromised OAuth tokens from the Salesloft Drift app's Salesforce integration to exfiltrate large volumes of data from the Salesforce tenants of hundreds of organizations. Using the stolen OAuth credentials, the threat actor bypassed normal authentication (including MFA). The attackers also took steps to cover their tracks by deleting Salesforce query job records after data exports. The activity focused on finding credentials within the exfiltrated Salesforce data, specifically AWS access keys, passwords, and Snowflake tokens.
Pantheon confirmed it was impacted by the Salesloft Drift OAuth integration compromise targeting Salesforce customers. Between August 12–15, 2025, attackers exploited a vulnerability in the Drift app to gain unauthorized access to Pantheon’s Salesforce CRM environment. The incident resulted in the exfiltration of customer renewal information, internal sales account data, and some related contact details. Pantheon’s platform and customer-hosted websites were not affected. Upon learning of the incident on August 28, Pantheon immediately locked down Salesforce permissions, removed vulnerable applications, and launched a forensic investigation in collaboration with Salesforce and Salesloft. The company is also reviewing all third-party integrations to strengthen defenses and has pledged to share updates as more information becomes available.
HackerOne confirmed that it was impacted by the widespread Salesloft Drift OAuth compromise targeting Salesforce customers. On August 22, 2025, Salesforce notified HackerOne of potential unauthorized access, later confirmed by Salesloft. Attackers accessed a subset of records in HackerOne’s Salesforce instance through the compromised Drift integration. Due to HackerOne’s strict data segmentation and security controls, no customer vulnerability data or platform data was exposed. HackerOne immediately activated incident response protocols, partnered with Salesforce and Salesloft to assess the scope, and continues forensic analysis. Impacted customers will be notified directly if their information was affected.
Workday confirmed that it was impacted by the Salesloft Drift OAuth compromise targeting Salesforce customers. Upon notification on August 23, 2025, Workday immediately disconnected the Drift app, invalidated its tokens, and began removing related integrations. A forensic investigation confirmed that no customer tenants or tenant data were accessed. The threat actor’s access was limited to a small subset of Workday’s Salesforce records, which included business contact information, basic support case details, and tenant attributes (such as tenant and data center names, product names, services, training records, and event logs). No external files, contracts, or attachments were compromised. While Workday advises customers not to share credentials in support cases, the company is proactively reviewing all case data to identify any sensitive information such as credentials and will notify affected customers directly. Customers are urged to rotate any credentials previously shared in support cases and remain vigilant against phishing attempts.
Fastly confirmed it was affected by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers between August 13–18, 2025. Attackers, tracked as UNC6395 by Mandiant, gained unauthorized access to Fastly’s Salesforce instance and exfiltrated limited support case data, including case subjects, descriptions, and customer contact information. No Fastly services, infrastructure, or products were impacted. Upon detection, Fastly disabled all Drift integrations, reset OAuth sessions, analyzed audit logs, and coordinated with Salesforce to confirm containment. Impacted customers were notified via Fastly Service Advisories starting September 4, 2025. Customers are advised to rotate any credentials previously shared in support cases and remain vigilant for phishing or social engineering attempts.
Dynatrace confirmed that it was among the organizations affected by the Salesloft Drift OAuth token compromise targeting Salesforce customers. The breach was confined to Dynatrace’s Salesforce CRM environment, which is used for customer management and marketing. Exposed data was limited to business contact information, including customer contact names and company identifiers. Dynatrace does not use Salesforce case functions, meaning no support case information was impacted. No Dynatrace products, services, or systems containing customer data were affected, and there was no disruption to operations. Upon notification, Dynatrace disabled Drift integrations, launched an internal investigation with external experts, and has since been informed that Salesforce has re-enabled the connections. Customers are advised to remain vigilant against phishing or social engineering attempts using exposed business contact data.
Qualys confirmed it was among the organizations impacted by the Salesloft Drift supply chain incident, where attackers exploited stolen OAuth tokens to gain unauthorized access to Salesforce customer instances. The exposed data was limited to Salesforce business records and did not affect Qualys production environments, platforms, codebase, or customer data stored on the Qualys Cloud Platform, Agents, or Scanners. All Qualys services remained fully operational throughout the incident. Upon notification, Qualys immediately disabled Drift integrations, contained potential access, and launched a thorough investigation with support from Salesforce and Mandiant. The company continues to monitor the situation and has pledged to notify customers if further relevant information emerges.
Nutanix confirmed that it was impacted by the Salesloft Drift OAuth compromise that targeted Salesforce customers worldwide. Attackers gained unauthorized access to Salesforce support case records for a subset of Nutanix customers. The exposed data included fields from Salesforce cases such as business contact information, subject lines, descriptions, and in limited instances, support case correspondence. No files, attachments, or Nutanix products and services were affected. Nutanix promptly disabled the Drift integration, launched an internal investigation, and directly notified impacted customers. At this time, there is no evidence that the accessed data has been misused. The company continues to collaborate with Salesforce and external security experts to monitor and analyze the incident.
Elastic investigated the widespread Salesloft Drift OAuth incident disclosed on August 26, 2025, and determined its Salesforce environment was not impacted. However, Elastic identified exposure of a single email account connected through the Drift Email integration, which may have granted unauthorized read-only access to inbound emails. A small number of those emails contained potentially valid credentials. Elastic promptly notified the affected customers through established support channels and rotated impacted credentials. Immediate actions included disabling all Drift integrations. Elastic confirmed that no Elastic products, services, or infrastructure were affected.
Sigma Computing disclosed that it was impacted by the Salesloft Drift OAuth token compromise campaign targeting Salesforce customers. Unauthorized actors accessed Salesforce credentials linked to the Drift integration, granting them limited access to Sigma’s Salesforce environment. The exposed data included business contact information such as names, business email addresses, phone numbers, and business addresses. No Sigma products, services, or infrastructure were affected, and no evidence of misuse has been found. Sigma has conducted an extensive investigation and continues to monitor for any potential abuse of the exposed data.
Esker confirmed that it was impacted by the widespread Salesloft Drift OAuth token compromise targeting Salesforce customers. Attackers used stolen OAuth credentials between August 8 and August 18, 2025, to gain limited access to Esker’s Salesforce environment. The exposed data was confined to Salesforce support case content and included names, business email addresses, job titles, phone numbers, and plain text content from support tickets. Attached files and images were not affected. No other Esker corporate systems or customer cloud platforms were impacted. Esker immediately disabled Drift access, rotated tokens, launched a detailed investigation with Salesforce, activated dark web monitoring, and began a third-party vendor risk review. Customers are advised to remain vigilant for phishing or social engineering attempts referencing Esker support cases.
CyberArk confirmed that it was impacted by the Salesloft Drift supply chain incident, which allowed unauthorized access to Salesforce customer instances. Attackers leveraged compromised OAuth tokens to access CyberArk’s Salesforce CRM data. The exposed information was limited to business contact details, account and conversation metadata, and summary fields. No sensitive data such as credentials, API keys, passwords, secrets, documents, files, or customer support case information was accessed. CyberArk promptly disabled the Drift integration, revoked related credentials, rotated Salesforce integration keys, and engaged third-party forensics experts to verify containment. No CyberArk products, services, or internal systems were affected. Customers whose Salesforce data may have been exposed are being contacted directly. CyberArk has urged vigilance against potential phishing or social engineering attempts using exposed contact information.
Workiva disclosed that attackers exfiltrated limited data from its Salesforce CRM environment via the Drift integration supply chain incident. The exposed information included business contact details such as names, email addresses, phone numbers, and support ticket content. Workiva emphasized that its platform and the data within it were not affected or compromised. The company has warned affected customers to remain vigilant against potential spear-phishing attacks leveraging the stolen information. Workiva continues to work with its CRM vendor and security partners to investigate and secure its environment. https://www.workiva.com/security-update
Cato Networks confirmed it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers between August 8–18, 2025. Attackers accessed limited Salesforce data, including customer business contact information, company attributes, and basic customer case information. Cato emphasized that the Cato SASE Cloud Platform, infrastructure, and production systems were not affected. Upon notification, Cato immediately disconnected the Drift integration, disabled relevant APIs and third-party integrations, and engaged internal and external experts to investigate. Cato’s threat intelligence team, Cato CTRL, has also activated dark web monitoring and found no evidence of misuse of the exposed data. Customers have been advised to remain vigilant against phishing and social engineering attempts leveraging the stolen data.
JFrog confirmed that it was impacted by the widespread Salesloft Drift incident, which exploited OAuth connections to Salesforce customer instances. On August 23, 2025, Salesforce notified JFrog of suspicious access to its Salesforce tenant via the Drift integration. While the JFrog Platform and customer product data were unaffected, the company discovered that some Salesforce records were accessed. Exposed data was limited to Salesforce-related records and did not involve the JFrog Platform, products, or secured customer data. JFrog immediately disabled all Salesloft/Drift integrations, initiated incident response protocols, and engaged cybersecurity experts to investigate. No evidence of ongoing malicious activity has been found.
Bugcrowd confirmed that it was impacted by the Salesloft Drift incident, which allowed attackers to gain unauthorized access to Salesforce customer instances. An unauthorized actor accessed certain data stored within Bugcrowd’s Salesforce environment via the compromised Drift application. The company emphasized that no Bugcrowd platform data, customer vulnerability information, payment details, or internal network systems were impacted. Bugcrowd immediately disabled the Drift application, secured access, and engaged both internal security teams and external cybersecurity experts to investigate the scope of the incident. No evidence of ongoing malicious activity or lateral movement beyond Salesforce has been found.
Heap disclosed that it was impacted by the widespread Salesloft Drift incident, which targeted Salesforce customers using Drift's integration. Salesforce notified Heap of unusual activity tied to the Drift application, indicating potential unauthorized access to Heap's Salesforce environment.
Megaport confirmed it was impacted by the Salesloft Drift supply chain incident, which allowed unauthorized access to a subset of its Salesforce data. The exposed information was limited to customer contact details, including names, titles, business email addresses, and business phone numbers.
Tenable disclosed that it was impacted by the widespread Salesforce–Salesloft Drift OAuth compromise campaign that has affected numerous organizations. An unauthorized actor accessed limited customer information from Tenable's Salesforce instance, including subject lines and initial descriptions from support cases.
BeyondTrust confirmed that it was impacted by the supply chain incident involving the compromised Salesloft Drift application. On August 22, 2025, Salesforce notified BeyondTrust of suspicious activity in which attackers used credentials tied to Drift integrations to access Salesforce customer instances.
Rubrik disclosed that it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers. On August 22, 2025, Salesforce notified Rubrik of suspicious activity suggesting potential unauthorized access to Rubrik's Salesforce instance through the compromised Drift integration.
Proofpoint disclosed that it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers. Salesforce initially identified suspicious activity tied to the Drift integration, which had been exploited to gain unauthorized access to Proofpoint's Salesforce tenant.
Tanium disclosed that it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customers. Attackers obtained Tanium credentials from Salesloft Drift and gained limited access to Tanium's Salesforce instance.
PagerDuty disclosed that it was impacted by the Salesloft Drift OAuth token compromise, which attackers exploited to gain unauthorized access to Salesforce accounts across multiple organizations. On August 23, 2025, PagerDuty was informed that a threat actor may have accessed its Salesforce instance through this compromised authorization flow.
Cloudflare confirmed it was impacted by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customer instances. Between August 12–17, 2025, the threat actor known as GRUB1 accessed Cloudflare's Salesforce tenant and exfiltrated customer support case data.
SpyCloud disclosed that it was impacted by the Salesloft Drift OAuth token compromise campaign targeting Salesforce customer instances. Attackers potentially accessed SpyCloud's Salesforce CRM data through a compromised OAuth token linked to the Salesloft Drift integration.
Palo Alto Networks confirmed that it was one of hundreds of organizations impacted by the widespread supply chain attack abusing compromised OAuth tokens from the Salesloft Drift integration with Salesforce. Attackers leveraged stolen tokens to access Palo Alto Networks' Salesforce instance and exfiltrate limited customer-related data.
Zscaler reports being impacted by a broader campaign targeting Salesloft Drift integrations with Salesforce. Attackers stole OAuth tokens associated with Salesloft Drift and used them to gain limited access to Zscaler's Salesforce data. Exposed information consisted of commonly available business contact details (names, business emails, job titles, phone numbers, region) along with Zscaler product licensing/commercial information and content from certain support cases.