Cybersecurity Breach: The Salesloft Drift Incident
Recent news has highlighted a significant cybersecurity incident involving the Salesloft Drift integration, which has put organizations across various sectors, including cybersecurity, cloud infrastructure, DevOps, and SaaS, on alert. This breach has serious implications, exposing customer data and credentials and underscoring the vulnerabilities associated with software supply chains.
Overview of the Breach
The Salesloft Drift breach occurred between August 8 and August 18, 2025. During this period, attackers exploited compromised OAuth tokens associated with the Drift chatbot’s integration with Salesforce. Google’s Threat Intelligence team attributed the attack to a threat group known as GRUB1, which systematically harvested credentials and conducted reconnaissance within Salesforce environments.
Impact on Major Companies
Cloudflare emerged as one of the most seriously affected companies. Between August 12 and August 17, a compromised OAuth token allowed attackers access to Cloudflare’s Salesforce case data. Findings from the investigation revealed that attackers successfully harvested metadata and ran queries against internal Salesforce objects, even exfiltrating customer support case text via Salesforce’s Bulk API 2.0. Cloudflare’s internal tools later identified 104 compromised API tokens, all of which have since been rotated. The company described this incident as a significant failure in vendor oversight and has begun reevaluating its security policies related to third-party integrations.
Other Affected Organizations
Several other companies have also acknowledged the breach:
- Dynatrace confirmed that only its Salesforce CRM system, used for marketing purposes, was affected. The company reported that only limited business contact data was accessed and took immediate action to deactivate Drift while engaging third-party forensic experts.
- Cato Networks swiftly revoked all Drift-related API access and initiated an internal investigation. They too found that the accessed data was limited to case metadata and contact information, with their security unit continuing to monitor the dark web for any signs of misuse.
- Bugcrowd reported unauthorized access to its Salesforce environment but noted that no vulnerability reports or crucial customer data were impacted. The company is collaborating with Salesforce and Salesloft to gauge the scope of the breach.
- BeyondTrust was informed of the breach and promptly revoked OAuth credentials while confirming no harmful impact beyond Salesforce occurred. Meanwhile, Zscaler acknowledged some exposure of Salesforce data, although no misuse has been identified.
Detailed Timeline of Events
A deeper dive into the incident reveals the meticulous approach taken by the attackers:
- August 9: GRUB1 attempted to validate an API token via Salesforce.
- August 12-14: Unauthorized access commenced, with the attacker exploring Salesforce schemas.
- August 17: The exfiltration of data through the Salesforce Bulk API 2.0 began using new infrastructure.
- August 20: Salesloft canceled all Drift OAuth credentials; however, Cloudflare had not yet received any alerts.
- August 23-25: Salesforce and Salesloft formally alerted their customers, triggering widespread revocations and internal containment measures.
The Growing Challenge of Supply Chain Attacks
This incident exemplifies the escalating risk presented by supply chain attacks, a concern that has grown increasingly pressing. According to Cyble, the incidence rate of these attacks has doubled since April 2025, averaging 26 incidents monthly. Such attacks capitalize on the inherent trust placed in third-party integrations, frequently bypassing internal security controls.
Further reports indicate that at least 20 industries were impacted by supply chain incidents in 2025, with some ransomware groups claiming large-scale data exfiltration from separate breaches.
Lessons Learned from the Salesloft Drift Incident
This breach serves as a critical reminder of the vulnerabilities associated with OAuth security and third-party risk management. Organizations should take proactive measures, including:
- Regularly rotating OAuth tokens and ensuring they are tightly scoped.
- Limiting and continuously auditing third-party access to enhance security.
- Centralizing visibility into integrated platforms to enforce least privilege access.
- Developing quick detection and revocation processes to mitigate OAuth-related threats.
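As an added illustration of the detection point above (this is not code from the original article or from any vendor named in it), the hunt below runs over constructed, simplified API-log rows and flags the sequence described in the timeline: a connected app calling from an unfamiliar address, describing many objects in a short span, then exporting an out-of-scope object via Bulk API 2.0. The field names, the app name `drift_chat`, the baseline and the sample rows are all assumptions, not the exact Salesforce event-monitoring schema.

```python
import csv
import io
from collections import defaultdict

# Constructed baseline: objects each connected app is expected to touch and
# the address prefixes it normally calls from. Not a real tenant's data.
BASELINE = {
    "drift_chat": {"objects": {"Contact", "Lead"}, "cidrs": {"203.0.113."}},
}

# Constructed sample log in a simplified, assumed layout (not the real
# Salesforce EventLogFile schema): one benign row, then reconnaissance and
# a Bulk API 2.0 export from a new source address.
SAMPLE_LOG = """\
ts,app,api,op,object,client_ip,rows
2025-08-09T10:01:00Z,drift_chat,REST,query,Contact,203.0.113.7,12
2025-08-12T02:10:00Z,drift_chat,REST,describe,Account,198.51.100.9,0
2025-08-12T02:10:05Z,drift_chat,REST,describe,Case,198.51.100.9,0
2025-08-12T02:10:09Z,drift_chat,REST,describe,Opportunity,198.51.100.9,0
2025-08-12T02:10:12Z,drift_chat,REST,describe,User,198.51.100.9,0
2025-08-17T03:40:00Z,drift_chat,BULK2,query,Case,198.51.100.9,48000
"""


def parse_log(text):
    """Parse the CSV-style rows into dicts keyed by the header fields."""
    return list(csv.DictReader(io.StringIO(text)))


def analyze(events, baseline=BASELINE, describe_threshold=3):
    """Return de-duplicated (rule, app, detail) tuples for behaviour outside the baseline."""
    findings, describes = [], defaultdict(set)

    def add(rule, app, detail):
        if (rule, app, detail) not in findings:
            findings.append((rule, app, detail))

    for e in events:
        app, profile = e["app"], baseline.get(e["app"])
        if profile is None:
            add("unknown_app", app, e["ts"])
            continue
        if not any(e["client_ip"].startswith(c) for c in profile["cidrs"]):
            add("new_source_ip", app, e["client_ip"])
        if e["op"] == "describe":  # schema reconnaissance, scored below
            describes[app].add(e["object"])
        elif e["object"] not in profile["objects"]:
            add("out_of_scope_object", app, e["object"])
        if e["api"] == "BULK2":  # any bulk job by a chatbot app is worth a look
            add("bulk_export", app, f'{e["object"]}:{e["rows"]}')
    for app, objs in describes.items():
        if len(objs) >= describe_threshold:
            add("schema_enumeration", app, str(len(objs)))
    return findings
```

Running `analyze(parse_log(SAMPLE_LOG))` on the sample yields four findings; the same rules applied to a real event feed would need a baseline built from each app's observed history rather than the hard-coded one here.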
In response to this incident, Salesforce has removed Drift from its AppExchange, while Google has disabled Drift’s OAuth integration with Workspace. Salesloft has emphasized the need for customers to revoke any old API keys and reauthenticate using new credentials.
This breach not only highlights current vulnerabilities but also points towards the necessity for rigorous security protocols in an increasingly interconnected digital landscape.