
Major Cybersecurity Firms Hit by Salesloft Drift Supply Chain Attack

Attackers accessed Salesforce CRM data — mostly contacts, sales info & case records.


A sophisticated supply chain attack targeting the Salesloft Drift application has compromised Salesforce data from major cybersecurity companies, including Zscaler, Palo Alto Networks, and Astrix Security, highlighting critical vulnerabilities in third-party integrations.

The breach, first identified by Google's Threat Intelligence Group (GTIG) and attributed to threat actor UNC6395, exploited compromised OAuth tokens (the authentication credentials that let Drift act on a customer's Salesforce instance) between August 8 and 18, 2025. The attack specifically targeted corporate Salesforce environments to harvest sensitive credentials stored in CRM records, including AWS access keys, passwords, and Snowflake database tokens.

"The threat actor executed queries to retrieve information associated with Salesforce objects such as Cases, Accounts, Users, and Opportunities," GTIG reported, noting the attackers demonstrated operational sophistication by deleting query jobs to cover their tracks.

The compromised data primarily included business contact information—names, email addresses, phone numbers, job titles, and regional details. Zscaler additionally reported exposure of "product licensing and commercial information" and "plain text content from certain support cases."

[Image: List of the companies affected by the Salesloft Drift breach]

Drift, a sales engagement platform acquired by Salesloft in 2024, integrates deeply with Salesforce CRM systems to automate sales workflows. The breach exploited this trusted relationship, allowing attackers to access customer Salesforce instances through hijacked OAuth authorization processes.

All affected companies have confirmed the breach was limited to their Salesforce data, with no evidence of access to core product platforms or internal systems. "No SpyCloud darknet data or systems related to our products were accessed," SpyCloud emphasized in their disclosure.

Salesforce and Salesloft responded swiftly on August 20, revoking all active tokens for the Drift application and temporarily removing it from Salesforce's AppExchange marketplace. "This issue does not stem from a vulnerability within the core Salesforce platform," Salesforce clarified.

The incident underscores growing risks in cloud-first environments where third-party integrations can become powerful attack vectors. Security experts recommend organizations immediately audit OAuth permissions, search Salesforce data for exposed credentials, and implement stricter access controls for third-party applications.
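Two of the recommended steps above, searching CRM data for exposed credentials and auditing third-party OAuth grants, can be scripted. The following is an added example written for this article, not code from Salesforce, Salesloft, or GTIG. It runs offline over a constructed sample of exported Case/Account records and a constructed list of connected apps; the record shapes, app names, the `last_used_days_ago` field, and the credential patterns are assumptions for illustration (the AWS key format and the Salesforce `api`/`refresh_token`/`full` scope names are real, the sample values are the documented AWS example key and invented strings).

```python
import re
from dataclasses import dataclass

# Constructed sample export resembling a Salesforce Case/Account dump.
# Values are invented; the AWS pair is the documented AWS example key.
SAMPLE_RECORDS = [
    {"Id": "500xx000000001", "Object": "Case",
     "Description": "Customer pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500xx000000002", "Object": "Case",
     "Description": "Login fails. password: Hunter2!2025 for user svc-admin"},
    {"Id": "001xx000000003", "Object": "Account",
     "Description": "Quarterly renewal, contact via phone."},
    {"Id": "500xx000000004", "Object": "Case",
     "Description": "Snowflake connection string: "
                    "snowflake://analytics:SuperSecretPwd@acme.snowflakecomputing.com/db"},
]

# Heuristic patterns for the credential types named in the article.
# Non-capturing prefix group so the whole key is reported, not just "AKIA".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "password_assignment": re.compile(r"(?i)\bpass(word|wd)?\s*[=:]\s*(\S+)"),
    "snowflake_connection": re.compile(r"(?i)snowflake://[^\s/]+:[^\s@]+@[^\s/]+"),
}


@dataclass
class Finding:
    record_id: str
    object_name: str
    field: str
    kind: str
    preview: str  # masked: first four characters only, so reports never re-leak the secret


def scan_records(records, fields=("Description",)):
    """Return one Finding per credential-like match in the given text fields."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    value = m.group(m.lastindex) if m.lastindex else m.group(0)
                    findings.append(Finding(rec["Id"], rec["Object"], field, kind, value[:4] + "****"))
    return findings


def summarize(findings):
    """Count findings by credential kind, for a triage summary."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed inventory of connected apps; names and last-use ages are hypothetical.
SAMPLE_CONNECTED_APPS = [
    {"name": "Drift (hypothetical entry)", "scopes": ["api", "refresh_token", "full"], "last_used_days_ago": 2},
    {"name": "Internal BI sync (hypothetical)", "scopes": ["api", "refresh_token"], "last_used_days_ago": 1},
    {"name": "Old marketing tool (hypothetical)", "scopes": ["api"], "last_used_days_ago": 120},
]


def audit_connected_apps(apps, stale_days=90, broad_scopes=("full",)):
    """Flag apps holding overly broad scopes or tokens that have gone unused."""
    issues = []
    for app in apps:
        reasons = []
        broad = [s for s in app["scopes"] if s in broad_scopes]
        if broad:
            reasons.append("broad scope: " + ",".join(broad))
        if app["last_used_days_ago"] > stale_days:
            reasons.append(f"stale: unused for {app['last_used_days_ago']} days")
        if reasons:
            issues.append((app["name"], reasons))
    return issues


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.object_name} {f.record_id} {f.field}: {f.kind} ({f.preview})")
    print(summarize(scan_records(SAMPLE_RECORDS)))
    for name, reasons in audit_connected_apps(SAMPLE_CONNECTED_APPS):
        print(f"{name}: {'; '.join(reasons)}")
```

Any hit from `scan_records` is a credential to rotate regardless of whether the Drift token was used against that record, since the attacker's queries against Cases and similar objects would have returned the field in full. The masked preview is deliberate: the triage output itself should not become a second copy of the secret.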

Given the exposure of contact information, affected companies warn customers to remain vigilant against potential phishing and social engineering attacks leveraging the compromised data.
