SalesLoft Drift is an AI-powered chat tool which interacts with Salesforce and is used by a number of large businesses to provide automated business support to customers. Beginning on August 8th 2025, attackers were able to compromise this tool with the objective of performing data theft.
The attack meant that OAuth tokens used to connect to Salesforce were compromised. These tokens were then used in a variety of secondary attacks to steal information from affected Salesforce instances which used the tool.
The exact scope of the attacks remains unknown; however, several larger companies have declared that they are affected by the breach:
Cloudflare: "Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel."
Google: "Compromise of e-mail accounts which were configured to integrate with Salesloft"
PagerDuty: "a threat actor may have been able to gain unauthorized access to PagerDuty’s Salesforce account." "potential exposure of names, phone numbers, and email addresses"
SpyCloud: "At this time, the elements we believe were accessed are standard customer relationship management fields in Salesforce. Consumer data is not believed to have been accessed."
Tanium: "the threat actors had limited access to our Salesforce data" "Names, Business Email Addresses, Phone numbers, Regional/location references"
Zscaler: "we have determined that these credentials have allowed limited access to some Zscaler Salesforce information."
Palo Alto: "compromise of a third-party application, Salesloft’s Drift, resulted in the access and exfiltration of data stored in our Salesforce environment."
As seen with advisories published so far, the scope of this incident is large and is expected to affect more companies moving forward.
The first step in responding to this breach should be to identify whether SalesLoft Drift is in use at your organisation. If so, you may be directly affected by the breach and may require incident response support to conduct an investigation into its extent.
If you do not use SalesLoft Drift, but do use one of the companies above, or use a company which you suspect may be affected, you may be indirectly affected. This means that information shared within support tickets may have been compromised. If this contains any credentials or authentication keys, these should be reset immediately and an incident response investigation should be launched to determine if any services have been accessed by threat actors.
Otherwise, exposure of PII, which appears to be the most common outcome in the advisories shown above, should be treated using the normal process for notifying data subjects. It's a good idea to contact the third party you believe may be affected to request details of investigations and outcomes.
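To find which credentials were shared through support tickets and therefore need resetting, an export of your own ticket text can be scanned for credential-like strings. The following is an added example, not code from Integrity360 or any affected vendor; the ticket IDs, the sample text and the pattern set are constructed assumptions and should be extended for the secrets your organisation actually issues.

```python
import re

# Patterns for common credential shapes; a starting set, not exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "labelled_secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']?([^\s\"']{6,})"
    ),
}

def redact(value):
    """Keep a short prefix and the length so the report does not re-expose the secret."""
    return f"{value[:4]}...({len(value)} chars)"

def find_shared_secrets(tickets):
    """Return (ticket_id, kind, redacted_value) for each credential-like string found."""
    findings = []
    for ticket_id, text in tickets:
        seen = set()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                # Use the capture group when the pattern has one, else the whole match.
                value = match.group(match.lastindex or 0)
                if value not in seen:  # avoid double-reporting the same string
                    seen.add(value)
                    findings.append((ticket_id, kind, redact(value)))
    return findings

# Constructed sample tickets (not real data).
SAMPLE_TICKETS = [
    ("CASE-001", "Our deploy fails. Config: api_key=examplekey-0123456789 region=eu"),
    ("CASE-002", "Requests with key AKIAIOSFODNN7EXAMPLE return 403 since Monday."),
    ("CASE-003", "Dashboard is slow when loading more than 500 rows."),
    ("CASE-004", "curl -H 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345' fails"),
]

if __name__ == "__main__":
    for ticket_id, kind, shown in find_shared_secrets(SAMPLE_TICKETS):
        print(f"{ticket_id}: {kind}: {shown} -> reset this credential")
```

Every ticket that produces a finding identifies a credential to reset and a service whose access logs should be reviewed as part of the investigation.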
Integrity360 will monitor in the coming weeks for any new organisations which have been affected by this breach. If you would like to be contacted about any further updates to the situation, please contact your account manager quoting the "Salesloft data breach" and a member of the Incident Response team will be in touch.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.