Salesloft Drift Supply Chain Attack Affects Hundreds of Businesses – Source:levelblue.com

Source: levelblue.com – Author: hello@alienvault.com.

LevelBlue’s Security & Compliance Team is aware of the Salesloft vulnerability affecting Drift chatbot integrations. LevelBlue, and its affiliated entities, do not utilize Drift, and Salesforce has confirmed the incident did not impact clients without this integration. 

Based on current information, we confirm there has been no exposure or impact to us or our clients. Should new information arise that alters this assessment, we will provide an update directly.

For additional background: Salesloft Drift, a third-party plugin for Salesforce that helps automate contact and sales leads, was compromised between March and August 2025. The compromise exposed OAuth tokens that allowed the threat actor (attributed and tracked as UNC6395 by Google) to bypass authentication (including MFA) where Drift customers had integrated Drift with Salesforce. This gave the threat actor access to the Salesforce data of hundreds of organizations, including Google, Cisco, Adidas, Cloudflare, Zscaler, and Palo Alto Networks.

The Attack

The initial compromise began in March when the threat actor gained access through unknown means to the Salesloft GitHub account, downloading multiple private code repositories. The attacker maintained access through at least June. Leaked information allowed the threat actor to pivot to Drift’s AWS environment in early August, leveraging that access to steal OAuth tokens for Drift integrations.

The threat actor then used the OAuth tokens to access Drift customers’ Salesforce integrations, then downloaded and exfiltrated the data available through them. In an attempt to evade forensics, the threat actor also deleted the logged records of the queries and export jobs.

As of September 9, the integration between Salesloft and Salesforce has been restored.

Conclusion

These types of attacks cause massive damage with only a single compromise, because they target the supply chain of major organizations instead of attacking the organizations directly. By compromising just one organization, Salesloft Drift, the threat actors were able to pivot that access to compromise hundreds of organizations.

It’s vital in this day and age to take an inventory of the third-party vendors your organization relies on and document the effect on your business if one of those suppliers is compromised. Finally, make sure that your suppliers are doing their due diligence to secure themselves.

The content provided herein is for general informational purposes only and should not be construed as legal, regulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or cybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s Managed Threat Detection and Response solutions are designed to support threat detection and response at the endpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a full cybersecurity program.

Original Post url: https://levelblue.com/blogs/security-essentials/salesloft-drift-supply-chain-attack-affects-hundreds-of-businesses
