What happened to HackerOne in the supply chain attack?

HackerOne, a vulnerability coordination and bug bounty platform, was affected by a sophisticated supply chain attack that compromised its Salesforce environment through a third-party application. The attack was caused by compromised OAuth tokens associated with Salesloft's Drift application, which enabled unauthorized actors to access connected Salesforce instances.

What is HackerOne and what services do they provide?

HackerOne is a vulnerability coordination and bug bounty platform that connects organizations with security researchers to identify and resolve security vulnerabilities. The platform facilitates responsible disclosure of security issues and manages bug bounty programs for companies worldwide.

What data was exposed in the HackerOne attack?

The exposed data includes general Salesforce contact records, standard account details and information, business correspondence and communications, and administrative and operational data.

How many people were affected by the HackerOne breach?

The number of affected individuals has not been disclosed by HackerOne.

What is Salesloft's Drift application?

Salesloft's Drift application is a third-party tool that integrates with Salesforce environments to provide sales and customer engagement capabilities. The compromise of OAuth tokens associated with this application enabled the broader supply chain attack.

What makes this attack a 'supply chain attack'?

This is considered a supply chain attack because the compromise occurred through a trusted third-party application (Salesloft's Drift) that had legitimate access to multiple organizations' Salesforce environments. Attackers exploited this trust relationship to access downstream customers.

Were OAuth tokens the primary attack vector?

Yes, the attack was specifically caused by compromised OAuth tokens associated with Salesloft's Drift application. These tokens provided the unauthorized actors with legitimate-appearing access to connected Salesforce instances across multiple organizations.

What does this breach mean for the broader cybersecurity community?

This breach is particularly significant because it affects HackerOne, a major platform in the cybersecurity community. While sensitive vulnerability data wasn't compromised, it highlights the risks of supply chain attacks even for security-focused organizations and the importance of third-party risk management.

How widespread was the overall supply chain attack?

According to Google Threat Intelligence Group assessments, this supply chain attack impacted over 700 organizations globally, making it one of the more significant widespread cybersecurity incidents involving third-party application compromise.

Incident

HackerOne reports data breach through third-party Salesforce Drift Integration

Q: How did the supply chain attack on HackerOne occur?

The attack was caused by a compromise of OAuth tokens associated with Salesloft's Drift application, which enabled unauthorized actors to access connected Salesforce instances across multiple organizations, including HackerOne's environment.

Q: Were vulnerability submissions compromised in the HackerOne breach?

No, HackerOne claims that no customer vulnerability submissions, private security reports, exploit details, proof-of-concept code, or vulnerability assessments were exposed in the incident. The breach was limited to general Salesforce data.

Q: Is this HackerOne incident part of a larger attack?

Yes, this incident represents part of a much larger supply chain attack that impacted over 700 organizations globally, according to Google Threat Intelligence Group assessments, making it a significant widespread cybersecurity incident.

published: Sept. 11, 2025

Learn More

HackerOne, a vulnerability coordination and bug bounty platform, reports it was affected by a sophisticated supply chain attack that compromised its Salesforce environment through a third-party application.

The cause of the attack was a compromise of OAuth tokens associated with Salesloft's Drift application, which enabled unauthorized actors to access connected Salesforce instances across multiple organizations.

HackerOne was initially notified of the potential compromise by Salesforce on Friday, August 22, 2025, with confirmation from Salesloft following on August 23, 2025. Exposed data includes:

General Salesforce contact records
Standard account details and information
Business correspondence and communications
Administrative and operational data

The number of affected individuals is not disclosed.

HackerOne disabled the affected Drift integration and engaged external forensic experts to verify the complete extent of the breach and ensure no residual unauthorized access remained. The company claims that no customer vulnerability submissions, private security reports, exploit details, proof-of-concept code, or vulnerability assessments were exposed in the incident.

This incident represents part of a much larger supply chain attack that impacted over 700 organizations globally, according to Google Threat Intelligence Group assessments.

HackerOne reports data breach through third-party Salesforce Drift Integration

Read More
Ransomware attack on NHS technology provider DXS International …
Adidas Korea customer info exposed through third-party breach
Swiss Air Force documents exposed via cyber attack …
Canadian Federal Government agencies hit by cyberattack through …
Sovos Compliance reports MOVEit related data breach