Incident

Massive data breach compromises over 700 organizations through Salesloft Drift OAuth token compromise

Take action: If you used the Drift chat application with Salesforce, assume your Salesforce data has been compromised and stolen. Immediately rotate all passwords, revoke and regenerate all API keys (especially AWS, Snowflake, VPN credentials), and review your access logs for any suspicious activity.

Google Threat Intelligence Group (GTIG) is reporting a data theft campaign that compromised hundreds of Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party AI chat application.

The campaign systematically targeted Salesforce environments between August 8 and August 18, 2025. The attack did not exploit any vulnerability in the core Salesforce platform. Instead, it relied on compromised OAuth tokens belonging to Salesloft Drift, a third-party AI chatbot integrated with Salesforce for sales and marketing operations.

The threat actors used the stolen OAuth credentials to systematically export large volumes of corporate data from the respective Salesforce instances.

GTIG is aware of over 700 potentially impacted organizations, even though Salesforce characterized the impact as affecting only "a small number of customers" and stated that all affected organizations were directly notified.

Security experts have noted that many of the targeted organizations were themselves security and technology companies. The primary intent of the campaign was credential harvesting. The attackers searched the exfiltrated data for:

  • AWS access keys - long-term Amazon Web Services access key identifiers, recognizable by their AKIA prefix
  • Passwords - Various authentication credentials stored in Salesforce objects
  • Snowflake-related access tokens - Data warehouse platform credentials
  • VPN and SSO login credentials - Organization-specific authentication URLs
  • API keys and secrets - Various service credentials stored within Salesforce fields
  • User account information - Including usernames, emails, login dates, and profile data
  • Customer case data - Support tickets and related sensitive information
  • Business opportunity data - Sales pipeline and customer interaction records

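Because the attackers' goal was to mine the exported records for secrets, the first triage step for an affected organization is to run the same kind of search over its own Salesforce export and rotate everything that turns up. The following scanner is an added example written for this page; it is not code from GTIG, Salesforce or Salesloft. The CSV rows, the key `AKIAIOSFODNN7EXAMPLE` (the placeholder key from AWS's own documentation) and the field names are constructed. Only the AWS access key ID format (`AKIA` followed by 16 uppercase alphanumerics) is a fixed, documented pattern; the password, Snowflake, VPN/SSO and generic secret matches are keyword heuristics and are expected to produce some false positives.

```python
import csv
import io
import re

# Constructed sample shaped like a Salesforce Case export. Every value below is
# invented for this example; nothing here comes from the actual incident.
SAMPLE_EXPORT_CSV = """Id,Subject,Description
500xx0001,VPN not connecting,"Tried https://vpn.example.test/login with user jdoe, password Winter2025! still fails"
500xx0002,Data pipeline auth,"Lambda uses AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
500xx0003,Billing question,"Customer asks why invoice total changed"
500xx0004,Snowflake access,"set SNOWFLAKE_TOKEN=sf_tok_0123456789abcdef for the reporting job"
"""

# Patterns for the credential types the campaign searched for. The AWS key ID
# regex is exact; the rest are heuristics tuned for recall over precision.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]?\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\bsnowflake[_\-]?(?:token|password|key)\b"),
    "vpn_or_sso_url": re.compile(r"(?i)\bhttps?://[^\s\"']*(?:vpn|sso)[^\s\"']*"),
    "generic_secret_assignment": re.compile(r"(?i)\b(?:api[_\-]?key|secret|token)\s*[:=]\s*\S+"),
}


def redact(match_text):
    """Keep a short prefix so the finding is identifiable without re-logging the secret."""
    return match_text[:8] + "..." if len(match_text) > 8 else match_text


def scan_export(csv_text):
    """Scan every field of every record; return (record id, field, finding kind, redacted match)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, value in row.items():
            if not value:
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(value):
                    findings.append((row["Id"], field, kind, redact(m.group(0))))
    return findings


def rotation_summary(findings):
    """Count findings per credential kind: the to-do list for rotation."""
    summary = {}
    for _, _, kind, _ in findings:
        summary[kind] = summary.get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT_CSV)
    for record_id, field, kind, snippet in results:
        print(f"{record_id} {field:<12} {kind:<26} {snippet}")
    print("rotate:", rotation_summary(results))
```

On a real export, point `scan_export` at the CSV produced by a Data Export or Bulk API job for the objects the integration could read (Cases, Accounts, Contacts, Opportunities, attachments), treat every hit as a credential to rotate rather than something to verify first, and keep the redacted findings list as the record of what was rotated.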
The method by which the OAuth tokens were initially compromised from Salesloft's systems has not been disclosed.

On August 20, 2025, Salesloft collaborated with Salesforce to revoke all active access and refresh tokens associated with the Drift application. Additionally, Salesforce removed the Drift application from the Salesforce AppExchange pending investigation.

Salesloft has engaged third-party digital forensics and incident response (DFIR) firms, including Mandiant and Coalition, to assist with its investigation and with remediation.

The incident did not affect customers who do not use the Drift-Salesforce integration. However, organizations that did use this integration are advised to consider their Salesforce data compromised and rotate credentials, revoke API keys, and review logs.

Update - As of 3 September 2025, Salesloft announced it is taking Drift offline temporarily to conduct a comprehensive security review and rebuild system resilience. The shutdown will disable Drift chatbots on customer websites while the company addresses the currently undisclosed security vulnerabilities that enabled the breach.

As of 7 September 2025, Mandiant has reported its first findings from the investigation into the Drift breach: a threat actor compromised Salesloft's GitHub account from March to June 2025, downloading repository content and conducting reconnaissance. The attacker also breached Drift's AWS environment to steal the OAuth tokens that provided unauthorized access to customers' Salesforce instances. Given this activity, it is possible that the attackers compromised a senior engineer's device or credentials to access these systems.