How did attackers gain access to SpyCloud's customer data?

The compromised OAuth tokens allowed unauthorized access to Salesforce instances of organizations that had integrated Drift with their Salesforce systems. SpyCloud was previously a customer of Salesloft and Drift, making their Salesforce environment accessible through the compromised authentication tokens.

What types of data were exposed in the SpyCloud breach?

The exposed data includes standard customer relationship management fields in Salesforce, data relating to customer relationships with SpyCloud, business contact information and relationship details, and customer communication and interaction records stored within their CRM system.

How many SpyCloud customers were affected by the breach?

The number of affected SpyCloud customers or individuals has not been disclosed by the company. SpyCloud has not provided specific figures regarding the scope of customer relationship data that may have been compromised.

What should SpyCloud customers watch out for after this breach?

SpyCloud has advised customers to be careful with unusual communications, especially emails requesting passwords or related to payment terms. Given that business contact information was exposed, customers should be vigilant for social engineering attempts that may appear to come from legitimate sources.

Was this SpyCloud breach part of a larger attack campaign?

Yes, the SpyCloud breach was part of the widespread Salesloft Drift security incident that affected multiple organizations globally. The compromised OAuth tokens enabled attackers to access Salesforce environments across numerous companies that had integrated Drift with their CRM systems.

What makes this breach particularly concerning for an identity protection company?

As an identity threat protection company, SpyCloud specializes in helping organizations prevent identity-based attacks. The irony of a cybersecurity company being compromised through a supply chain attack demonstrates how sophisticated these threats have become and how even security-focused organizations can be vulnerable to third-party integration risks. However, the company's core protective services remained secure and operational.

Incident

SpyCloud confirms data exposure in Salesloft Drift supply chain attack

Q: What happened to SpyCloud in the Salesloft Drift security incident?

SpyCloud, an identity threat protection company, reported that customer relationship management data was potentially compromised as part of the widespread Salesloft Drift security incident. The incident was caused by hackers who targeted Salesforce customer instances through compromised OAuth authentication tokens associated with the Salesloft Drift application.

Q: Were SpyCloud's core security services affected by the breach?

No, SpyCloud claims that consumer data is not believed to have been accessed, and their core darknet monitoring and identity protection services are not affected by the incident. The breach was limited to customer relationship management data stored in their Salesforce environment.

published: Sept. 2, 2025

Learn More

SpyCloud, an identity threat protection company, is reporting that customer relationship management data was potentially compromised as part of the widespread Salesloft Drift security incident.

The incident was caused by hackers who targeted Salesforce customer instances through compromised OAuth authentication tokens associated with the Salesloft Drift application. SpyCloud was previously a customer of Salesloft and Drift.

The compromised tokens allowed unauthorized access to Salesforce instances of organizations that had integrated Drift with their Salesforce systems. Exposed data includes:

Standard customer relationship management fields in Salesforce
Data relating to customer relationships with SpyCloud
Business contact information and relationship details
Customer communication and interaction records

The number of affected SpyCloud customers or individuals has not been disclosed.

SpyCloud terminated token access and reviewed all systems and cloud-based tools for any aspects of Salesloft or Drift applications or integrations, deactivating all such integrations.

The company claims that consumer data is not believed to have been accessed, and their core darknet monitoring and identity protection services are not affected by the incident.

SpyCloud has advised customers to be careful with unusual communications, especially emails requesting passwords or related to payment terms. Customers who have concerns about communications claiming to be from SpyCloud, should contact security@spycloud.com or their designated customer success managers through verified channels.

SpyCloud confirms data exposure in Salesloft Drift supply chain attack

Read More
Hawaii Medical Service Administration reports third party data …
British Airways and BBC staff data stolen in …
Neighbourly social network offline after claims of data …
Infinite Campus Salesforce Breach Exposes School Staff Data
Cooler Master data breach exposing 500k customers