
A recent breach of the Salesloft-Drift integration allowed attackers to steal OAuth tokens and access Salesforce data at major companies like Cloudflare, Zscaler, and Palo Alto Networks.
In August 2025, attackers exploited a vulnerability in Salesloft’s integration with the Drift AI chatbot to siphon data from several tech companies. Once they obtained Drift’s OAuth tokens, they retrieved business contact information and support ticket contents from the affected Salesforce environments.
Understanding Salesloft and the Drift Chatbot
Salesloft is a cloud-based sales platform used by over 5,000 companies for lead management. It integrated Drift, an AI chatbot, to engage visitors and sync leads into Salesforce using OAuth authentication. Drift’s use of OAuth 2.0 tokens means it can upload lead data to Salesforce without exposing user passwords.
How the Breach Unfolded
Salesloft reported a security issue in the Drift application on August 20, 2025. Google’s Threat Intelligence Group (GTIG) confirmed that threat actors (tracked as UNC6395) had stolen Drift OAuth tokens and used them to exfiltrate data from hundreds of Salesforce instances. Using the stolen tokens, the attackers ran Salesforce queries to search for secrets such as AWS access keys, Snowflake tokens and passwords.
Google warned that the breach extended beyond Salesforce. The stolen tokens could reach dozens of other cloud services. GTIG advised organizations to assume their data was compromised and to invalidate all connected tokens and keys. Salesforce itself quickly blocked the Drift integration to contain the damage.
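Acting on that advice means more than revoking the tokens: a defender also needs to know which secrets sat in the support cases the tokens could read, so those can be rotated too. The following is an added triage example, not code from Salesloft, Drift, Salesforce or GTIG. It scans a constructed export of Salesforce Case records for credential-like strings; the AWS access key ID shape is the one AWS documents, while the other patterns are heuristics assumed for this example, and every sample record is constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample export of Salesforce Case records (not real data).
# Case 2 uses the well-known AWS documentation example key pair.
SAMPLE_CASES = [
    {"Id": "500TEST00000001", "Subject": "Login issue",
     "Description": "User cannot log in after password reset. No further details."},
    {"Id": "500TEST00000002", "Subject": "S3 upload failing",
     "Description": "Here is my config:\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500TEST00000003", "Subject": "Snowflake connector",
     "Description": "Connect with password=Sup3rS3cret! and account=xy12345"},
]


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    snippet: str   # redacted prefix only, so the report does not re-leak the secret


# Detection rules as (kind, regex). Rules with a capture group report group 1,
# otherwise the whole match. The AWS key ID format is documented by AWS; the
# remaining patterns are heuristic assumptions for this example.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})", re.I)),
    ("password_assignment",
     re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*(\S{6,})", re.I)),
    ("generic_credential",
     re.compile(r"\b(?:api[_-]?key|token|secret)\s*[=:]\s*(\S{8,})", re.I)),
]


def redact(value: str) -> str:
    """Keep a 4-character prefix so a responder can tell keys apart without copying them."""
    return value[:4] + "…" if len(value) > 4 else "****"


def scan_case(case: dict) -> list[Finding]:
    """Run every rule over the subject and description of one Case record."""
    text = f"{case.get('Subject', '')}\n{case.get('Description', '')}"
    findings = []
    for kind, rx in RULES:
        for m in rx.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(case["Id"], kind, redact(secret)))
    return findings


def scan_export(cases: list[dict]) -> dict[str, list[Finding]]:
    """Return {case_id: findings} for every case containing credential-like strings."""
    report = {}
    for case in cases:
        hits = scan_case(case)
        if hits:
            report[case["Id"]] = hits
    return report


if __name__ == "__main__":
    for case_id, hits in scan_export(SAMPLE_CASES).items():
        for f in hits:
            print(f"{case_id}: {f.kind} ({f.snippet})")
```

The output is a worklist of case IDs and secret types, which is what a response team needs to drive rotation; the redaction keeps the triage report itself from becoming another copy of the exposed credentials.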
Impact on Major Tech Companies
Several companies confirmed that attackers used the compromised Drift tokens to access their Salesforce data:
- Cloudflare: The provider said attackers accessed its Salesforce support case system (Aug 12–17) and downloaded customer support tickets (case objects with email correspondence and contact info). Cloudflare found 104 API tokens in the stolen data; none were misused, and all were rotated out of caution. The company said its own services were not affected.
- Zscaler: The cloud security firm reported that attackers reached its Salesforce instance via the Drift integration. Only basic contact and license data were exposed. Zscaler revoked the Drift connection and rotated related API keys, noting that no products, services or customer systems were harmed.
- Palo Alto Networks: The cybersecurity company’s incident response team confirmed attackers accessed its Salesforce CRM using the stolen tokens. They exfiltrated business contact information and case notes. Palo Alto said none of its core products or systems were compromised and is notifying any affected customers.
In total, hundreds of organizations were targeted during this campaign. Google’s investigation indicated that roughly 700 or more Salesforce instances could have been reached. While not every Salesloft customer was impacted, the incident shows how a breach in one vendor’s integration can cascade across many enterprises.
Broader Implications for SaaS Security
Experts warn this incident highlights the dangers of third-party SaaS integrations. AppOmni’s Cory Michal noted these breaches “raise the stakes well beyond typical SaaS compromises,” particularly because support tickets can contain sensitive data like API keys and credentials.
The attack also illustrates “authorization sprawl,” where attackers abuse legitimate OAuth/SSO tokens to move laterally. As one analyst explained, by using stolen tokens the attackers effectively “use the resources already available to them as authorized users,” bypassing traditional malware or phishing methods.
Key Takeaways and Response Steps
- Revoke Compromised Tokens: Immediately invalidate any OAuth tokens or API keys tied to the Salesloft-Drift integration. Google and responders stressed that all such tokens must be treated as compromised and replaced.
- Audit Third-Party Integrations: Review and limit permissions for external applications. Remove unused integrations. In this breach, disabling the vulnerable Drift connector after discovery was critical to stopping further access.
- Monitor Anomalous Activity: Enable logging and alerts for unusual data exports or API calls in critical systems (CRM, support portals, etc.). Unexpected query patterns can indicate stolen tokens in use.
- Vendor Risk Management: Stay informed about security issues at your vendors. For example, Okta confirmed it was targeted in this campaign but blocked the attempt, because the stolen token was presented from an IP address Okta did not recognize.
- Incident Preparedness: Develop response plans for token/API breaches. Since this attack involved valid credentials rather than malware, playbooks should include steps to rapidly cut off API-based intrusions and rotate keys.
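The monitoring, vendor-risk and preparedness steps above come down to three checks over API telemetry: is the connected app calling from the egress ranges the vendor published (the control that stopped the attempt at Okta), is it pulling sensitive objects in bulk, and does its query text look like a search for credentials. The following is an added example, not Salesforce, Salesloft or Drift code and not a reproduction of any real vendor's detection rules. It runs those checks over constructed API event records; the app names, IP ranges, thresholds and keyword list are all assumptions for this example, and the events are constructed.

```python
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Per-connected-app baseline: the egress ranges each vendor has told us its
# integration calls from. Constructed for this example (RFC 5737 test ranges).
APP_BASELINE = {
    "drift-chatbot": [ipaddress.ip_network("203.0.113.0/24")],
    "billing-sync": [ipaddress.ip_network("198.51.100.0/24")],
}
SENSITIVE_OBJECTS = {"Case", "Contact", "Account"}
BULK_ROW_THRESHOLD = 1000   # rows per (app, source IP) session on sensitive objects; assumed
# SOQL LIKE filters that search record text for credential-like content; assumed keyword list.
SECRET_HUNT = re.compile(
    r"LIKE\s+'%[^']*(?:password|secret|akia|aws_|snowflake|token)[^']*%'", re.I)


@dataclass(frozen=True)
class ApiEvent:
    ts: str
    app: str          # connected app / OAuth client that presented the token
    source_ip: str
    sobject: str      # Salesforce object the query read
    rows: int         # rows returned
    query: str        # SOQL text as logged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ApiEvent("2025-08-12T09:00:00Z", "drift-chatbot", "203.0.113.10", "Lead", 3,
             "SELECT Id, Email FROM Lead WHERE Id = '00QTEST000001'"),
    ApiEvent("2025-08-12T09:01:00Z", "drift-chatbot", "192.0.2.77", "Case", 2500,
             "SELECT Id, Subject, Description FROM Case"),
    ApiEvent("2025-08-12T09:02:00Z", "drift-chatbot", "192.0.2.77", "Case", 40,
             "SELECT Id, Description FROM Case WHERE Description LIKE '%password%'"),
    ApiEvent("2025-08-12T09:03:00Z", "billing-sync", "198.51.100.5", "Account", 20,
             "SELECT Id, Name FROM Account WHERE LastModifiedDate = TODAY"),
]


def ip_known(app: str, ip: str) -> bool:
    """True if the source address falls inside the app's published egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APP_BASELINE.get(app, []))


def evaluate(events: list[ApiEvent]) -> list[tuple[str, str]]:
    """Return (rule, detail) alerts, each fired once per (app, source IP) session.

    unknown_source_ip    - token used from outside the vendor's published ranges
    bulk_sensitive_read  - cumulative rows on sensitive objects crossed the threshold
    secret_hunting_query - SOQL filter searches record text for credential keywords
    """
    alerts: list[tuple[str, str]] = []
    rows_per_session: dict[tuple[str, str], int] = defaultdict(int)
    flagged_sessions: set[tuple[str, str]] = set()
    for e in events:
        session = (e.app, e.source_ip)
        if not ip_known(e.app, e.source_ip) and session not in flagged_sessions:
            flagged_sessions.add(session)
            alerts.append(("unknown_source_ip", f"{e.app} from {e.source_ip} at {e.ts}"))
        if e.sobject in SENSITIVE_OBJECTS:
            before = rows_per_session[session]
            rows_per_session[session] = before + e.rows
            if before <= BULK_ROW_THRESHOLD < before + e.rows:   # alert once, on crossing
                alerts.append(("bulk_sensitive_read",
                               f"{e.app} from {e.source_ip} read {before + e.rows} {e.sobject} rows"))
        if SECRET_HUNT.search(e.query):
            alerts.append(("secret_hunting_query", f"{e.app} from {e.source_ip}: {e.query}"))
    return alerts


def apps_to_revoke(alerts: list[tuple[str, str]]) -> set[str]:
    """Connected apps whose tokens should be treated as compromised and revoked."""
    return {detail.split(" from ")[0] for _, detail in alerts}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"[{rule}] {detail}")
    print("revoke tokens for:", sorted(apps_to_revoke(found)))
```

The three rules are independent on purpose: the unknown-IP check fires on the first call from outside the baseline, before any data has been read, while the bulk and keyword checks catch the case where a vendor's ranges are unknown or the attacker is inside them. Because the attack used valid tokens rather than malware, the output is a list of connected apps to revoke, which is the action the playbook above calls for.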
The Salesloft-Drift breach is a stark reminder that even minor SaaS add-ons can become critical attack vectors. By compromising a seemingly small chatbot integration, attackers managed to expose sensitive data at major companies. Cybersecurity teams should treat every OAuth token, API key and service connection as a potential risk, with strict controls and incident response plans in place.