Salesloft Drift Supply-Chain Breach: How OAuth Tokens Let Hackers Into Salesforce (September 4, 2025)
Summary
In August 2025, attackers stole OAuth tokens from Salesloft’s Drift chatbot integration and used them to access Salesforce data at hundreds of organizations. High-profile victims that disclosed impact include Zscaler, Palo Alto Networks, and Cloudflare. Exposed data varies by company, but often includes business contact info and support case details. The total blast radius is still being assessed. SecurityWeek, Google, Dark Reading
What Happened
According to Google’s Threat Intelligence team, investigators found that on August 28, 2025 the actor had compromised OAuth tokens for the “Drift Email” integration. Evidence shows the tokens were used as early as August 9 to access connected customers’ data via APIs. In some environments, the actor also accessed a small number of Google Workspace mailboxes that had been explicitly integrated with Drift. This was not a breach of Google or Salesforce core platforms, but abuse of trusted third-party tokens. Google Cloud
SecurityWeek reports that between August 8 and 18 the attackers used those compromised tokens to export large volumes of data from victims’ Salesforce instances. This affected hundreds of organizations. SecurityWeek
Who’s Affected (So Far)
- Zscaler disclosed that attackers accessed Salesforce data such as names, business emails, job titles, phone numbers, regional info, product licensing details, commercial info, and some support case content. Zscaler revoked Drift access and rotated tokens. Zscaler, BleepingComputer
- Palo Alto Networks confirmed impact linked to the Drift app and said it disabled the integration and began customer notifications and containment steps. Palo Alto Networks
- Cloudflare said exposed items were limited to Salesforce case objects (subject lines, message bodies that sometimes contained tokens or logs) and basic customer contact details; it revoked the Drift account and rotated credentials. Salesforce Ben
Coverage continues to evolve; Dark Reading notes the full blast radius remains uncertain as more organizations complete investigations and publish notices. Dark Reading
How the Attack Worked (In Simple Terms)
OAuth tokens are like digital keys that apps use to access another service without repeatedly asking you to log in. If a token is stolen from one app (here, Salesloft Drift), an attacker can impersonate that app to pull data from other connected systems (for example, your Salesforce). That’s why this is called a supply-chain or third-party breach: the path into victims ran through a trusted vendor integration, not through the victims’ own login pages. Google Cloud
What Data Was Exposed?
Impact varies by company, but public statements point to business contact details and support case content. That kind of data can still be risky: it helps attackers craft phishing and social-engineering lures that look authentic (e.g., referencing a real ticket number or product). Zscaler, Salesforce Ben
Why This Matters
- Scale: Hundreds of orgs integrated Drift with Salesforce, so a single vendor compromise cascaded across many targets. SecurityWeek
- Trust: OAuth tokens are designed to streamline access. When they’re misused, traditional password defenses don’t help. Google Cloud
- Follow-on Risk: Exposed support logs and contacts are perfect fuel for targeted spear-phishing against customers and employees. Zscaler
What Organizations Should Do Now
- Revoke and rotate: Remove Drift/Salesloft connected apps and rotate all OAuth tokens/API keys tied to Salesforce and related services. Palo Alto Networks, Zscaler
- Audit connected apps: Review every Salesforce Connected App for scope and necessity; enforce least-privilege permissions. Dark Reading
- Log review: Inspect Salesforce Event Monitoring and API logs for abnormal export activity between Aug 8 and 18 (and beyond). SecurityWeek
- Notify at-risk contacts: If support case content or contact lists were accessed, warn customers about phishing and implement stepped-up verification for support interactions. Zscaler
- Vendor risk management: Establish processes for rapidly disabling integrations and rotating secrets when a third party is compromised. Dark Reading
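The log-review step above, worked through as an added example (not code from the original article or from any vendor named in it): it aggregates rows exported per user and connected app inside the Aug 8–18 window and flags large totals or any activity from a connected app under investigation. The column names are modeled on a Salesforce EventLogFile "API" export but are an assumption here, and the log lines are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of a Salesforce EventLogFile "API" export.
# Column names are modeled on that format but are an assumption for this example.
SAMPLE_API_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-08-02T10:15:00.000Z,005000000000AAA,Drift Email,Contact,120
API,2025-08-12T03:02:11.000Z,005000000000AAA,Drift Email,Contact,48000
API,2025-08-12T03:09:45.000Z,005000000000AAA,Drift Email,Case,31000
API,2025-08-12T03:15:02.000Z,005000000000AAA,Drift Email,Account,12000
API,2025-08-12T09:30:00.000Z,005000000000BBB,Salesforce for Outlook,Contact,25
API,2025-08-13T14:05:00.000Z,005000000000CCC,Data Loader,Lead,2500
"""

WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive; covers Aug 8-18

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def flag_abnormal_exports(log_text, start=WINDOW_START, end=WINDOW_END,
                          row_threshold=10000, suspect_clients=("drift",)):
    """Sum ROWS_PROCESSED per (user, client) inside the window and flag totals
    above row_threshold or any call made by a suspect connected app."""
    totals = defaultdict(lambda: {"rows": 0, "objects": set(), "calls": 0})
    for rec in csv.DictReader(io.StringIO(log_text)):
        ts = parse_ts(rec["TIMESTAMP_DERIVED"])
        if not (start <= ts < end):
            continue  # outside the window the public reports describe
        agg = totals[(rec["USER_ID"], rec["CLIENT_NAME"])]
        agg["rows"] += int(rec["ROWS_PROCESSED"] or 0)
        agg["objects"].add(rec["ENTITY_NAME"])
        agg["calls"] += 1
    findings = []
    for (user, client), agg in totals.items():
        reasons = []
        if agg["rows"] >= row_threshold:
            reasons.append(f"{agg['rows']} rows across {agg['calls']} calls")
        if any(s in client.lower() for s in suspect_clients):
            reasons.append("activity from a connected app under investigation")
        if reasons:
            findings.append({"user": user, "client": client,
                             "objects": sorted(agg["objects"]), "reasons": reasons})
    return sorted(findings, key=lambda f: f["client"])

if __name__ == "__main__":
    for finding in flag_abnormal_exports(SAMPLE_API_LOG):
        print(finding)
```

Tune row_threshold to your org's normal API volume; a rolling baseline per connected app is a better cutoff than a fixed number.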
What Individuals Can Do
- Be cautious with unsolicited emails or calls referencing real ticket numbers or past support cases.
- Avoid clicking links in messages; go directly to the vendor portal you know.
- Enable multi-factor authentication (prefer app-based or security keys over SMS).
- Use a privacy tool that helps reduce tracking and alerts you if your data appears in breaches.
How Cyber Privacy Suite Can Help
While enterprises must fix their integrations, individuals and small teams can still reduce risk. Cyber Privacy Suite (Windows, Mac, Android, iOS) helps by:
- Blocking online tracking and cleaning digital footprints.
- Running Dark Web scans for signs your data appears in known breaches.
- Finding sensitive documents stored locally (IDs, bank details) so you can secure or remove them.
- Providing VPN protection on public Wi-Fi and optional camera/microphone blockers on mobile.
These protections reduce the chances that stolen contact info leads to successful phishing, profile building, or account takeover. Learn more: https://shieldapps.com/products/cyber-privacy-suite/ . shieldapps.com, Google Play
References
- SecurityWeek — “Security Firms Hit by Salesforce–Salesloft Drift Breach” (Sept 3–4, 2025 updates). SecurityWeek
- Google Threat Intelligence — “Widespread Data Theft Targets Salesforce Instances via Salesloft Drift” (Aug 26, 2025, updated Aug 28). Google Cloud
- Zscaler — “Salesloft Drift Supply Chain Incident: Key Details and Zscaler’s Response” (Aug 30–Sept 1, 2025). Zscaler
- BleepingComputer — “Zscaler data breach exposes customer info after Salesloft Drift compromise” (Sept 1, 2025). BleepingComputer
- Palo Alto Networks — “Salesforce-Connected Third-Party Drift Application Incident Response” (Sept 2, 2025). Palo Alto Networks
- Dark Reading — “Blast Radius of Salesloft Drift Attacks Remains Uncertain” (Sept 4, 2025). Dark Reading
- SalesforceBen — “Cloudflare Confirms Salesforce Data Compromised via Salesloft Chatbot” (Sept 3, 2025). Salesforce Ben