UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
Summary
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information.
The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The threat actor demonstrated operational security awareness, deleting query jobs to cover tracks. The campaign may indicate a broader supply chain attack strategy. Google has revealed that the campaign impacts all Drift integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk.
Salesloft and Salesforce have taken remediation steps. Salesloft has revoked connections, advised customers to re-authenticate Salesforce integrations, and engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Salesloft is temporarily taking Drift offline to review the application and build additional security measures.
Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
Timeline
-
04.09.2025 19:52 · 1 article
Okta Prevents Salesforce Instance Breach with Enhanced Security Measures
Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Okta suggests that every SaaS vendor should support the ability to constrain the use of an access token by IP and by client to reduce the value of a stolen access token to an attacker. Okta advises that SaaS vendors should consider whether the permissions available for machine-to-machine integrations are granular enough to reduce the total loss of data arising from the theft of tokens.
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
03.09.2025 19:40 · 2 articles
Workiva impacted by Salesforce data breach
The article reiterates that Workiva, a cloud-based SaaS provider, was impacted by the Salesforce data breach. The attackers exfiltrated a limited set of business contact information from Workiva, including names, email addresses, phone numbers, and support ticket content. The breach is part of the ongoing Salesforce data theft campaign linked to the ShinyHunters extortion group. The incident highlights the broader impact of the Salesforce data breaches, affecting numerous high-profile companies and emphasizing the need for vigilance against potential spear-phishing attacks.
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
03.09.2025 06:53 · 2 articles
Salesloft Temporarily Takes Drift Offline for Security Review
The article reiterates that Salesloft is temporarily taking Drift offline to comprehensively review the application and build additional security measures. The company is working with cybersecurity partners Mandiant and Coalition for incident response.
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
02.09.2025 22:54 · 3 articles
Cloudflare Confirms Data Breach in Salesloft Drift Supply Chain Attack
The article reiterates that the threat actor used Salesloft integration credentials to access Cloudflare's Salesforce instance, ran queries for several days for reconnaissance, and launched a Salesforce Bulk API 2.0 job on August 17 to exfiltrate a database in roughly three minutes.
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
01.09.2025 20:00 · 3 articles
UNC6395 Campaign Linked to ShinyHunters Extortion Group
The article reiterates that ShinyHunters has been targeting Salesforce customers in data theft attacks using voice phishing (vishing) since the start of the year. The extortion group has shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances. The threat actor extracted sensitive information, such as passwords, AWS access keys, and Snowflake tokens, from customer messages and support tickets.
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
29.08.2025 10:24 · 3 articles
Google Workspace Email Accounts Accessed by UNC6395
The article reiterates that the Salesloft supply-chain attack impacted Drift Email, which is used to manage email replies and organize CRM and marketing automation databases. Attackers used stolen OAuth tokens to access Google Workspace email accounts and read emails as part of this breach. Google and Salesforce have temporarily disabled their Drift integrations pending the completion of an investigation.
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
27.08.2025 22:05 · 4 articles
UNC6395 Campaign Unrelated to Previous ShinyHunters Vishing Attacks
The article reiterates that Google has not seen any compelling evidence connecting the Salesloft supply chain attacks to the ShinyHunters extortion group.
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
27.08.2025 12:39 · 9 articles
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
Workiva, a cloud-based SaaS provider, was impacted by the Salesforce data breach. The attackers exfiltrated a limited set of business contact information from Workiva, including names, email addresses, phone numbers, and support ticket content. The breach is part of the ongoing Salesforce data theft campaign linked to the ShinyHunters extortion group. The incident highlights the broader impact of the Salesforce data breaches, affecting numerous high-profile companies and emphasizing the need for vigilance against potential spear-phishing attacks.
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
Information Snippets
-
UNC6395 targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application.
First reported: 27.08.2025 12:39 · 4 sources, 9 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The campaign was active from August 8 to 18, 2025, affecting over 700 organizations.
First reported: 27.08.2025 12:39 · 4 sources, 10 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor exported large volumes of data, including AWS access keys, passwords, and Snowflake tokens.
First reported: 27.08.2025 12:39 · 4 sources, 8 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
UNC6395 demonstrated operational security awareness by deleting query jobs to cover tracks.
First reported: 27.08.2025 12:39 · 4 sources, 8 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesloft identified the security issue on August 20, 2025, and revoked connections between Drift and Salesforce.
First reported: 27.08.2025 12:39 · 3 sources, 4 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesforce confirmed a small number of customers were impacted, and the issue stems from a compromise of the app's connection.
First reported: 27.08.2025 12:39 · 3 sources, 4 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesforce instances have been targeted by other financially motivated threat groups like UNC6040 and UNC6240.
First reported: 27.08.2025 12:39 · 3 sources, 3 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
UNC6395 is a new emerging cluster with no observed connections to other known groups.
First reported: 27.08.2025 12:39 · 2 sources, 2 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The campaign targeted security and technology companies, indicating a potential supply chain attack strategy.
First reported: 27.08.2025 12:39 · 4 sources, 5 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesloft has engaged Mandiant and Coalition for investigation and remediation efforts.
First reported: 27.08.2025 12:39 · 4 sources, 7 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Drift customers are advised to update API keys for connected integrations.
First reported: 27.08.2025 12:39 · 4 sources, 6 articles
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service.
First reported: 27.08.2025 22:05 · 3 sources, 4 articles
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesforce removed the Drift application from the Salesforce AppExchange until further notice.
First reported: 27.08.2025 22:05 · 4 sources, 5 articles
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances.
First reported: 27.08.2025 22:05 · 3 sources, 6 articles
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor searched through the data to look for secrets that could be potentially used to compromise victim environments.
First reported: 27.08.2025 22:05 · 3 sources, 6 articles
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
There is no evidence that logs were impacted, but organizations should still review relevant logs for evidence of data exposure.
First reported: 27.08.2025 22:05 · 2 sources, 4 articles
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The campaign is unrelated to previous vishing attacks attributed to ShinyHunters.
First reported: 27.08.2025 22:05 · 3 sources, 6 articles
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
UNC6395 exploited OAuth tokens to access email from a small number of Google Workspace email accounts on August 9, 2025.
First reported: 29.08.2025 10:24 · 4 sources, 6 articles
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Google revoked the specific OAuth tokens granted to the Drift Email application and disabled the integration functionality between Google Workspace and Salesloft Drift.
First reported: 29.08.2025 10:24 · 4 sources, 5 articles
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Google notified impacted users and urged organizations using Salesloft Drift to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
First reported: 29.08.2025 10:24 · 4 sources, 5 articles
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesloft has revealed that Salesforce has temporarily disabled all Salesloft integrations with Salesforce.
First reported: 29.08.2025 10:24 · 4 sources, 5 articles
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
There is no evidence of malicious activity detected in the Salesloft integrations related to the Drift incident.
First reported: 29.08.2025 10:24 · 4 sources, 4 articles
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Zscaler suffered a data breach after threat actors accessed its Salesforce instance through compromised Salesloft Drift credentials.
First reported: 01.09.2025 20:00 · 3 sources, 5 articles
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The breach exposed customer information, including names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, and content from certain support cases.
First reported: 01.09.2025 20:00 · 3 sources, 5 articles
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Zscaler has revoked all Salesloft Drift integrations to its Salesforce instance, rotated other API tokens, and strengthened customer authentication protocols.
First reported: 01.09.2025 20:00 · 3 sources, 5 articles
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Some researchers believe the Salesloft Drift compromise overlaps with recent Salesforce data theft attacks by the ShinyHunters extortion group.
First reported: 01.09.2025 20:00 · 3 sources, 5 articles
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Palo Alto Networks was affected by the Salesloft Drift OAuth token breach, exposing customer data and support cases.
First reported: 02.09.2025 15:00 · 4 sources, 6 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The breach at Palo Alto Networks was limited to its Salesforce CRM and did not affect any products, systems, or services.
First reported: 02.09.2025 15:00 · 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Palo Alto Networks confirmed that the incident was contained and the application was disabled from its Salesforce environment.
First reported: 02.09.2025 15:00 · 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The attacker extracted business contact information, account records, and basic case data from Palo Alto Networks.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The exfiltrated support case data contained contact info and text comments but not technical support files or attachments.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The campaign targeted support cases to identify sensitive data such as authentication tokens, passwords, and cloud secrets.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case, and Opportunity records.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor deleted queries to hide evidence of the jobs they ran, likely as an anti-forensics technique.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor searched for secrets, including AWS access keys, Snowflake tokens, VPN and SSO login strings, and generic keywords like "password," "secret," or "key."
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actors used automated tools, including custom Python tools, to steal data.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actors mass-exfiltrated data from the Account, Contact, Case, and Opportunity Salesforce objects.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actors deleted logs and used Tor to obfuscate their origin.
First reported: 02.09.2025 15:00 📰 3 sources, 4 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Palo Alto Networks revoked the associated tokens and rotated the credentials following the incident.
First reported: 02.09.2025 15:00 📰 3 sources, 4 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Palo Alto Networks recommends Salesloft Drift customers investigate logs, review integrations, revoke and rotate credentials, and scan code repositories for embedded authentication keys or tokens.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Palo Alto Networks, Salesforce, and Google have disabled Drift integrations while the investigation continues.
First reported: 02.09.2025 15:00 📰 4 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The supply chain attack has impacted other companies, including Zscaler and Google.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Since the beginning of the year, Salesforce has been the target of data theft attacks conducted by members associated with the ShinyHunters extortion group.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
In past attacks, the threat actors conducted voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Google has not seen any compelling evidence connecting the Salesloft supply chain attacks to the ShinyHunters extortion group.
First reported: 02.09.2025 15:00 📰 3 sources, 5 articles
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Cloudflare was impacted by the Salesloft Drift supply-chain attack.
First reported: 02.09.2025 22:54 📰 4 sources, 5 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The breach occurred between August 9 and 17, 2025.
First reported: 02.09.2025 22:54 📰 4 sources, 5 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Cloudflare discovered the breach on August 23, 2025, and notified customers on September 2, 2025.
First reported: 02.09.2025 22:54 📰 3 sources, 4 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Cloudflare rotated all 104 exfiltrated API tokens and found no suspicious activity.
First reported: 02.09.2025 22:54 📰 3 sources, 4 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The exfiltrated data included customer contact information, support case data, and potentially sensitive information like access tokens.
First reported: 02.09.2025 22:54 📰 3 sources, 4 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Cloudflare believes the incident was part of a broader campaign to harvest credentials and customer information for future attacks.
First reported: 02.09.2025 22:54 📰 3 sources, 4 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor targeted support cases to identify sensitive data such as authentication tokens, passwords, and cloud secrets.
First reported: 02.09.2025 22:54 📰 3 sources, 4 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Cloudflare advises customers to rotate any credentials shared through the compromised support system.
First reported: 02.09.2025 22:54 📰 3 sources, 4 articles
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesloft is temporarily taking Drift offline to review the application and build additional security measures.
First reported: 03.09.2025 06:53 📰 4 sources, 4 articles
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Salesloft is working with cybersecurity partners Mandiant and Coalition for incident response.
First reported: 03.09.2025 06:53 📰 4 sources, 4 articles
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The breach impacted additional companies including PagerDuty, Proofpoint, SpyCloud, and Tanium.
First reported: 03.09.2025 06:53 📰 4 sources, 4 articles
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Cloudflare suspects the threat actor will use harvested information to launch targeted attacks against affected organizations.
First reported: 03.09.2025 06:53 📰 4 sources, 4 articles
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor extracted business contact information, account records, and basic case data from Palo Alto Networks.
First reported: 03.09.2025 12:53 📰 3 sources, 3 articles
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The attacker used Salesloft integration credentials to access Cloudflare's Salesforce instance, ran queries for several days for reconnaissance, and launched a Salesforce Bulk API 2.0 job on August 17 to exfiltrate a database in roughly three minutes.
First reported: 03.09.2025 12:53 📰 3 sources, 3 articles
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Cloudflare suspects the threat actor will use the harvested information to launch targeted attacks against affected organizations.
First reported: 03.09.2025 12:53 📰 3 sources, 3 articles
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Workiva, a cloud-based SaaS provider, was impacted by the Salesforce data breach.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The attackers exfiltrated a limited set of business contact information from Workiva, including names, email addresses, phone numbers, and support ticket content.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Workiva's customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, and Mercedes-Benz.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Workiva warned impacted customers to remain vigilant, as the stolen information could be used in spear-phishing attacks.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Workiva's cloud software helps collect, connect, and share data for financial reports, compliance, and audits.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The incident was part of the recent wave of Salesforce data breaches linked to the ShinyHunters extortion group.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
ShinyHunters has been targeting Salesforce customers in data theft attacks using voice phishing (vishing) since the start of the year.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The extortion group has shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
The threat actor extracted sensitive information, such as passwords, AWS access keys, and Snowflake tokens, from customer messages and support tickets.
First reported: 03.09.2025 19:40 📰 2 sources, 2 articles
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework.
First reported: 04.09.2025 19:52 📰 1 source, 1 article
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
First reported: 04.09.2025 19:52 📰 1 source, 1 article
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Palo Alto Networks' Unit 42 recommends organizations conduct an immediate log review for signs of compromise and review and rotate exposed credentials.
First reported: 04.09.2025 19:52 📰 1 source, 1 article
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Okta suggests that every SaaS vendor should support the ability to constrain the use of an access token by IP and by client to reduce the value of a stolen access token to an attacker.
First reported: 04.09.2025 19:52 📰 1 source, 1 article
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
-
Okta advises that SaaS vendors should consider whether the permissions available for machine-to-machine integrations are granular enough to reduce the total loss of data arising from the theft of tokens.
First reported: 04.09.2025 19:52 📰 1 source, 1 article
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52