Salesloft Drift third-party API key revocation guidance
Advisory/Mitigation
Summary
Salesloft issued proactive revocation guidance for third-party applications integrated with Drift via API key, reducing the risk of continued unauthorized access after the breach. The company said customers should revoke existing keys rather than keep using them. The advice follows a supply chain compromise that prompted broader containment actions around Drift. The scope covers organizations using Drift-connected third-party apps.
Related Happenings
ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps
Campaign
First: 21.11.2025 07:32
Last: 21.11.2025 07:32
Sources 1
About this happening:
The **ShinyHunters (UNC6240)** campaign targeting **Gainsight-published applications connected to Salesforce** is expanding a multi-organization SaaS integration abuse pattern tha...
Google Workspace integration visibility and step-up controls against stolen OAuth tokens
Defensive Guidance
First: 08.10.2025 17:02
Last: 08.10.2025 17:02
Sources 1
About this happening:
**Google Workspace** is responding to the **Salesloft Drift** token-abuse campaign by treating **all authentication tokens** stored in or connected to Drift as potentially comprom...
Red Hat Consulting exposure assessment and credential rotation advisory
Advisory/Mitigation
First: 02.10.2025 18:46
Last: 02.10.2025 18:46
Sources 1
About this happening:
The **Centre for Cybersecurity Belgium (CCB)** urged organizations using **Red Hat Consulting** to rotate shared **tokens, keys, and credentials** after a consulting-related repos...
Salesloft hit by network compromise
Incident
First: 13.09.2025 12:04
Last: 13.09.2025 12:04
Sources 1
How related:
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account.
About this happening:
**Salesloft/Drift** is a **token abuse incident** tied to a **GitHub account breach** at Salesloft that began as early as **March 2025** and led to compromise of the **Drift appli...
UNC6395 Salesloft Drift OAuth token theft campaign targeting Salesforce
Campaign
First: 29.08.2025 10:24
Last: 29.08.2025 10:24
Sources 1
How related:
In the next phase, the attackers accessed Drift's Amazon Web Services (AWS) environment and obtained OAuth tokens for Drift customers' technology integrations, with the stolen OAuth tokens used to access data via Drift integrations.
About this happening:
The **UNC6395** campaign is broader than first reported, with **Salesloft Drift OAuth tokens** now treated as potentially compromised across **all integrations**. Attackers used s...
Latest development: 08.09.2025 23:17
Salesloft said Mandiant determined UNC6395's intrusion into the company began as early as March with a compromised GitHub account, followed by data downloads from multiple Salesloft repositories and reconnaissance in the Salesloft and Drift environments between March and June. The intruders then reached Drift's Amazon Web Services (AWS) environment and stole OAuth tokens for Drift customers' technology integrations, extending the token-theft campaign beyond Salesforce.
Timeline
- 08.09.2025 18:26 · 1 article
  Salesloft isolates Drift and takes the application offline
  Mitigation Patch Update
  Salesloft isolated the Drift infrastructure, application, and code, took the application offline effective September 5, 2025 at 6 a.m. ET, rotated credentials in the Salesloft environment, and hardened segmentation controls between Salesloft and Drift applications.
  Sources:
  - GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- 08.09.2025 18:26 · 1 article
  Salesforce restores Salesloft integrations while Drift stays disabled
  Mitigation Patch Update
  Salesforce restored integrations with Salesloft technologies on September 7, 2025 at 5:51 p.m. UTC after temporarily suspending them on August 28, while the Drift app remained disabled until further notice as part of the security response.
  Sources:
  - GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- 08.09.2025 18:26 · 2 articles
  Salesloft tells Drift-integrated apps to revoke existing API keys
  Mitigation Patch Update
  Salesloft recommended that all third-party applications integrated with Drift via API key proactively revoke existing keys to reduce the risk of continued unauthorized access after the compromise of its GitHub account.
  Sources:
  - GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
  - GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26