Salesloft (Drift)

Salesloft’s Drift platform, a widely used AI-powered chatbot and marketing SaaS tool, was compromised in a large-scale supply chain attack by the threat cluster UNC6395 (GRUB1). The attackers used stolen OAuth and refresh tokens tied to Drift to breach over 700 organizations, primarily by accessing their Salesforce instances and potentially other integrated platforms. The breach enabled mass theft of authentication tokens, exposing customer credentials and sensitive data for use in future targeted attacks. Salesloft responded by temporarily taking Drift offline to mitigate the risk, while Salesforce preemptively disabled all Salesloft integrations. Companies such as Cloudflare confirmed that the incident was part of a coordinated campaign to harvest credentials for follow-on attacks. The initial access vector remains undisclosed, but the scale suggests systemic weaknesses in Drift’s security architecture, risking long-term reputational damage, financial fraud, and operational disruption across affected enterprises.

Source: https://thehackernews.com/2025/09/salesloft-takes-drift-offline-after.html

TPRM report: https://www.rankiteo.com/company/drift

{
  "id": "dri514090325",
  "linkid": "drift",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '700+ Organizations',
                        'industry': 'Sales Engagement/Marketing',
                        'name': 'Salesloft',
                        'type': 'SaaS Provider'},
                       {'customers_affected': '700+ Organizations (Indirectly)',
                        'industry': 'Marketing Technology',
                        'name': 'Drift (via Salesloft Integration)',
                        'type': 'AI Chatbot Platform'},
                       {'industry': 'Multiple (Including Cloudflare)',
                        'location': 'Global',
                        'name': 'Salesforce Customers (via Drift Integration)',
                        'type': ['B2B', 'B2C']}],
 'attack_vector': ['Compromised OAuth Tokens',
                   'Refresh Token Theft',
                   'Third-Party Application (Drift) Exploitation'],
 'customer_advisories': ['Potential Future Targeted Attacks Warned by '
                         'Cloudflare'],
 'data_breach': {'data_exfiltration': ['Confirmed (Tokens)',
                                       'Suspected (Customer Data)'],
                 'personally_identifiable_information': ['Potential (If '
                                                         'Customer Data '
                                                         'Accessed)'],
                 'sensitivity_of_data': ['High (Tokens Enable System Access)',
                                         'Potentially PII if Customer Data '
                                         'Exfiltrated'],
                 'type_of_data_compromised': ['Authentication Tokens',
                                              'Potential Customer Data']},
 'date_detected': '2025-08-18',
 'date_publicly_disclosed': '2025-08-20',
 'description': 'Salesloft announced taking Drift temporarily offline due to a '
                'far-reaching supply chain attack targeting the marketing SaaS '
                'product. The attack involved the mass theft of authentication '
                'tokens (OAuth and refresh tokens) associated with Drift’s AI '
                'chat agent, compromising Salesforce instances of over 700 '
                'organizations. The threat actor, UNC6395 (aka GRUB1), '
                'exploited these tokens to breach customer systems between '
                'August 8–18, 2025. Salesloft is collaborating with Mandiant '
                'and Coalition for incident response. Salesforce disabled all '
                'Salesloft integrations as a precaution. The initial access '
                'vector remains unknown, but the attack is suspected to enable '
                'future targeted credential harvesting and customer data '
                'theft.',
 'impact': {'brand_reputation_impact': ['Loss of Trust in SaaS Security',
                                        'Potential Customer Churn'],
            'data_compromised': ['Authentication Tokens (OAuth/Refresh)',
                                 'Customer Data (Potential)',
                                 'Salesforce Instance Access'],
            'downtime': ['Drift Chatbot Unavailable',
                         'Salesloft-Drift Integrations Disabled Temporarily'],
            'identity_theft_risk': ['High (Due to Stolen Credentials)'],
            'operational_impact': ['Disruption of Customer Support Channels',
                                   'Incident Response Coordination Overhead'],
            'systems_affected': ['Salesloft Drift',
                                 'Salesforce Customer Instances',
                                 'Platforms Integrated with Drift']},
 'initial_access_broker': {'data_sold_on_dark_web': ['Potential (Stolen '
                                                     'Tokens/Credentials)'],
                           'high_value_targets': ['Salesforce Customer '
                                                  'Instances',
                                                  'Drift-Integrated '
                                                  'Platforms']},
 'investigation_status': 'Ongoing (Initial Access Vector Unknown)',
 'motivation': ['Credential Harvesting',
                'Future Targeted Attacks',
                'Data Exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['System Resiliency '
                                                   'Enhancements',
                                                   'Token Management Review'],
                            'root_causes': ['Weak Token Security in Drift '
                                            'Integration',
                                            'Supply Chain Vulnerability']},
 'ransomware': {'data_exfiltration': ['Tokens (Confirmed)',
                                      'Customer Data (Suspected)']},
 'references': [{'source': 'The Hacker News'},
                {'date_accessed': '2025-08-20',
                 'source': 'Salesloft Public Announcement'},
                {'source': 'Google Threat Intelligence Group (GTIG) & Mandiant '
                           'Report'}],
 'response': {'communication_strategy': ['Public Announcement',
                                         'Customer Advisories (Implied)'],
              'containment_measures': ['Temporarily Taking Drift Offline',
                                       'Disabling Salesloft-Salesforce '
                                       'Integrations'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Comprehensive Application Review',
                                       'Building Additional Resiliency in '
                                       'Drift System'],
              'third_party_assistance': ['Mandiant', 'Coalition']},
 'stakeholder_advisories': ['Salesforce Integration Disabled',
                            'Drift Chatbot Unavailable'],
 'threat_actor': ['UNC6395', 'GRUB1'],
 'title': 'Supply Chain Attack on Salesloft Drift Leading to Mass Theft of '
          'Authentication Tokens',
 'type': ['Supply Chain Attack', 'Data Theft', 'Credential Harvesting'],
 'vulnerability_exploited': ['Weak Token Management in Drift Integration',
                             'Lateral Movement via Salesforce OAuth']}