PagerDuty confirmed a data breach after attackers exploited a vulnerability in Drift’s OAuth integration flow with Salesforce, gaining unauthorized access to its Salesforce account. The incident was initially flagged by Salesloft on August 20, 2025, with confirmation of the OAuth hijacking on August 23. While no PagerDuty credentials (usernames/passwords) were exposed, the breach may have compromised customer and contact data stored in Salesforce, including names, phone numbers, and email addresses.

The company has disabled Salesloft Drift’s access to Salesforce and is investigating further, with no evidence yet of attackers accessing PagerDuty’s internal systems or platform. However, the exposed data heightens risks of phishing and social engineering attacks. PagerDuty has warned customers to stay vigilant, emphasizing that it will never request passwords or sensitive details via unsolicited calls.

Collaborating with Salesloft, Salesforce, and Google Threat Intelligence, PagerDuty is reviewing security controls to prevent future incidents. Updates will be shared as the investigation progresses, with a commitment to transparency and customer protection.
Source: https://gbhackers.com/pagerduty-confirms-data-breach/
TPRM report: https://www.rankiteo.com/company/pagerduty
"id": "pag5523555090425",
"linkid": "pagerduty",
"type": "Breach",
"date": "5/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Incident Management / IT Operations',
'name': 'PagerDuty',
'type': 'Company'},
{'industry': 'Sales Engagement',
'name': 'Salesloft (Drift integration)',
'type': 'Third-Party Service'}],
'attack_vector': 'Exploitation of vulnerability in Drift’s OAuth integration '
'flow with Salesforce',
'customer_advisories': 'Warnings issued about increased phishing risks and '
'guidance on secure communication channels',
'data_breach': {'personally_identifiable_information': ['Names',
'Phone numbers',
'Email addresses'],
'sensitivity_of_data': 'Moderate (contact details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2025-08-20',
'date_publicly_disclosed': '2025-08-23',
'description': 'PagerDuty experienced a data breach following a compromise of '
'its Salesforce account, initiated through a vulnerability in '
'Drift’s OAuth integration flow with Salesforce. The incident '
'was first flagged by Salesloft on August 20, 2025, with '
'unauthorized access potentially exposing names, phone '
'numbers, and email addresses stored in Salesforce. PagerDuty '
'has disabled Salesloft Drift’s access to its Salesforce data '
'and is investigating further. No evidence suggests the '
'PagerDuty platform or internal systems were accessed beyond '
'Salesforce. Customers are advised to remain vigilant against '
'phishing and social engineering attacks.',
'impact': {'brand_reputation_impact': 'Potential risk due to exposure of '
'customer contact details and phishing '
'warnings',
'data_compromised': ['Names', 'Phone numbers', 'Email addresses'],
'identity_theft_risk': 'Increased risk of phishing and social '
'engineering attacks',
'systems_affected': ['Salesforce account']},
'initial_access_broker': {'entry_point': 'Drift’s OAuth integration flow with '
'Salesforce',
'high_value_targets': ['Salesforce account data '
'(names, phone numbers, '
'email addresses)']},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': ['Disabled Salesloft Drift’s '
'access to Salesforce',
'Reviewing security '
'controls',
'Strengthening OAuth '
'integration with '
'Salesloft'],
'root_causes': ['Vulnerability in Drift’s OAuth '
'integration flow',
'Unauthorized access via hijacked '
'authorization process']},
'recommendations': ['Customers should remain vigilant against phishing and '
'social engineering attacks',
'PagerDuty will never call customers to request passwords '
'or secure details; verify communications via official '
'channels',
'Review and strengthen OAuth integration processes for '
'third-party applications'],
'references': [{'source': 'Salesloft Trust Site'},
{'source': 'Salesforce Status Page'},
{'source': 'Google Cloud Blog (Threat Intelligence Group)'}],
'response': {'communication_strategy': ['Customer advisories',
'Official updates via recognized '
'support channels',
'Guidance on phishing risks'],
'containment_measures': ['Disabled Salesloft Drift’s access to '
'Salesforce data'],
'incident_response_plan_activated': True,
'remediation_measures': ['Reviewing security controls',
'Strengthening OAuth integration '
'process with Salesloft'],
'third_party_assistance': ['Salesloft',
'Salesforce',
'Google Threat Intelligence Group']},
'stakeholder_advisories': 'PagerDuty is providing updates and guidance as the '
'investigation progresses',
'title': 'PagerDuty Data Breach via Compromised Salesforce Account',
'type': ['Data Breach', 'Unauthorized Access'],
'vulnerability_exploited': 'Drift’s OAuth integration flow vulnerability'}