Salesloft

The attack on **Salesloft** began with the compromise of an internal **GitHub repository**, where attackers stole a high-privilege **OAuth token** granting access to its **Drift cloud application**. Exploiting Drift’s trusted integrations, the attackers pivoted to **Salesforce instances** of multiple high-profile customers—including **Palo Alto Networks, Cloudflare, Zscaler, and Tenable**—exfiltrating **customer conversation data, contact details, and sensitive business information**. The breach exposed a **supply-chain vulnerability**, where a single compromised AI-powered integration (Drift’s chatbot) enabled mass data theft across **700+ organizations**, including cybersecurity leaders. The attackers also harvested **OpenAI API credentials**, demonstrating the cascading risks of interconnected AI ecosystems. While companies like **Okta** mitigated damage via **IP allow-listing**, others faced **reputational harm, forensic costs, and erosion of customer trust**. The incident highlighted critical gaps in **third-party risk management, token security, and AI integration monitoring**, with long-term implications for enterprise security postures.

Source: https://www.trendmicro.com/en_us/research/25/i/ai-app-breach.html

TPRM report: https://www.rankiteo.com/company/salesloft

{
  "id": "sal2862828092525",
  "linkid": "salesloft",
  "type": "Breach",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"customers_affected": "700+ (Indirectly via Drift Integration)", "industry": "Sales Engagement Platform", "name": "Salesloft", "type": "SaaS Provider"},
    {"customers_affected": "700+ (Directly via Salesforce Integrations)", "industry": "Conversational Marketing/AI Chatbots", "name": "Drift", "type": "SaaS Provider"},
    {"industry": "Cybersecurity/Web Infrastructure", "name": "Cloudflare", "type": "Public Company"},
    {"industry": "Cybersecurity", "name": "Palo Alto Networks", "type": "Public Company"},
    {"industry": "Cybersecurity/Cloud Security", "name": "Zscaler", "type": "Public Company"},
    {"industry": "Cybersecurity/Vulnerability Management", "name": "Tenable", "type": "Public Company"},
    {"industry": "Cybersecurity/Email Security", "name": "Proofpoint", "type": "Public Company"},
    {"industry": "Cybersecurity/Identity Protection", "name": "SpyCloud", "type": "Private Company"},
    {"customers_affected": "0 (Attack Attempted but Blocked)", "industry": "Identity Management", "name": "Okta", "type": "Public Company"}
  ],
  "attack_vector": ["Compromised GitHub Repository", "Stolen OAuth Token", "Privilege Escalation via Drift Integration", "AI-Powered Data Exfiltration"],
  "customer_advisories": ["Security Bulletins", "Remediation Guidance", "Compromised Data Notifications"],
  "data_breach": {
    "data_exfiltration": ["Confirmed (Systematic via Salesforce Integrations)"],
    "file_types_exposed": ["Conversation Logs", "Contact Databases", "API Tokens", "Potentially Calendar/Email Data"],
    "personally_identifiable_information": ["Names", "Email Addresses", "Potentially Phone Numbers", "Business Roles"],
    "sensitivity_of_data": ["High (PII, Business Communications, Authentication Tokens)"],
    "type_of_data_compromised": ["Customer Conversation Logs", "Contact Information", "API Credentials", "Salesforce Data"]
  },
  "description": "A sophisticated cyberattack began with the compromise of Salesloft's internal GitHub repository, where attackers stole an OAuth token granting privileged access to Salesloft's Drift account. This access was leveraged to exfiltrate data from connected Salesforce instances of over 700 organizations, including major cybersecurity firms like Cloudflare, Palo Alto Networks, and Zscaler. The breach exploited AI integrations' broad data access patterns and trust-based architectures, highlighting vulnerabilities in modern AI ecosystems. Okta was spared due to IP allow-listing controls.",
  "impact": {
    "brand_reputation_impact": ["Severe (Especially for Cybersecurity Firms)", "Loss of Customer Trust", "Increased Scrutiny of AI Security Practices"],
    "customer_complaints": ["Expected (Not Quantified)"],
    "data_compromised": ["Customer Conversation Data", "Contact Information", "Authentication Tokens (Including OpenAI API Credentials)", "Salesforce Instance Data"],
    "identity_theft_risk": ["High (Due to PII in Conversation Data)"],
    "legal_liabilities": ["Potential Regulatory Fines", "Contractual Breach Claims", "Litigation Risk"],
    "operational_impact": ["Forensic Investigations", "Customer Trust Erosion", "Integration Audits", "Security Control Overhauls"],
    "payment_information_risk": ["Low (Not Explicitly Mentioned)"],
    "systems_affected": ["Salesloft GitHub Repositories", "Drift Cloud Application", "Connected Salesforce Instances", "OpenAI API Integrations"]
  },
  "initial_access_broker": {
    "backdoors_established": ["Stolen OAuth Token for Drift Access"],
    "entry_point": "Salesloft Internal GitHub Repository",
    "high_value_targets": ["Drift Cloud Application", "Connected Salesforce Instances", "OpenAI API Credentials"],
    "reconnaissance_period": "March-June 2025 (3-4 Months)"
  },
  "investigation_status": "Ongoing (Forensic Analysis and Impact Assessment)",
  "lessons_learned": [
    "AI integrations expand attack surfaces beyond traditional perimeters",
    "Trust-based architectures create detection blind spots for AI-powered exfiltration",
    "Authentication tokens for AI systems must be treated as crown jewels",
    "IP allow-listing and geographic restrictions are critical for high-privilege AI tokens",
    "Integration lifecycle management is essential to prevent stale credential exposure",
    "AI behavior baselining is necessary to detect anomalous data access patterns",
    "Third-party AI vendors introduce supply chain risks that require defense-in-depth"
  ],
  "motivation": ["Data Theft", "Espionage", "Financial Gain (Potential)", "Supply Chain Disruption"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Mandatory IP allow-listing for all integration tokens",
      "Implementation of just-in-time access for AI systems",
      "Enhanced credential rotation policies with automated enforcement",
      "AI-specific anomaly detection for data access patterns",
      "Supply chain security reviews for all AI vendors",
      "Integration lifecycle management automation",
      "Zero-trust architecture adoption for AI ecosystems",
      "Reduced token permissions to least-privilege for AI integrations"
    ],
    "root_causes": [
      "Insufficient protection of high-privilege credentials in GitHub repositories",
      "Lack of IP restrictions on OAuth tokens",
      "Over-permissive API access for AI integrations",
      "Failure to deactivate former customer (SpyCloud) credentials",
      "Detection gaps for AI-powered data exfiltration patterns",
      "Inadequate segmentation between AI systems and core business data"
    ]
  },
  "ransomware": {"data_exfiltration": ["Confirmed (But Not Ransomware-Related)"]},
  "recommendations": [
    "Implement IP allow-listing for all AI integration tokens",
    "Enforce geographic restrictions on API access",
    "Use time-based access windows for sensitive integrations",
    "Segment networks processing sensitive data via AI applications",
    "Rotate OAuth tokens and API keys automatically with short lifespans",
    "Store high-privilege credentials in encrypted vaults or HSMs",
    "Monitor for unusual AI data consumption patterns (spikes, off-hours, unusual sources)",
    "Audit integration lifecycles to deactivate unused or former vendor connections",
    "Treat AI vendors as part of your critical supply chain with corresponding security reviews",
    "Adopt zero-trust principles for AI system authentications",
    "Conduct red-team exercises specifically targeting AI integration pathways"
  ],
  "references": [{"source": "Incident Analysis Report (Hypothetical)"}],
  "regulatory_compliance": {
    "legal_actions": ["Expected (Not Yet Filed)"],
    "regulations_violated": ["Potential GDPR (for EU Customer Data)", "CCPA (for California Residents)", "Industry-Specific Compliance Standards"],
    "regulatory_notifications": ["Likely Required (Not Confirmed)"]
  },
  "response": {
    "communication_strategy": ["Public Disclosures", "Customer Advisories", "Transparency Reports"],
    "containment_measures": ["Token Revocation", "Access Restrictions", "IP Allow-Listing (Okta)"],
    "enhanced_monitoring": ["AI Behavior Baselining", "Anomaly Detection for Data Access Patterns"],
    "incident_response_plan_activated": ["Forensic Investigations", "Customer Notifications", "Integration Audits"],
    "network_segmentation": ["Recommended for AI Applications"],
    "recovery_measures": ["System Restorations", "Customer Trust Rebuilding"],
    "remediation_measures": ["Credential Rotation", "Integration Lifecycle Reviews", "Security Control Enhancements"],
    "third_party_assistance": ["Likely (Not Specified)"]
  },
  "stakeholder_advisories": ["Customer Notifications Issued", "Industry-Wide Alerts Recommended"],
  "title": "AI-Powered Supply Chain Attack via Compromised Salesloft-Drift Integration (2025)",
  "type": ["Supply Chain Attack", "Data Breach", "Unauthorized Access", "AI Integration Exploitation"],
  "vulnerability_exploited": ["Improper Credential Management", "Over-Permissive API Access", "Lack of IP Restrictions on Tokens", "Insufficient Integration Lifecycle Management"]
}