Salesforce experienced a data breach originating from a third-party provider, **SalesLoft**, specifically via its **Drift app**, an integration used for automated customer communications. The breach was executed by the hacker group **ShinyHunters**, who exploited compromised **GitHub credentials** at SalesLoft between **March and June**, stealing tokens linking Drift to Salesforce environments. This allowed attackers to infiltrate **Drift’s AWS environment**, obtaining **OAuth tokens** from multiple customer organizations, including **Cloudflare, Zscaler, Palo Alto Networks, and others**.

The stolen data primarily included **customer contact details, basic IT support information, access tokens, and IT configuration details**. While Salesforce confirmed no direct vulnerability in its own systems, the breach exposed **CRM fields, support cases, and integration data** across **hundreds of affected organizations**. Salesforce refused to pay ransom demands, emphasizing a **no-negotiation stance** against extortion. The **Drift app remains disabled**, and affected customers were advised to **renew access tokens** to mitigate further risks. The full scope of impacted customers and long-term consequences remain undisclosed.
TPRM report: https://www.rankiteo.com/company/salesforce
```json
{
  "id": "sal3132231100825",
  "linkid": "salesforce",
  "type": "Breach",
  "date": "3/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Unknown (Hundreds of organizations)",
      "industry": "Cloud Computing / SaaS",
      "location": "San Francisco, California, USA",
      "name": "Salesforce",
      "size": "Enterprise (150,000+ employees)",
      "type": "CRM Provider"
    },
    {
      "customers_affected": "Unknown (Via Drift App)",
      "industry": "Sales Technology",
      "location": "Atlanta, Georgia, USA",
      "name": "SalesLoft",
      "size": "Mid-Large (500+ employees)",
      "type": "Sales Engagement Platform"
    },
    {
      "industry": "Cybersecurity",
      "location": "San Francisco, California, USA",
      "name": "Cloudflare",
      "size": "Enterprise",
      "type": "Web Infrastructure & Security"
    },
    {
      "industry": "Cybersecurity",
      "location": "San Jose, California, USA",
      "name": "Zscaler",
      "size": "Enterprise",
      "type": "Cloud Security"
    },
    {
      "industry": "Network Security",
      "location": "Santa Clara, California, USA",
      "name": "Palo Alto Networks",
      "size": "Enterprise",
      "type": "Cybersecurity"
    },
    {
      "industry": "Cybersecurity",
      "location": "Petah Tikva, Israel / Newton, Massachusetts, USA",
      "name": "CyberArk",
      "size": "Enterprise",
      "type": "Privileged Access Security"
    },
    {
      "industry": "Cloud Data Protection",
      "location": "Palo Alto, California, USA",
      "name": "Rubrik",
      "size": "Mid-Large",
      "type": "Data Management & Security"
    },
    {
      "industry": "IT Infrastructure",
      "location": "San Jose, California, USA",
      "name": "Nutanix",
      "size": "Enterprise",
      "type": "Hybrid Cloud Computing"
    },
    {
      "industry": "Networking & 5G",
      "location": "Stockholm, Sweden",
      "name": "Ericsson",
      "size": "Enterprise",
      "type": "Telecommunications"
    },
    {
      "industry": "Software Development",
      "location": "Sunnyvale, California, USA",
      "name": "JFrog",
      "size": "Mid-Large",
      "type": "DevOps Platform"
    }
  ],
  "attack_vector": [
    "Compromised GitHub Account",
    "Stolen OAuth Tokens",
    "AWS Environment Infiltration",
    "Third-Party App Exploitation (Drift)"
  ],
  "customer_advisories": [
    "Token renewal instructions",
    "Support channels for affected organizations"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "number_of_records_exposed": "Unknown (Hundreds of organizations affected)",
    "personally_identifiable_information": ["Limited (Primarily Corporate PII)"],
    "sensitivity_of_data": ["Moderate (Corporate IT and Customer Data)"],
    "type_of_data_compromised": [
      "Customer Contact Details",
      "IT Support Information",
      "OAuth Tokens",
      "IT Configurations",
      "CRM Data",
      "Support Cases"
    ]
  },
  "description": "Salesforce informed customers that it will not pay ransom to hackers (ShinyHunters) threatening to publish stolen customer data. The breach originated from a security incident at third-party provider SalesLoft, specifically its Drift app (integrated with Salesforce for automated customer communications). Attackers accessed SalesLoft’s GitHub account (March–June), stole OAuth tokens linking Drift to Salesforce environments, and penetrated Drift’s AWS environment to exfiltrate data from hundreds of organizations, including Cloudflare, Zscaler, and Palo Alto Networks. Stolen data included customer contact details, IT support info, access tokens, and IT configurations. Salesforce disabled the Drift app and is supporting affected customers without negotiating with attackers.",
  "impact": {
    "brand_reputation_impact": [
      "Public Refusal to Pay Ransom",
      "Third-Party Trust Erosion",
      "Media Coverage (Bloomberg, Google Threat Intelligence)"
    ],
    "data_compromised": [
      "Customer Contact Details",
      "IT Support Information",
      "Access Tokens",
      "IT Configurations",
      "CRM Fields",
      "Support Cases",
      "Integration Data"
    ],
    "identity_theft_risk": ["Low (Primarily Corporate Data)"],
    "operational_impact": [
      "Disabled Drift App Integration",
      "Token Renewal Required for Customers",
      "Ongoing Customer Support Efforts"
    ],
    "systems_affected": [
      "SalesLoft Drift App",
      "Salesforce Integrations",
      "Drift’s AWS Environment",
      "GitHub Account (SalesLoft)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": ["Stolen OAuth Tokens (Persistent Access)"],
    "data_sold_on_dark_web": ["Threatened by ShinyHunters (not yet confirmed)"],
    "entry_point": "SalesLoft GitHub Account (Compromised March–June 2024)",
    "high_value_targets": [
      "Salesforce Integrations",
      "Drift App AWS Environment",
      "Customer CRM Data"
    ],
    "reconnaissance_period": "Likely conducted prior to March 2024 (exact duration unknown)"
  },
  "investigation_status": "Ongoing (SalesLoft has not publicly responded; Salesforce supporting customers)",
  "lessons_learned": [
    "Third-party app integrations introduce significant risk; rigorous vetting and monitoring are critical.",
    "OAuth token management requires stricter controls (e.g., rotation, least-privilege access).",
    "GitHub account security is a high-value target for attackers; MFA and access logging are essential.",
    "Public refusal to pay ransom can deter attackers but may escalate data leak risks."
  ],
  "motivation": ["Financial Extortion", "Data Theft for Dark Web Sale"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Salesforce disabled Drift app and mandated token renewal.",
      "SalesLoft likely reviewing GitHub security and token management (unconfirmed).",
      "Affected customers advised to rotate credentials and audit integrations."
    ],
    "root_causes": [
      "Inadequate security controls for SalesLoft’s GitHub account (e.g., lack of MFA, monitoring).",
      "Overprivileged OAuth tokens with prolonged validity.",
      "Lack of segmentation between Drift app and Salesforce customer environments.",
      "Delayed detection of GitHub account compromise (March–June 2024)."
    ]
  },
  "ransomware": {"data_exfiltration": true, "ransom_demanded": true},
  "recommendations": [
    "Conduct third-party security audits for all integrated apps, especially those with OAuth access.",
    "Implement automated token rotation and anomaly detection for cloud environments.",
    "Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews.",
    "Develop a unified incident response plan for supply chain attacks involving multiple vendors.",
    "Proactively communicate with customers about breach scope and mitigation steps to maintain trust."
  ],
  "references": [
    {"source": "Bloomberg"},
    {"date_accessed": "August 2024", "source": "Google Threat Intelligence Group"}
  ],
  "response": {
    "communication_strategy": [
      "Internal Memo (Bloomberg-Leaked)",
      "Public Statement on Non-Payment of Ransom",
      "Customer Advisories"
    ],
    "containment_measures": [
      "Disabled Drift App Integration",
      "Token Renewal Mandate for Customers"
    ],
    "enhanced_monitoring": ["Likely (Implied by Google Threat Intelligence Collaboration)"],
    "incident_response_plan_activated": true,
    "recovery_measures": ["Reactivated SalesLoft Integrations (Except Drift)"],
    "remediation_measures": ["Customer Support Outreach", "OAuth Token Rotation"],
    "third_party_assistance": ["Google Threat Intelligence Group (Warnings)"]
  },
  "stakeholder_advisories": [
    "Salesforce internal memo (leaked to Bloomberg)",
    "Customer notifications for token renewal"
  ],
  "threat_actor": "ShinyHunters",
  "title": "Salesforce Data Breach via SalesLoft's Drift App by ShinyHunters",
  "type": [
    "Data Breach",
    "Third-Party Compromise",
    "Credential Theft",
    "OAuth Token Abuse"
  ],
  "vulnerability_exploited": [
    "Improper Token Management",
    "GitHub Account Security Weakness",
    "Third-Party Integration Risks"
  ]
}
```