The **Salesloft breach (August 8–18, 2025)** was a sophisticated **supply chain attack** targeting **Salesloft's GitHub account and the OAuth tokens** linked to its **Drift chatbot integration**. Using these tokens, attackers bypassed multi-factor authentication (MFA) and gained unauthorized access to **over 700 organizations**, including major cybersecurity firms such as **Cloudflare, Palo Alto Networks, and Google**. The breach involved **automated data exfiltration** using Python tools, deletion of query logs to evade detection, and compromise of **Salesforce instances**, exposing **customer relationship data, support case details, and sensitive credentials** (API keys, passwords). The incident triggered **class-action lawsuits** and regulatory scrutiny (GDPR/CCPA), and it highlighted critical gaps in **third-party integration security, OAuth governance, and cross-platform data visibility**. The attack underscored the risks of **SaaS ecosystems**, where interconnected platforms amplify exposure to **fourth/fifth-party vulnerabilities** and **zero-trust failures**.
Source: https://www.jdsupra.com/legalnews/inside-the-salesloft-drift-breach-5165814/
TPRM report: https://www.rankiteo.com/company/salesloft
```json
{
  "id": "sal4092740091625",
  "linkid": "salesloft",
  "type": "Breach",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```
{'affected_entities': [{'customers_affected': '700+ organizations',
'industry': 'Sales Engagement Platform',
'location': 'Atlanta, Georgia, USA',
'name': 'Salesloft',
'type': 'SaaS Provider'},
{'industry': 'Conversational Marketing/Chatbot',
'location': 'Boston, Massachusetts, USA',
'name': 'Drift',
'type': 'SaaS Provider'},
{'industry': 'Web Infrastructure Security',
'location': 'San Francisco, California, USA',
'name': 'Cloudflare',
'type': 'Cybersecurity Firm'},
{'industry': 'Network Security',
'location': 'Santa Clara, California, USA',
'name': 'Palo Alto Networks',
'type': 'Cybersecurity Firm'},
{'industry': 'Cloud Security',
'location': 'San Jose, California, USA',
'name': 'Zscaler',
'type': 'Cybersecurity Firm'},
{'industry': 'Search/Cloud Services',
'location': 'Mountain View, California, USA',
'name': 'Google',
'type': 'Tech Giant'},
{'industry': 'Email Security',
'location': 'Sunnyvale, California, USA',
'name': 'Proofpoint',
'type': 'Cybersecurity Firm'},
{'industry': 'Identity Protection',
'location': 'Austin, Texas, USA',
'name': 'SpyCloud',
'type': 'Cybersecurity Firm'},
{'industry': 'Endpoint Security',
'location': 'Emeryville, California, USA',
'name': 'Tanium',
'type': 'Cybersecurity Firm'},
{'industry': 'Vulnerability Management',
'location': 'Columbia, Maryland, USA',
'name': 'Tenable',
'type': 'Cybersecurity Firm'},
{'customers_affected': '700+ organizations (via '
'integrated instances)',
'industry': 'Customer Relationship Management (CRM)',
'location': 'San Francisco, California, USA',
'name': 'Salesforce',
'type': 'SaaS Provider'}],
'attack_vector': ['Compromised GitHub Account',
'OAuth Token Abuse',
'Third-Party Integration Exploitation',
'Automated Python Tools',
'Anti-Forensics Techniques (Log Deletion)'],
'customer_advisories': ['Guidance on Password/Token Rotation',
'Recommendations for Monitoring Suspicious Activity',
'Support for Affected CRM Data'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': ['High (includes PII, credentials, and '
'proprietary business data)'],
'type_of_data_compromised': ['CRM Data',
'Support Case Records',
'Credentials (API keys, '
'passwords)',
'Business Communications']},
'date_detected': '2025-08-18',
'description': 'A sophisticated supply chain attack targeting Salesloft and '
'Drift integrations, orchestrated by UNC6395 (GRUB1), '
'compromised OAuth tokens to access hundreds of Salesforce '
'instances. The breach exposed vulnerabilities in third-party '
'integration security, affecting over 700 organizations, '
'including major cybersecurity firms. Attackers used automated '
'tools and anti-forensics techniques to extract data while '
'evading detection for over two weeks (August 8–18, 2025). '
'Initial access was gained via a compromised GitHub account '
'between March and June 2025.',
'impact': {'brand_reputation_impact': ['Significant Reputational Damage to '
'Salesloft, Drift, and Affected Firms',
'Erosion of Trust in SaaS Supply Chain '
'Security'],
'customer_complaints': ['Class-Action Lawsuits Filed (including '
'against Salesforce)'],
'data_compromised': ['Customer Relationship Management (CRM) Data',
'Support Case Information',
'Sensitive Credentials (API keys, passwords)',
'Business Communications'],
'identity_theft_risk': ['High (due to exposed credentials and PII '
'in support cases)'],
'legal_liabilities': ['Multiple Class-Action Lawsuits',
'Potential Regulatory Fines (GDPR, CCPA, '
'etc.)',
'Contractual Liability Disputes'],
'operational_impact': ['Disruption of CRM and Support Operations',
'Incident Response Across Multiple Vendors',
'Legal and Compliance Burden'],
'systems_affected': ['Salesforce Instances (700+ organizations)',
'Drift Chatbot Integration',
'GitHub Account (initial compromise)']},
'initial_access_broker': {'backdoors_established': ['Persistent OAuth Token '
'Access',
'Automated Data '
'Extraction Scripts'],
'data_sold_on_dark_web': ['Likely (given the '
'sensitivity of '
'exfiltrated '
'credentials)'],
'entry_point': 'Compromised Salesloft GitHub '
'Account (March–June 2025)',
'high_value_targets': ['Salesforce Instances of '
'Cybersecurity Firms',
'CRM Data',
'Support Case Histories'],
'reconnaissance_period': 'March 2025 – August 2025 '
'(5+ months)'},
'investigation_status': 'Ongoing (as of 2025)',
'lessons_learned': ['OAuth tokens require the same security rigor as '
'passwords, including MFA and regular rotation.',
'Third-party integration security must be elevated to a '
'board-level priority with dedicated oversight.',
'Supply chain risks extend beyond direct vendors to '
'fourth/fifth-party SaaS ecosystems.',
'Anti-forensics techniques (e.g., log deletion) can delay '
'detection, necessitating enhanced monitoring.',
'Data shared via external platforms (e.g., chatbots) may '
'contain sensitive information requiring classification '
'and protection.',
'eDiscovery preparedness must account for multi-platform, '
'cross-jurisdictional breach responses.'],
'motivation': ['Data Exfiltration',
'Espionage',
'Potential Financial Gain (via dark web data sales)'],
'post_incident_analysis': {'corrective_actions': ['Mandate **MFA for all '
'OAuth token usage** and '
'treat tokens as high-value '
'credentials.',
'Implement **real-time '
'monitoring** for anomalous '
'OAuth/API activity with '
'automated alerts.',
'Enforce **least-privilege '
'access** for third-party '
'integrations, regularly '
'auditing permission '
'scopes.',
'Develop **dedicated supply '
'chain risk management '
'programs** for SaaS '
'ecosystems.',
'Enhance **log retention '
'and anti-tampering '
'controls** to prevent '
'evidence destruction.',
'Establish **cross-vendor '
'incident response '
'playbooks** for '
'coordinated breach '
'handling.',
'Integrate **information '
'governance** with '
'cybersecurity to classify '
'and protect data in shared '
'environments.',
'Conduct **regular red-team '
'exercises** targeting '
'third-party integration '
'attack surfaces.'],
'root_causes': ['Inadequate protection of GitHub '
'credentials leading to initial '
'compromise.',
'Lack of MFA enforcement for OAuth '
'tokens, allowing bypass of '
'authentication controls.',
'Insufficient monitoring of '
'third-party integration activity '
'(e.g., Drift-Salesforce OAuth '
'flows).',
'Over-permissioned OAuth tokens '
'with excessive data access '
'scopes.',
'Delayed detection due to '
'anti-forensics techniques (log '
'deletion).',
'Gaps in cross-platform visibility '
'for data flows in SaaS '
'ecosystems.']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Implement **strict OAuth token lifecycle management** '
'(rotation, scoped permissions, real-time monitoring).',
'Adopt **zero-trust access controls** for all third-party '
'integrations, treating them as untrusted by default.',
'Expand **third-party risk assessments** to include '
'fourth/fifth-party SaaS dependencies.',
'Develop **cross-platform visibility tools** to track '
'data flows across interconnected systems.',
'Establish **pre-negotiated breach response protocols** '
'with vendors, including liability frameworks.',
'Enhance **legal hold procedures** for multi-tenant cloud '
'environments to ensure evidence integrity.',
'Invest in **automated anomaly detection** for OAuth '
'token usage and API activity.',
'Conduct **regular audits** of third-party integrations '
'and their permission scopes.',
'Train employees on **secure data-sharing practices** via '
'external platforms (e.g., chatbots, support tools).',
'Integrate **information governance** with cybersecurity '
'to classify and protect data in SaaS environments.'],
'references': [{'date_accessed': '2025',
'source': 'HaystackID/ComplexDiscovery OÜ'}],
'regulatory_compliance': {'legal_actions': ['Class-Action Lawsuits (e.g., '
'against Salesforce)',
'Regulatory Investigations '
'(Expected)'],
'regulations_violated': ['Potential GDPR (EU)',
'CCPA (California)',
'Industry-Specific Data '
'Protection Laws'],
'regulatory_notifications': ['Ongoing (GDPR, CCPA, '
'etc.)']},
'response': {'communication_strategy': ['Public Disclosure (via '
'HaystackID/ComplexDiscovery)',
'Customer Advisories',
'Regulatory Notifications'],
'containment_measures': ['OAuth Token Revocation',
'Disabling Compromised Integrations',
'Isolating Affected Systems'],
'enhanced_monitoring': ['Real-Time OAuth Token Activity '
'Monitoring',
'Anomalous API Call Detection'],
'incident_response_plan_activated': True,
'network_segmentation': ['Isolation of Compromised SaaS '
'Integrations'],
'recovery_measures': ['Restoration of Affected Salesforce '
'Instances',
'Customer Notification and Support',
'Legal Hold Procedures for eDiscovery'],
'remediation_measures': ['Token Lifecycle Management '
'Enhancements',
'Zero-Trust Access Controls for '
'Third-Party Integrations',
'Expanded Monitoring of OAuth Activity'],
'third_party_assistance': ['Cybersecurity Firms (e.g., '
'Cloudflare, Palo Alto Networks)',
'Legal Counsel',
'Forensic Investigators']},
'stakeholder_advisories': ['Customer Notifications Issued',
'Regulatory Disclosures in Progress',
'Legal Counsel Engaged for Litigation '
'Preparedness'],
'threat_actor': ['UNC6395', 'GRUB1 (Cloudflare designation)'],
'title': 'Salesloft Drift Supply Chain Breach (2025)',
'type': ['Supply Chain Attack',
'Unauthorized Access',
'Data Breach',
'OAuth Token Exploitation'],
'vulnerability_exploited': ['Weak OAuth Token Management',
'Lack of MFA for OAuth Tokens',
'Insufficient Third-Party Integration Monitoring',
'Inadequate Log Retention']}