Salesloft Drift Breach Exposes Salesforce Data at Top Cyber Companies
Thu | Sep 4, 2025 | 7:25 AM PDT

What began as a quiet investigation into suspicious Salesforce activity has escalated into one of the most significant SaaS supply chain incidents of the year.

Google's Threat Intelligence Group (GTIG) says a threat actor tracked as UNC6395 used compromised OAuth tokens from Salesloft's Drift integrations to pull data from many customers' Salesforce instances. The campaign ran at least from August 8–18, 2025. GTIG's assessment is blunt: "GTIG assesses the primary intent of the threat actor is to harvest credentials."

According to GTIG, the actor issued SOQL queries against common Salesforce objects such as Cases, Accounts, Users, and Opportunities. They even deleted query jobs in an attempt to erase their tracks, though Salesforce logs remained reviewable. In response, Salesforce and Salesloft revoked all Drift access tokens and removed the Drift app from AppExchange while investigations continue.

A widespread supply chain breach

What initially appeared to be a narrow integration compromise quickly expanded into one of the largest SaaS supply chain incidents of 2025. GTIG now estimates that more than 700 organizations may have been targeted, with attackers using automation to systematically query Salesforce tenants. The impact reached far beyond CRM data, as Drift's OAuth connections extended into Google Workspace and other enterprise systems, prompting Google to notify affected admins and disable Drift integrations.

The scale and victims of this attack set it apart. Major cybersecurity companies—including Cloudflare, Palo Alto Networks, Zscaler, Tanium, SpyCloud, Proofpoint, and PagerDuty—confirmed they were affected. These are organizations called upon to protect others, now grappling with their own exposure. For example, Zscaler disclosed that the exposed data included customer names, emails, phone numbers, job titles, regional details, product licensing information, and some case content. Palo Alto Networks and Cloudflare similarly reported that while the core of their infrastructure was not impacted, customer support data—sometimes containing API tokens, logs, or credentials pasted into tickets—was exfiltrated.

Cloudflare acknowledged the breach of its Salesforce case data but emphasized, "No Cloudflare services or infrastructure were compromised as a result of this breach." The company rotated 104 API tokens discovered in the compromised dataset.

Salesloft's response: Drift taken offline

Facing mounting pressure, Salesloft has now taken the Drift platform completely offline. The company stated that this suspension is necessary to conduct a comprehensive security review and strengthen Drift before restoring service. During this period, Drift chatbots are inaccessible on customer websites. Salesloft also announced it is working closely with Mandiant, Coalition, and Google Threat Intelligence Group to investigate the breach and harden the platform against future attacks.

Why the Drift breach matters

This incident highlights the systemic risks associated with third-party SaaS integrations. Drift was designed to help sales and marketing teams by embedding deeply into platforms like Salesforce, but those broad permissions became the doorway for attackers. Once OAuth tokens were stolen, threat actors could bypass login safeguards like MFA and pull large volumes of data as if they were the trusted app itself.

The campaign also highlights the transitive trust problem in SaaS ecosystems: a compromised vendor can potentially compromise hundreds of organizations. In this case, attackers not only gained access to sensitive Salesforce data but also sought cloud credentials and tokens that could be leveraged for secondary compromises.

Next steps for security leaders

Organizations that have integrated Drift should assume exposure and act quickly. Revoking and rotating all Drift-connected tokens and credentials is essential. Reviewing Salesforce event logs for abnormal queries and auditing support case data for leaked secrets should also be top priorities.

Beyond the immediate response, CISOs should view this as a call to reevaluate their integration practices. Limiting token scopes, enforcing IP restrictions, and applying the principle of least privilege to SaaS apps are critical steps. Equally important is re-examining what gets stored in support systems—credentials and cloud access details should never live inside tickets or attachments.
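The two review steps recommended above (checking Salesforce event logs for abnormal bulk queries and job deletions of the kind GTIG describes, and auditing support case text for pasted secrets) can be scripted. The following is an added example written for this article, not code from Salesforce, Salesloft, or any of the affected companies. The event-log column names, the connected-app name, the event type values, and all sample rows and case bodies are constructed for illustration and are not the real Salesforce export schema; the secret patterns are generic and would need tuning for a real environment.

```python
"""Added example: two defender checks over constructed Salesforce-style data."""
import csv
import io
import re

# Constructed sample export shaped like a Salesforce API event log. The column
# names are assumptions for this example, not the product's actual schema.
SAMPLE_EVENT_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,CONNECTED_APP,SOURCE_IP,OBJECT,ROWS_PROCESSED
Query,2025-08-09T02:11:04Z,drift-integration,Drift,203.0.113.10,Case,25000
Query,2025-08-09T02:12:30Z,drift-integration,Drift,203.0.113.10,Account,18000
Query,2025-08-09T02:13:02Z,drift-integration,Drift,203.0.113.10,User,900
Query,2025-08-09T02:14:15Z,drift-integration,Drift,203.0.113.10,Opportunity,12000
BulkJobDelete,2025-08-09T02:20:00Z,drift-integration,Drift,203.0.113.10,Case,0
Query,2025-08-09T09:00:00Z,alice@example.com,SalesforceUI,198.51.100.7,Case,40
Query,2025-08-09T09:05:00Z,drift-integration,Drift,203.0.113.10,Lead,50
"""

# Objects the article names as targeted; a bulk read of these by an integration
# is worth a closer look. The row threshold is a tunable assumption.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}
BULK_THRESHOLD = 1000


def parse_event_log(text: str) -> list[dict]:
    """Parse a CSV export into one dictionary per event row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious_events(events, sensitive=SENSITIVE_OBJECTS, threshold=BULK_THRESHOLD):
    """Flag bulk reads of sensitive objects and deletions of query jobs."""
    findings = []
    for row in events:
        rows = int(row["ROWS_PROCESSED"] or 0)
        base = {"event": row["EVENT_TYPE"], "app": row["CONNECTED_APP"],
                "ip": row["SOURCE_IP"], "object": row["OBJECT"], "rows": rows}
        if row["EVENT_TYPE"] == "Query" and row["OBJECT"] in sensitive and rows >= threshold:
            findings.append({**base, "reason": "bulk read of sensitive object"})
        elif row["EVENT_TYPE"] == "BulkJobDelete":
            findings.append({**base, "reason": "query job deleted (possible track covering)"})
    return findings


# Generic secret patterns; each is a constructed heuristic, not a vendor spec.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

# Constructed support cases; the key values are placeholders, not real secrets.
SAMPLE_CASES = [
    {"id": "CASE-0001", "body": "Customer cannot log in, error 403 on dashboard."},
    {"id": "CASE-0002", "body": "Here is my key to reproduce: api_key=sk_live_0123456789abcdefghij"},
    {"id": "CASE-0003", "body": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.payload.sig' https://api.example.com"},
    {"id": "CASE-0004", "body": "Access key AKIAIOSFODNN7EXAMPLE was used in the failing script."},
]


def scan_case_for_secrets(case_id: str, body: str) -> list[dict]:
    """Return one finding per matched secret, with the value redacted to a short hint."""
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(body):
            secret = match.group(1) if match.groups() else match.group(0)
            # Never copy the secret itself into the report; keep a prefix and its length.
            hits.append({"case": case_id, "kind": label,
                         "hint": f"{secret[:4]}...({len(secret)} chars)"})
    return hits


def audit_cases(cases) -> list[dict]:
    """Scan every case body and collect the redacted findings."""
    findings = []
    for case in cases:
        findings.extend(scan_case_for_secrets(case["id"], case["body"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_events(parse_event_log(SAMPLE_EVENT_LOG)):
        print("EVENT  ", f)
    for h in audit_cases(SAMPLE_CASES):
        print("SECRET ", h)
```

On the constructed data the event check reports the three bulk reads of Case, Account and Opportunity plus the job deletion (the User read falls under the row threshold and Lead is not in the sensitive set), and the case audit flags three of the four tickets while printing only a redacted hint, so the audit report itself does not become another place where credentials are stored.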

A wake-up call for SaaS supply chain security

The Salesloft Drift breach demonstrates how fragile SaaS trust chains can be. Even the world's most security-minded companies—Cloudflare, Palo Alto Networks, Zscaler—were impacted because of an integration they allowed into their environments. For security leaders, the takeaway is clear: CRM and support platforms are not just business tools; they are Tier-0 adjacent assets that demand enterprise-grade controls and ongoing monitoring.
