Sep 03, 2025Ravie LakshmananData Breach / Menace Intelligence,
Salesloft on Tuesday introduced that it is taking Drift quickly offline “within the very close to future,” as a number of corporations have been ensnared in a far-reaching provide chain assault spree concentrating on the advertising and marketing software-as-a-service product, ensuing within the mass theft of authentication tokens.
“It will present the quickest path ahead to comprehensively evaluate the appliance and construct extra resiliency and safety within the system to return the appliance to full performance,” the corporate mentioned. “Consequently, the Drift chatbot on buyer web sites is not going to be accessible, and Drift is not going to be accessible.”
The corporate mentioned its high precedence is to make sure the integrity and safety of its techniques and clients’ knowledge, and that it is working with cybersecurity companions, Mandiant and Coalition, as a part of its incident response efforts.
The event comes after Google Menace Intelligence Group (GTIG) and Mandiant disclosed what it mentioned was a widespread knowledge theft marketing campaign that has leveraged stolen OAuth and refresh tokens related to the Drift synthetic intelligence (AI) chat agent to breach clients’ Salesforce cases.
“Starting as early as August 8, 2025, via no less than August 18, 2025, the actor focused Salesforce buyer cases via compromised OAuth tokens related to the Salesloft Drift third-party software,” the corporate mentioned final week.
The exercise has been attributed to a menace cluster dubbed UNC6395 (aka GRUB1), with Google telling The Hacker Information that greater than 700 organizations might have been probably impacted.
Whereas it was initially claimed that the publicity was restricted to Salesloft’s integration with Salesforce, it has since emerged that any platform built-in with Drift is probably compromised. Precisely how the menace actors gained preliminary entry to Salesloft Drift stays unknown at this stage.
The incident has additionally prompted Salesforce to quickly disable all Salesloft integrations with Salesforce as a precautionary measure. Among the companies which have confirmed being impacted by the breach are as follows –
“We consider this incident was not an remoted occasion however that the menace actor supposed to reap credentials and buyer data for future assaults,” Cloudflare mentioned.
“Provided that tons of of organizations have been affected via this Drift compromise, we suspect the menace actor will use this data to launch focused assaults towards clients throughout the affected organizations.”
