
New Round of Stolen OAuth Tokens Obtained From Salesloft Drift Platform Led to Compromise of Cloudflare, Palo Alto Networks & Zscaler

An as-yet undiagnosed compromise of the Salesloft Drift AI-driven platform has led to a rash of stolen OAuth tokens, in turn creating downstream breaches at some of the biggest names in the cybersecurity industry.

The campaign is thought to have taken place from about August 8 to August 18, and impacted about 700 organizations in total. While initial reporting suggested that the stolen OAuth tokens would only compromise Salesforce instances that had integrated Salesloft Drift, it is now believed that any platform that uses Drift may potentially be compromised.

Stolen OAuth tokens prompt indefinite shutdown of Drift

Acquired by Salesloft in early 2024, Drift is an AI-driven sales tool used to analyze customer service conversations and other behavior data and create personalized recommendations. The service was taken offline in the early morning hours of September 5 as a precautionary measure as Salesloft investigates the incident and fortifies system security. The company has not set a date for the end of the service interruption.

Salesloft first disclosed the breach to the public on August 25. That initial notification claimed that only customers with a Drift-Salesforce integration were potentially impacted, but that has since been revised to anyone making use of Drift (via a Google Threat Intelligence Group report issued on August 28). The initial disclosure also claimed that no malicious activity had been spotted, but numerous Drift clients have since reported follow-on breaches caused by stolen OAuth tokens: Cloudflare, Google Workspace, Palo Alto Networks, Tanium, Tenable and Zscaler among them. Salesloft says that it has directly notified all impacted customers.

As of September 3 Salesloft has rotated all centrally managed client keys, which negates the stolen OAuth tokens for its managed clients. However, clients that manage their own Drift connections via API key must manually revoke their existing keys to shield against exposure.

Threat actors spotted harvesting, hoarding credentials for future attacks

The Google Threat Intelligence report indicates that only a “very small amount” of Google Workspace accounts were impacted, and that Google has contacted the administrators of these accounts. Neither Google Workspace itself nor parent company Alphabet was breached by the attack; rather, the stolen OAuth tokens were for specific Workspace accounts. The report does not name a specific party but does note that the threat actor rapidly combed compromised accounts for secrets and sensitive information to exfiltrate.

Cloudflare also chimed in on September 2 with an incident report that indicates its own internal Salesforce instance (used for customer support and case management) was breached by the attackers. That could mean that some Cloudflare clients that had used customer support chats could have access tokens or sensitive information about their configurations exposed, though the company says that it is actively monitoring and has not yet seen evidence of malicious activity. Cloudflare’s threat intelligence team does not yet have information about the identity of the attackers but has given them the moniker “GRUB1” for the moment.

Zscaler also experienced a Salesforce instance compromise, but says that the information about clients that was exposed was limited to business contact information for the most part. The breach at Palo Alto Networks was very similar, though the company additionally reports that some internal sales records and “basic case data” were stolen. Both companies report that the client data that was exposed did not contain file attachments.

No link has yet been established to the ShinyHunters campaign that has also targeted Salesforce instances in recent months. In those cases, the hacking team is strongly suspected to have been working with Scattered Spider to breach victims via a social engineering approach. The Salesloft case appears to involve the hackers finding a way to manipulate Drift to return portions of client support tickets and uncover OAuth tokens, though specific technical details remain thin at this time. In that sense, it may have more in common with the recent attack on Lenovo’s “Lena” website AI that convinced the chatbot to open contact with a malicious attacker-controlled server.

The attackers do seem to have a particular interest in cybersecurity firms, however; in addition to the parties already mentioned, several others have reported follow-on breaches via stolen OAuth tokens, including Proofpoint and SpyCloud as well as Tanium and Tenable. In most cases these also appear to have been via local Salesforce instances that had integrated Drift. Salesloft does not publish exact numbers of Drift customers but has previously stated that at least 5,000 clients use it, leaving much potential room for expansion of this breach. Krebs on Security reports that the attackers may be making use of a new cybercrime forum called “Breachstars” to ransom victims.

Cory Michal, SaaS security expert and CSO at AppOmni, notes that the targeting of these high-profile security firms is troubling: “These are particularly concerning because they raise the stakes well beyond typical SaaS compromises, especially where support tickets are involved, since they may contain sensitive materials such as API keys, credentials, and archive files. For security companies, which often have privileged access and visibility into client environments, exposure of this data could create opportunities for downstream breaches, supply chain attacks, and erosion of trust in the very vendors responsible for defending enterprises. Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting. Their blog not only provides clear technical detail but also openly accepts responsibility for the risks posed by third-party integrations. By committing to strengthen their SaaS environments and toolchain security going forward, Cloudflare demonstrated both maturity and leadership in incident response, setting a high bar for how organizations should communicate, remediate, and reinforce trust in the aftermath of supply-chain compromises.”
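The triage step implied above, finding which exposed support cases contained credentials so those secrets can be rotated, as an added illustration that is not code from Cloudflare, Salesloft or this article. The case records, the secret patterns and the field names are constructed assumptions, not any vendor's export format.

```python
import re
from typing import Dict, List

# Constructed sample support-case export (not real data): each record has
# a case id and the free-text body a customer typed into the ticket.
SAMPLE_CASES = [
    {"id": "CASE-0001", "text": "Load balancer returns 502 intermittently since Tuesday."},
    {"id": "CASE-0002", "text": "Attaching config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE and token"},
    {"id": "CASE-0003", "text": "Our CI fails with: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc"},
    {"id": "CASE-0004", "text": "Please reset; current password: Hunter2!2024 for the admin user."},
    {"id": "CASE-0005", "text": "Attached logs.zip and the full .env file for reproduction."},
]

# Heuristic patterns for credential material that must be rotated if the
# case text was readable by whoever held the stolen OAuth tokens. These are
# illustrative assumptions, not an exhaustive secret-detection ruleset.
CREDENTIAL_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}", re.I),
    "password_literal": re.compile(r"\bpassword\s*[:=]\s*\S+", re.I),
}
# Attachments that frequently carry secrets (archive files, env files, keys).
ATTACHMENT_PATTERN = re.compile(r"(\.env\b|id_rsa\b|\.pem\b|\.zip\b)", re.I)


def scan_case(case: dict) -> List[str]:
    """Return the names of secret categories found in one case's text."""
    hits = [name for name, pat in CREDENTIAL_PATTERNS.items() if pat.search(case["text"])]
    if ATTACHMENT_PATTERN.search(case["text"]):
        hits.append("sensitive_attachment")
    return hits


def build_rotation_worklist(cases: List[dict]) -> Dict[str, List[str]]:
    """Map each case id holding secret-like material to its findings."""
    return {c["id"]: scan_case(c) for c in cases if scan_case(c)}


def redact(text: str) -> str:
    """Mask credential matches so the worklist can be shared without re-exposing them."""
    for pat in CREDENTIAL_PATTERNS.values():
        text = pat.sub("[REDACTED]", text)
    return text


if __name__ == "__main__":
    for case_id, findings in build_rotation_worklist(SAMPLE_CASES).items():
        print(case_id, findings)
```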

Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, adds: “The case of the Palo Alto data breach demonstrates the modus operandi of the threat actor is not stagnant, and they are capable of implementing other attack techniques to compromise as many victims as possible. This time they have used compromised OAuth tokens from the Salesloft Drift integration to query Salesforce data at scale … This represents a shift in modus operandi compared to previous intrusions, in which they used social engineering skills via phone phishing to trick them into revealing login credentials or installing malicious versions of Salesforce tools.”