
How one Salesloft account led to a cavalcade of data breaches


From March to June 2025, a cyber attacker was able to snoop around in Salesloft’s GitHub account. This resulted in the theft of tokens that link Drift, Salesloft’s sales platform, to Salesforce environments. As a result, large companies fell victim to one data breach after another this summer.

As an intruder in Salesloft’s GitHub account, the attacker was able to download the contents of various repositories, add a guest user, and set up workflows. After a two-month reconnaissance phase, the attacker managed to infiltrate Salesloft Drift’s AWS environment. This lateral movement resulted in a significant haul, as OAuth tokens for Drift’s customer companies were obtained.

Big fish caught

Thanks to the Drift integrations, the attacker gained access to hundreds of companies. A selection of the affected parties includes Cloudflare, Zscaler, Palo Alto Networks, CyberArk, Rubrik, Nutanix, Ericsson, and JFrog. The real consequences are yet to be seen, as the actual impact differed for each company.

Whereas at Zscaler the usual CRM and header fields were stolen, at Cloudflare it was the records within Salesforce Cases. Customers can decide for themselves what extra information to include there, so the specific value of the loot varies. At Google, emails in certain Workspace accounts could be read. However, this only applied to accounts connected to Salesloft Drift. JFrog experienced minimal impact: only the integrations with Salesforce and Drift were shut down.

Warnings remain

Salesloft has been connected to Salesforce again since September 7. Both applications continued to function separately, but their joint functionality was discontinued on August 28. Drift was removed from AppExchange on August 20 and is still absent.
