Salesloft Drift Incident Caused Mass Data Exfiltration, Sets Ground for Future Attacks
Massive theft of business contact records and support ticket data from over 700 companies' Salesforce instances will set the ground for future, highly targeted cyberattacks.
New to cyber? The short story below gives an idea of what went down.
For the uninitiated: Imagine being a guest at a hotel with great friends. Everyone decides to go outside to enjoy a wonderful time at the pool. Meanwhile, the hotel is responsible for ensuring the security of guest rooms. The manager stores all room keys in a locked drawer and only permits certain employees to access them after guests show proper ID. Unfortunately, there's only one employee manning the front, and they decide to go on an extended lunch break. They leave their key on a hook behind the counter, visible to anyone walking by.
A man with ill intent walks in and approaches the desk, wondering: why is nobody here? No matter. He hops over the counter and swipes the key from its hook. He then unlocks the drawer and starts shoveling all the room keys into a duffel bag. Heading out back, he meets with several associates and hands out the room keys, instructing them to try as many of the keys as possible to steal luggage from the unguarded hotel rooms. Later, in a secure location, the group opens the loot and finds contact information on all their victims. One by one the victims are contacted, and a ransom is demanded: pay us, or you will never see your prized possessions ever again, and your data will be sold online.
A similar situation (replace the hotel with Salesloft Drift and the guests with its customers) is what led to the theft of 1.5 billion Salesforce records (Abrams, 2025b). A question may come to mind: how did nobody notice the thief taking all the keys, then using them to access and steal all those records? It's not necessarily the hotel guests' fault. They were enjoying the pool and had faith that the hotel would take care of them. This is what happens when security controls fail and set off a domino effect: not only does the hotel suffer, but the guests do as well.
Introduction
Several cyber threat actors targeted the Salesforce instances of over 700 companies in an organized campaign and stole over 1.5 billion records, including business contact information and support ticket data (Abrams, 2025b). A nasty mix of social engineering (Google Threat Intelligence Group, 2025) and the abuse of software integrations (Larsen et al., 2025) contributed to these attacks. The theft of authentication tokens from Salesloft Drift, an AI chat agent which integrates into Salesforce, made accessing and exfiltrating information trivial. The FBI detailed the attack chains in a FLASH bulletin (FBI Cyber Division, 2025).
Background on social engineering, software integrations, and authentication tokens follows for readers who want it.
Social Engineering
The process of attempting to trick someone into revealing information (NIST, 2008).
Social engineering is convincing someone to do something you want. Usually there is a goal in mind, and the objective is to create or influence a scenario that allows the goal to be achieved. Social engineering is typically viewed in a negative light and is associated with phishing and manipulation, but it may be used in a plethora of situations.
Regarding the Salesforce data breaches, threat actors phoned employees while posing as IT support staff and talked them into granting access (Google Threat Intelligence Group, 2025).
Software Integration
The process of connecting different software parts or applications so they can seamlessly share important data (Coursera, 2024).
Wouldn't it be neat if you could check your email from Discord? (Please, Discord, never add that.) That capability is software integration: the ability to access or manipulate information from one piece of software within another.
More relevant to the news story, Drift integrates with Salesforce through its Salesforce integration and with Google Workspace instances through its email integration (Larsen et al., 2025). A full list of Drift's 3rd party integrations is available on its website (Salesloft, 2025b).
Authentication Token
Allows internet users to access applications, services, websites, and application programming interfaces (APIs) without having to enter their login credentials each time (Fortinet, 2025).
Software integrations require an API key, an authentication token, or some other connector to work. These tokens prove you are you, and that you are authorizing one piece of software to talk to another. The neat thing about authentication tokens is that they let you automatically "log in as you" inside another application without retyping the login. Have an insanely long email password? After authorizing a connection between that email and a favorite application, that password will not need to be entered again until the token expires or is revoked.
The unsettling thing about authentication tokens is that they sit downstream of the traditional access controls. A token is issued only after the login and any multi-factor prompt have already succeeded, and presenting it later never triggers them again, so multi-factor authentication cannot save you from token theft, just as it cannot save you from session cookie theft or from theft of backup codes. A "magic key" is extremely convenient (most of us use several every day), but the trade-off is what happens when someone else obtains it. In the case of this attack, Google's Threat Intelligence Group and Mandiant warned that any authentication tokens stored in or connected to Drift should be treated as compromised (Larsen et al., 2025).
How Did This Happen?
From March through June 2025, an intruder had access to Salesloft's GitHub account (Salesloft, 2025a), and this went unnoticed for months. From there, the intruders moved into the Amazon Web Services (AWS) environment of Drift, Salesloft's AI-powered chatbot, and stole a significant number of the OAuth tokens that Drift held for its customers' integrations (Toulas, 2025).
Armed with the tokens, threat actors were able to infiltrate and subsequently exfiltrate data from over 700 companies in August. They could do so because a valid token is accepted as an already-authenticated session: it bypasses the login and multi-factor controls that would otherwise stand in the way.
Among targeted customers, were there any trends?
Of particular concern, many cybersecurity companies were hit by this incident (Nudge Security, 2025). At the time of writing, multiple affected companies had reported that most of the data taken was customer management and customer support information. At first glance this may not seem like a huge deal, but as Cloudflare explains in its writeup, it is a significant security issue:
"Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel." - (Cloudflare, 2025)
Cloudflare already informed impacted customers, as have many others. Due to the massive number of companies impacted, there may be delays among breach announcements. For instance, Cloudflare released their announcement on September 2nd. One of the largest automotive companies, Stellantis, announced it was impacted September 22nd (Gatlan, 2025). Notably, Stellantis was impacted because of a third party they used to handle their Salesforce instance, which demonstrates how widespread the incident is.
Threat actors likely had specific targets; shortly after the Salesloft Drift incident, Google confirmed that a fraudulent account had been created in its law enforcement portal (Abrams, 2025a). Google was able to neutralize the account before any queries were made or data was accessed. Certain cybercriminals make most of their money by blackmailing or extorting victims, so it is possible this portal was targeted in an effort to look up information on victims.
Implications and Risks for Future Attacks
Threat actors parsed the stolen data, hunting for secrets. Companies likely rushed to rotate credentials and revoke tokens as a result. However, the massive breach of business contact information has longer-lasting consequences: it is easy to piece together which companies do business together, which in turn may reveal what software and tools each business uses.
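The same hunt, run by the defender: this added example (not code from the article, from Cloudflare, or from any vendor named here) scans support-ticket text for the kinds of secrets Cloudflare warns about, so that every credential a customer pasted into a case can be identified and rotated. The ticket store, the three sample tickets and the pattern list are constructed for the illustration; the AWS access key ID shape (20 characters beginning with "AKIA") is AWS's published format, and the other patterns are generic label-and-value shapes that will need tuning for a real corpus.

```python
"""Triage scanner for support-ticket text that may contain pasted credentials.

Added example, not code from the article or any vendor it names. The ticket
store, sample tickets and pattern list are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Detector patterns, most specific first. Group 1 of each holds the secret.
# AWS access key IDs are 20 chars starting with "AKIA" (published AWS format);
# the remaining patterns are deliberately generic "label: value" shapes.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{16,}=*)")),
    ("labelled_secret", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*([^\s'\",;]{8,})")),
]

# What the credential owner has to do once a hit is confirmed.
ACTIONS = {
    "aws_access_key_id": "deactivate the key in IAM, issue a new one, then delete it",
    "private_key_block": "generate a new key pair and remove the old public key everywhere it is trusted",
    "bearer_token": "revoke the token at the issuer and re-authorise the integration",
    "labelled_secret": "rotate the credential and review where else it was reused",
}

# Constructed sample tickets (hypothetical case IDs; none of the values are real).
SAMPLE_TICKETS = {
    "CASE-0001": (
        "Uploads to the bucket fail with 403. Our key is AKIAIOSFODNN7EXAMPLE and "
        "secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, can you check the policy?"
    ),
    "CASE-0002": "Dashboard shows stale data since yesterday. No credentials attached.",
    "CASE-0003": (
        "API returns 401 even with the header Authorization: Bearer "
        "eyJhbGciOiJIUzI1NiJ9.ZHVtbXk.c2ln and the service account password=Tr0ub4dor&3xample"
    ),
}


@dataclass(frozen=True)
class Finding:
    ticket_id: str
    kind: str
    redacted: str   # enough to recognise the credential, never the whole value
    action: str     # what the owner must do now


def redact(secret: str) -> str:
    """Keep a short prefix and suffix so the owner can tell which credential it is."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_ticket(ticket_id: str, text: str) -> list[Finding]:
    """Run every pattern over one ticket; a value caught by a more specific pattern is not re-reported."""
    findings, seen = [], set()
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            secret = m.group(1)
            if secret in seen:
                continue
            seen.add(secret)
            findings.append(Finding(ticket_id, kind, redact(secret), ACTIONS[kind]))
    return findings


def scan_tickets(tickets: dict[str, str]) -> list[Finding]:
    out = []
    for tid, text in tickets.items():
        out.extend(scan_ticket(tid, text))
    return out


def rotation_report(findings: list[Finding]) -> dict[str, list[str]]:
    """Group hits by ticket so each customer contact receives one consolidated notice."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.ticket_id, []).append(f"{f.kind}: {f.redacted} -> {f.action}")
    return report


if __name__ == "__main__":
    for tid, lines in rotation_report(scan_tickets(SAMPLE_TICKETS)).items():
        print(tid)
        for line in lines:
            print("  " + line)
```

Run as a script it prints a per-ticket rotation list. The scanner reports only a redacted prefix of each hit, so the triage output does not become another place the secret lives. A regex-only pass will miss secrets pasted without a recognisable label, so treat a clean result as a starting point for manual review, not as proof that nothing leaked.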
Spearphishing
Spearphishing is a highly-targeted phishing campaign. Businesses should anticipate and plan for targeted voice calls, texts, or emails due to the massive amount of business contact information stolen. Criminals may impersonate known business contacts or associates.
Third Party Breaches
A third party (or supply chain) breach occurs when a tool or service you use gets compromised. Again, with the leak of business contact records and support tickets, criminals may be able to identify platforms which are used by their targets, and they may attempt to breach the shared platform to access target environments.
Threat Actors Are Blending In (Highlighting the Need for Zero Trust)
These particular threat actors prefer to move through existing services in their victims' environments using stolen credentials in an effort to avoid detection. This is a growing trend: CrowdStrike's 2025 Global Threat Report found that 79% of detections of malicious activity were malware-free (CrowdStrike, 2025).
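Because the actor arrives with a valid token and no malware, detection has to key on behaviour rather than on signatures. The following is an added example, not code from the article or from Salesforce, Salesloft, CrowdStrike or any other vendor named here. It profiles each integration token from a week of constructed API traffic and then flags the three things a token-theft exfiltration changes at once: a client fingerprint (user agent plus source address) the token has never used, an hourly row count far above the token's own peak, and a sweep across objects the token never touched. The event schema, the sample traffic, the token and object names, and the thresholds are all assumptions.

```python
"""Behavioural detection for a stolen integration token.

Added example, not code from the article or from any vendor it names. A stolen
OAuth token is a valid credential, so there is no malware or failed login to
catch; what changes is how the token behaves. The event schema, sample traffic
and thresholds below are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    token_id: str     # the integration credential that made the call
    user_agent: str
    src_ip: str
    sobject: str      # object queried, e.g. "Case"
    rows: int         # rows returned


@dataclass(frozen=True)
class Alert:
    token_id: str
    hour: datetime
    rule: str
    detail: str


def hour_bucket(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events, until):
    """Profile each token from traffic before `until`: known clients, objects and peak hourly rows."""
    base = {}
    hourly = defaultdict(int)
    for e in events:
        if e.ts >= until:
            continue
        b = base.setdefault(e.token_id, {"clients": set(), "objects": set(), "hourly_max": 0})
        b["clients"].add((e.user_agent, e.src_ip))
        b["objects"].add(e.sobject)
        hourly[(e.token_id, hour_bucket(e.ts))] += e.rows
    for (tok, _), rows in hourly.items():
        base[tok]["hourly_max"] = max(base[tok]["hourly_max"], rows)
    return base


def detect(events, baseline_until, volume_factor=10, volume_floor=1000, sweep_min=4):
    """Compare each post-baseline hour of a token's activity against its own profile."""
    base = build_baseline(events, baseline_until)
    buckets = defaultdict(lambda: {"rows": 0, "objects": set(), "clients": set()})
    for e in events:
        if e.ts < baseline_until:
            continue
        k = buckets[(e.token_id, hour_bucket(e.ts))]
        k["rows"] += e.rows
        k["objects"].add(e.sobject)
        k["clients"].add((e.user_agent, e.src_ip))

    alerts = []
    for (tok, hour), k in sorted(buckets.items()):
        b = base.get(tok)
        if b is None:  # a token with no history at all is itself worth a look
            alerts.append(Alert(tok, hour, "unknown_token", "no history before baseline cutoff"))
            continue
        new_clients = k["clients"] - b["clients"]
        if new_clients:
            alerts.append(Alert(tok, hour, "new_client", f"unseen client(s): {sorted(new_clients)}"))
        limit = max(volume_factor * b["hourly_max"], volume_floor)
        if k["rows"] > limit:
            alerts.append(Alert(tok, hour, "bulk_export", f"{k['rows']} rows in one hour, limit {limit}"))
        new_objects = k["objects"] - b["objects"]
        if len(k["objects"]) >= sweep_min and new_objects:
            alerts.append(Alert(tok, hour, "object_sweep",
                                f"{len(k['objects'])} objects incl. unseen {sorted(new_objects)}"))
    return alerts


CUTOFF = datetime(2025, 8, 8)  # everything before this is treated as known-good history


def build_sample_events():
    """Constructed traffic: a week of routine sync, then a night-time sweep from a new client."""
    start = datetime(2025, 8, 1)
    events = []
    for day in range(7):
        for hour, obj in ((9, "Lead"), (13, "Contact"), (16, "Lead")):
            events.append(ApiEvent(start + timedelta(days=day, hours=hour),
                                   "tok-drift", "DriftSync/1.0", "203.0.113.10", obj, 40))
    sweep_start = CUTOFF + timedelta(hours=2)
    for i, obj in enumerate(["Case", "Account", "Contact", "Opportunity", "User"]):
        events.append(ApiEvent(sweep_start + timedelta(minutes=5 * i),
                               "tok-drift", "curl/8.0", "198.51.100.7", obj, 20_000))
    # Routine sync continues that morning and must not alert.
    events.append(ApiEvent(CUTOFF + timedelta(hours=9),
                           "tok-drift", "DriftSync/1.0", "203.0.113.10", "Lead", 40))
    return events


if __name__ == "__main__":
    for a in detect(build_sample_events(), CUTOFF):
        print(f"{a.hour:%Y-%m-%d %H:00} {a.token_id} {a.rule}: {a.detail}")
```

The three rules fire together on the 02:00 sweep and stay silent for the routine 09:00 sync, which is the point: no single signal is conclusive, but a token that changes client, volume and scope in the same hour is behaving like a token in someone else's hands. In production the baseline would come from your API or event-monitoring logs rather than a constructed list, and the factor and floor would be set per token from its observed history.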
Citation and Contact
Catograph.net. (2025, September 24). Salesloft Drift Incident Caused Mass Data Exfiltration, Sets Ground for Future Attacks. Catograph.net. https://catograph.net/article/2/salesloft-drift
References
- Abrams, L. (2025a, September 15). Google confirms fraudulent account created in law enforcement portal. Bleeping Computer; Bleeping Computer LLC. https://www.bleepingcomputer.com/news/security/google-confirms-fraudulent-account-created-in-law-enforcement-portal/
- Abrams, L. (2025b, September 17). ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks. Bleeping Computer; Bleeping Computer LLC. https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/
- Cloudflare. (2025, September 2). The impact of the Salesloft Drift breach on Cloudflare and our customers. Cloudflare Blog; Cloudflare. https://blog.cloudflare.com/response-to-salesloft-drift-incident/
- Coursera. (2024, October 31). Software Integration: Examples and Why It's Important. Coursera; Coursera Inc. https://www.coursera.org/articles/software-integration
- CrowdStrike. (2025). CrowdStrike 2025 Global Threat Report. CrowdStrike.com; CrowdStrike. https://www.crowdstrike.com/en-us/global-threat-report/
- FBI Cyber Division. (2025). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. In Internet Crime Complaint Center. FBI. https://www.ic3.gov/CSA/2025/250912.pdf
- Fortinet. (2025). What Is an Authentication Token? Fortinet; Fortinet, Inc. https://www.fortinet.com/resources/cyberglossary/authentication-token
- Gatlan, S. (2025, September 22). Automaker giant Stellantis confirms data breach after Salesforce hack. Bleeping Computer; Bleeping Computer LLC. https://www.bleepingcomputer.com/news/security/automaker-giant-stellantis-confirms-data-breach-after-salesforce-hack/
- Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Google Cloud Blog; Google. https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
- Larsen, A., Lin, M., McLellan, T., & ElAhdan, O. (2025, August 28). Widespread Data Theft Targets Salesforce Instances via Salesloft Drift. Google Cloud; Google Threat Intelligence Group and Mandiant. https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift?e=48754805
- NIST. (2008, September). Computer Security Resource Center Glossary. CSRC; National Institute of Standards and Technology. https://csrc.nist.gov/glossary/term/social_engineering
- Nudge Security. (2025, August). Salesloft Drift Breach - Track the Salesforce Incident. Nudge Security. https://www.driftbreach.com/
- Salesloft. (2025a, September 6). Update on Mandiant Drift and Salesloft Application Investigations. Salesloft.com; Salesloft, Inc. https://trust.salesloft.com/?uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations
- Salesloft. (2025b, September 18). Drift - 3rd Party Integration Guide. Salesloft.com. https://help.salesloft.com/s/article/3rd-Party-Integration-Guide?language=en_US
- Toulas, B. (2025, September 8). Salesloft: March GitHub repo breach led to Salesforce data theft attacks. Bleeping Computer; Bleeping Computer LLC. https://www.bleepingcomputer.com/news/security/salesloft-march-github-repo-breach-led-to-salesforce-data-theft-attacks/