SalesLoft on Tuesday announced that several companies will be temporarily collecting drifts offline in the “very near future” as they are caught up in a widespread supply chain attack targeting marketing software as a service, resulting in mass theft of certified tokens.
“This provides the fastest path to comprehensively reviewing applications, building additional resilience and security within the system, and bringing applications back to full functionality,” the company said. “As a result, the customer website’s drift chatbot is not available and drift is not accessible.”
The company said its top priority is ensuring the integrity and security of the system and customer data, and is working with cybersecurity partner Mandiant and Coalition as part of its incident response efforts.
The development revealed that Google Threat Intelligence Group (GTIG) and Mandiant had revered tokens related to stolen Oauth and Drift Artificial Intelligence (AI) chat agents, calling it a widespread data theft campaign that compromised customer’s Salesforce instances.
“Until August 8, 2025, and at least until August 18, 2025, the actor targeted Salesforce customer instances through a compromised OAUTH token associated with Salesloft Drift’s third-party applications,” the company said last week.
The activity is attributed to a threat cluster called UNC6395 (aka Grub1), and Google tells Hacker News that more than 700 organizations may have been potentially affected.
Initially, it was alleged that exposure was limited to integrations between SalesLoft and Salesforce, but since then it has become clear that the platform integrated with drift and it could potentially be compromised. At this stage it is exactly the same as how threat actors gained initial access to SalesLoft Drift.
The incident prompted Salesforce to temporarily disable all SalesLoft integrations with Salesforce as a precaution. Some of the companies that have confirmed they are affected by the violation are:
“We believe this incident was not an isolated event and that the threat actor was intended to harvest qualifications and customer information for future attacks,” CloudFlare said.
“Given hundreds of organizations have been affected through this drift compromise, we believe threat actors will use this information to launch targeted attacks on customers across affected organizations.”
Source link
