Rising Threats: Salesforce Supply Chain Attacks

Salesloft Drift Breach — Widespread Impact

A significant supply chain cyberattack exploited the Salesloft Drift chatbot integration with Salesforce, compromising OAuth tokens and enabling unauthorized access to customer data in hundreds of Salesforce-based systems. Threat actors systematically exfiltrated sensitive records, including contact details and support case content, across multiple organizations such as Cloudflare, Palo Alto Networks, Dynatrace, and Zscaler.

Cloudflare disclosed that between August 12 and 17, 2025, attackers accessed and extracted text from support case records—some of which contained API tokens and sensitive data—prompting them to rotate credentials and notify affected customers.

Palo Alto Networks confirmed exposure of business contact data and internal sales information, while Google and Zscaler were also confirmed victims in this campaign.

This breach underscores how third-party integrations can introduce vulnerabilities—particularly when they involve persistent, non-expiring OAuth tokens.


Configuration Risks & Vulnerabilities in Salesforce Environments

A security audit revealed 5 zero-day vulnerabilities and 20+ misconfigurations within Salesforce’s Industry Cloud components. These flaws—such as a SOQL injection vector through improperly sanitized parameters—could allow unauthorized access to sensitive data, encrypted fields, session logs, and credentials.

Salesforce responded by issuing patches and updating documentation. While most issues were resolved by the vendor, some require customers to adjust configurations for enhanced security.
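To make the SOQL injection class named in the audit findings concrete, here is an added example (not code from Salesforce or from the audit) that builds the same query by concatenation and with sanitized parameters. The Contact fields, the ORDER BY allowlist and the crafted input are assumptions constructed for illustration.

```python
import re

# Characters that need a backslash inside a quoted SOQL string literal.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"',
            "\n": "\\n", "\r": "\\r", "\t": "\\t"}

# Assumed allowlist: field names cannot be quoted, so they are checked
# against known-good values instead of being escaped.
SORTABLE_FIELDS = {"Name", "Email", "CreatedDate"}


def soql_literal(value: str) -> str:
    """Return value as a quoted SOQL literal with special characters escaped."""
    return "'" + "".join(_ESCAPES.get(ch, ch) for ch in value) + "'"


def build_unsafe(last_name: str, order_by: str) -> str:
    """Flawed pattern: caller-controlled text concatenated into the query."""
    return ("SELECT Id, Name FROM Contact WHERE LastName = '" + last_name
            + "' ORDER BY " + order_by)


def build_safe(last_name: str, order_by: str) -> str:
    """Escape the value; allowlist the identifier."""
    if order_by not in SORTABLE_FIELDS:
        raise ValueError(f"field not allowed in ORDER BY: {order_by!r}")
    return ("SELECT Id, Name FROM Contact WHERE LastName = "
            + soql_literal(last_name) + " ORDER BY " + order_by)


def string_literals(query: str) -> list[str]:
    """Bodies of the quoted literals in query, honouring backslash escapes."""
    return re.findall(r"'((?:\\.|[^'\\])*)'", query)


if __name__ == "__main__":
    crafted = "x' OR LastName != '"   # constructed input, not from the page
    for build in (build_unsafe, build_safe):
        q = build(crafted, "Name")
        # One literal: input stayed data. Two: input rewrote the WHERE clause.
        print(build.__name__, len(string_literals(q)), q)
```

Inside Apex itself, bind variables achieve the same separation of query text and data without manual escaping.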


What This Means for Salesforce Users

  • Third-party dependencies are a major attack vector. Integrations—especially with components like chatbots—must be carefully audited and managed.
  • Misconfigurations continue to pose serious risks. Even minor oversights in security settings can result in data exposure.
  • Proactive patching and good governance are crucial. Organizations must act quickly to apply updates and follow best practices for securing cloud infrastructure.

Summary: Quick Snapshot

Issue | Details & Impact
Salesloft Drift Breach | OAuth token misuse led to data theft across many orgs (e.g., Cloudflare, Google)
Configuration & Vulnerability Risks | Zero-days and misconfigurations exposed sensitive data; patches issued
Security Takeaway | Third-party apps and configurations are primary security failure points
