5 lessons from the Salesforce/Salesloft data breaches

10 Sep 2025

Hundreds of companies, including big cybersecurity companies like Cloudflare, Palo Alto, and Tenable, have become victims of the wave of data breaches impacting compromised Salesforce and Salesloft Drift instances.

 

Globally, organizations rely on Salesforce to efficiently offer support to their customers and to keep track of their customers’ usage of services. In combination with Salesloft’s AI-based chatbot application Drift, organizations can engage visitors on the website, quantify leads, and enhance their interaction with customers.

 

Let us explore how Salesforce/Salesloft-specific breaches have happened, along with some key lessons that organizations can use to improve their readiness towards such incidents.

How did it all happen?

As per a recent detailed investigation by cybersecurity experts from several companies, including Mandiant and Cloudflare, the following is how the attacks were carried out:

 

  • Between March and June 2025, attackers accessed Salesloft’s GitHub account, where they discovered private repositories, created customized workflows, and made new guest users.  
  • They performed limited reconnaissance in Salesloft and Drift environments.  
  • They then shifted to Salesforce Drift’s AWS environment with a primary objective to gain access to OAuth tokens. OAuth tokens are used to allow applications to authenticate users on their behalf. For example, to access data without sharing passwords.  

 

On obtaining OAuth tokens, the attackers:

 

  • Used vishing (voice-based phishing), social engineering methods, and Salesforce’s connecting external apps feature to target users (mostly English-speaking users from MNCs) to follow instructions for urgent troubleshooting
  • The targets were redirected to an authorization page where they were asked to input an 8-digit Salesforce Connect code, giving authorization to a malicious application (often a trojanized version of Salesforce’s Data Loader application disguised as My Ticket Portal) controlled by attackers.
  • The attackers queried and exported data in large volumes (customer data, case-related data, internal business data) after gaining API level access to Salesforce data for extortion and tailored attacks.

Attack timeline

March – attackers accessed Salesloft’s GitHub repositories.

 

June – they maintained persistent access (downloaded content from multiple repositories, added a guest user, and established customized workflows).

 

Between Jun-Aug – Reconnaissance activities in Salesloft and Drift application environments

 

August (Aug 8 to 17) – OAuth theft campaign (stole OAuth tokens from Drift AI chat app to access Salesforce instances and harvest credentials, including AWS access keys, Snowflake-related access tokens, passwords, and OAuth tokens).

 

August – post-August – used stolen tokens to target compromised Salesforce instances and exfiltrate data for further attacks.

Who is impacted by the incident?

The data breaches have impacted all the customers that have deployed Salesloft Drift and Salesforce, including some of the big companies like:

 

  • Cloudflare
  • Palo Alto Networks
  • Tenable
  • Google
  • Adidas
  • Quantas Airlines
  • Louis Vuitton
  • Allianz Life
  • Tiffany & Co
  • Chanel
  • Workday
  • Pandora
  • Cisco
  • France KLM
  • Others

 

The attacks have compromised contact information and other information shared in customer support cases, including log tokens, passwords, and personal details, not to mention reputational damage to the brand due to data breaches.

 

The attackers didn’t access any attachments in the cases, and only text-related content. Their attack campaigns were highly focused on credentials, with attackers using keyword-based searches for credentials.

Lessons learned from the Salesforce-specific data breaches

Supply chain security must be a priority

Integrated third-party systems are prime targets of modern-day attackers. Since organizations rely on platforms for operational efficiency, customer support, and automation, they must regularly assess them for exploitable weaknesses.  

 

A single breach can impact hundreds of companies

The wave of data breaches indicates how fragile digital supply chains can be and that a single breach can expose hundreds of organizations, no matter how big they are. It calls for a holistic vendor risk management with strict security over third-party applications and OAuth tokens.

 

Attackers have shifted their focus

Attackers didn’t target product infrastructure, they attacked their CRM integration. It shows that sensitive data can be stolen from integrations and support systems even if the main products are untouched. They have shifted focus to the channel between business and customers hence organizations must monitor these environments.

 

Awareness is more important than technically complex measures

The attackers exploited social media addresses on GitHub of Salesloft’s employees and unaware employees in MNCs to carry out their attacks.

Training staff against social engineering is a must for any organization, regardless of size, making them aware of cybersecurity best practices like not exposing personal information in public and knowing how to distinguish vishing attempts from legitimate calls.

 

Attackers don’t just go for the obvious they look for oversight

The Salesloft Drift data breaches show how attackers not just target obvious security weaknesses but also little things that are often missed/overlooked. For example, personal data, passwords, confidential information, and credentials were shared over records in Salesforce environments.

Therefore, organizations must monitor whether exploitable credentials are shared in a place where they should not be. They must create a policy that restricts the sharing of credentials in support environments.

Prevention best practices

 

  • Take an inventory of all the connected tools and third-party integrations
  • See if there are malicious or unauthorized OAuth applications
  • Set policies to change credentials regularly
  • Apply zero-trust approach and least privilege access on integrations
  • Monitor continuously for tokens, credentials and API keys
  • Establish a mechanism that real time alerts based on patterns and toolchains

 

Are you looking to proactively identify hidden and overlooked risks across your infrastructure? We can help you assess your security posture with real-world attacking techniques and tactics deployed by modern day attackers. Get started here.

Get in touch with us

We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.

LEARN MORE