Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations

Sep 03, 2025Ravie LakshmananData Breach / Threat Intelligence,

Salesloft on Tuesday announced that it’s taking Drift temporarily offline “in the very near future,” as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens.

“This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible.”

The company said its top priority is to ensure the integrity and security of its systems and customers’ data, and that it’s working with cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts.

The development comes after Google Threat Intelligence Group (GTIG) and Mandiant disclosed what it said was a widespread data theft campaign that has leveraged stolen OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent to breach customers’ Salesforce instances.

“Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application,” the company said last week.

The activity has been attributed to a threat cluster dubbed UNC6395 (aka GRUB1), with Google telling The Hacker News that more than 700 organizations may have been potentially impacted.

While it was initially claimed that the exposure was limited to Salesloft’s integration with Salesforce, it has since emerged that any platform integrated with Drift is potentially compromised. Exactly how the threat actors gained initial access to Salesloft Drift remains unknown at this stage.

The incident has also prompted Salesforce to temporarily disable all Salesloft integrations with Salesforce as a precautionary measure. Some of the businesses that have confirmed being impacted by the breach are as follows –

“We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks,” Cloudflare said.

“Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!