Executive Summary
Salesloft has taken Drift fully offline following a large-scale OAuth token theft campaign that impacted hundreds of organizations worldwide. Between August 8 and 18, 2025, the threat actor abused stolen Drift-linked OAuth tokens to access connected Salesforce instances, and Salesloft has since confirmed exfiltration of Salesforce data, including credentials and secrets that had been stored in records. Google Threat Intelligence Group (GTIG) attributes the campaign to UNC6395 (aka GRUB1) and estimates that 700+ organizations may have been affected.
As containment escalated, Salesloft revoked Drift–Salesforce tokens and required re-authentication (Aug 20), advised API key rotation for third-party integrations (Aug 27), and paused the Salesloft–Salesforce integration pending investigation (Aug 31). Salesforce disabled Drift integrations with Salesforce, Slack, and Pardot (Aug 28). On September 2, 2025, Drift was taken fully offline to harden security and rebuild resiliency. Mandiant and Coalition are assisting. Salesloft reports no evidence of compromise in the core platform.
Who’s affected: The incident was initially thought to be limited to Salesforce, but any platform integrated with Drift is now considered at risk. Organizations that have acknowledged impact include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, SpyCloud, Tanium, and Zscaler.
Immediate actions:
- Revoke/rotate OAuth tokens and API keys linked to Drift and third-party integrations.
- Audit Salesforce and other connected apps for suspicious activity and review logs against the provided IOCs and attacker query patterns.
- Enable MFA wherever possible.
- Monitor for spear-phishing leveraging stolen customer data.
Current status (September 2025): Drift offline, Salesloft–Salesforce integration paused, and customer monitoring/mitigations recommended.
In a significant development, Salesloft has announced that it is taking its Drift platform temporarily offline after a large-scale OAuth token theft campaign impacted hundreds of organizations worldwide. The move comes as part of a broader incident response effort to secure the platform and prevent further compromise.
What Happened
According to the company, multiple organizations were caught up in a supply chain attack that resulted in the mass theft of authentication tokens linked to Drift, a widely used AI-powered chatbot and marketing automation tool.
Salesloft stated that disabling Drift is the “fastest path forward” to conduct a comprehensive security review and implement additional safeguards. As a result, the Drift chatbot will be temporarily unavailable on customer websites, and the platform itself will be inaccessible.
Timeline of Events:
| Date | Event |
|---|---|
| Aug 8–18, 2025 | Threat actor used OAuth credentials to access connected Salesforce instances, executing queries to extract data. |
| Aug 20, 2025 | Salesloft detected the incident, revoked Drift–Salesforce tokens, and required re-authentication. Security notification issued. |
| Aug 25, 2025 | Investigation ongoing; no evidence of ongoing activity. |
| Aug 26, 2025 | Confirmed exfiltration of Salesforce data (credentials, secrets). Customers notified. IOCs shared. |
| Aug 27, 2025 | Advisory for Drift customers to rotate/revoke API keys for third-party app integrations. |
| Aug 28, 2025 | Salesforce disabled Drift integrations with Salesforce, Slack, and Pardot. Salesloft also disconnected from Salesforce as a precaution. |
| Aug 29, 2025 | Functionality impact clarified (Salesforce sync/imports down; Salesloft core still usable). |
| Aug 31, 2025 | Salesloft–Salesforce integration officially paused pending Mandiant’s investigation. |
| Sep 2, 2025 | Drift taken fully offline to harden security and rebuild resiliency. |
Cybersecurity firm Mandiant and insurance/security provider Coalition are assisting in the response, while Google Threat Intelligence Group (GTIG) attributed the campaign to a threat actor cluster tracked as UNC6395 (aka GRUB1).
Google estimates that over 700 organizations may have been affected, highlighting the far-reaching nature of this supply chain attack.
Who’s Affected?
While the incident was initially believed to be restricted to Salesforce integrations, it has since been confirmed that any platform integrated with Drift may be at risk. Salesforce has proactively disabled all Salesloft integrations as a precautionary measure.
High-profile organizations that have acknowledged impact include:
- Cloudflare
- Google Workspace
- PagerDuty
- Palo Alto Networks
- SpyCloud
- Tanium
- Zscaler
Industry Response
Cloudflare noted, “We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks.”
The concern now extends beyond the initial token theft — security experts warn that the stolen credentials could fuel future targeted attacks across affected industries.
What’s Next?
Salesloft emphasized that its top priority is customer security and confirmed that it is working closely with Mandiant and Coalition to restore Drift with stronger security measures.
In the meantime, impacted organizations are advised to:
- Review OAuth integrations and revoke unused/compromised tokens.
- Audit Salesforce and other connected applications for suspicious activity.
- Enable multi-factor authentication (MFA) wherever possible.
- Monitor for spear-phishing campaigns leveraging stolen customer data.
Indicators of Compromise (IOCs)
User-Agent Strings
- python-requests/2.32.4
- Salesforce-Multi-Org-Fetcher/1.0
- Python/3.11 aiohttp/3.12.15
IP Addresses
- 154.41.95.2
- 176.65.149.100
- 179.43.159.198
- 185.130.47.58
- 185.207.107.130
- 185.220.101.133
- 185.220.101.143
- 185.220.101.164
- 185.220.101.167
- 185.220.101.169
- 185.220.101.180
- 185.220.101.185
- 185.220.101.33
- 192.42.116.179
- 192.42.116.20
- 194.15.36.117
- 195.47.238.178
- 195.47.238.83
- 208.68.36.90
- 44.215.108.109
Several of these addresses, notably the 185.220.101.x entries, are Tor exit nodes shared by many unrelated users. Treat an IP-only match as weaker evidence than a user-agent or query-shape match, and do not rely on IP blocking alone.
Attacker Queries (sample from Salesforce logs):
```sql
SELECT Id, Description, Subject, Comments
FROM Case
WHERE CreatedDate >= : x
ORDER BY CreatedDate DESC NULLS FIRST
LIMIT 2000;

SELECT Id
FROM Case
WHERE SuppliedEmail LIKE : x
LIMIT 1000;
```
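As an added example (not code from the advisory, Salesloft, or GTIG), the following Python script runs the user-agent, IP address and query-shape indicators above over a constructed CSV of Salesforce API activity. The column names TIMESTAMP, USER_ID, CLIENT_IP, USER_AGENT and QUERY are an assumed, simplified layout; map them onto the columns of your own Salesforce Event Log File export. The query check is generalised beyond the two literal queries above: it flags any large LIMITed pull from Case and any SuppliedEmail LIKE probe, with the 1000-row threshold being an assumption to tune for your org.

```python
"""Hunt Salesforce API activity for the Drift / UNC6395 indicators.

Added example: the CSV layout (TIMESTAMP, USER_ID, CLIENT_IP, USER_AGENT, QUERY)
is an assumption; map it onto your own Salesforce Event Log File columns.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Indicators published for the campaign (copied from the advisory above).
IOC_USER_AGENTS = {
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Python/3.11 aiohttp/3.12.15",
}
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "154.41.95.2", "176.65.149.100", "179.43.159.198", "185.130.47.58",
    "185.207.107.130", "185.220.101.133", "185.220.101.143", "185.220.101.164",
    "185.220.101.167", "185.220.101.169", "185.220.101.180", "185.220.101.185",
    "185.220.101.33", "192.42.116.179", "192.42.116.20", "194.15.36.117",
    "195.47.238.178", "195.47.238.83", "208.68.36.90", "44.215.108.109",
)}

# Shape of the attacker's SOQL, generalised beyond the two literal queries:
# large LIMITed pulls from Case, and SuppliedEmail LIKE probes against Case.
BULK_CASE_PULL = re.compile(r"\bFROM\s+Case\b.*?\bLIMIT\s+(\d+)", re.I | re.S)
EMAIL_PROBE = re.compile(r"\bFROM\s+Case\b.*?\bSuppliedEmail\s+LIKE\b", re.I | re.S)
BULK_ROW_THRESHOLD = 1000  # assumed; tune to what Drift normally pulls in your org


@dataclass
class Finding:
    row: int
    timestamp: str
    user_id: str
    reasons: list
    confidence: str  # "high" if UA or query shape matched, "medium" if IP only


def analyze_record(rec: dict) -> list:
    """Return the indicator matches for one log record (empty list if clean)."""
    reasons = []
    ua = rec.get("USER_AGENT", "").strip()
    if ua in IOC_USER_AGENTS:
        reasons.append(f"ioc user-agent: {ua}")
    try:
        addr = ipaddress.ip_address(rec.get("CLIENT_IP", "").strip())
    except ValueError:
        addr = None
    if addr in IOC_IPS:
        reasons.append(f"ioc source ip: {addr}")
    query = rec.get("QUERY", "")
    m = BULK_CASE_PULL.search(query)
    if m and int(m.group(1)) >= BULK_ROW_THRESHOLD:
        reasons.append(f"bulk Case pull (LIMIT {m.group(1)})")
    if EMAIL_PROBE.search(query):
        reasons.append("SuppliedEmail LIKE probe against Case")
    return reasons


def hunt(csv_text: str) -> list:
    """Scan a CSV export and return one Finding per record that matches."""
    findings = []
    for row_no, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        reasons = analyze_record(rec)
        if not reasons:
            continue
        # Several IOC addresses are Tor exit nodes shared by many users, so an
        # IP-only hit is weaker evidence than a user-agent or query-shape hit.
        ip_only = all(r.startswith("ioc source ip") for r in reasons)
        findings.append(Finding(row_no, rec.get("TIMESTAMP", ""), rec.get("USER_ID", ""),
                                reasons, "medium" if ip_only else "high"))
    return findings


# Constructed sample: one benign row followed by three that should fire.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,QUERY
2025-08-09T03:14:07Z,005xx000001A,203.0.113.10,Mozilla/5.0 (Windows NT 10.0),"SELECT Id, Name FROM Account LIMIT 10"
2025-08-09T03:15:22Z,005xx000001D,185.220.101.133,python-requests/2.32.4,"SELECT Id, Description, Subject, Comments FROM Case WHERE CreatedDate >= 2025-08-01T00:00:00Z ORDER BY CreatedDate DESC NULLS FIRST LIMIT 2000"
2025-08-10T11:02:48Z,005xx000001D,185.220.101.33,Mozilla/5.0 (X11; Linux x86_64),"SELECT Id FROM Contact LIMIT 5"
2025-08-12T19:40:01Z,005xx000001D,198.51.100.7,curl/8.4.0,"SELECT Id FROM Case WHERE SuppliedEmail LIKE '%@example.com' LIMIT 1000"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"row {f.row} {f.timestamp} user={f.user_id} [{f.confidence}] " + "; ".join(f.reasons))
```

Run against the sample, the second row fires on all three indicator types, the third on a Tor exit address only (reported at medium confidence), and the fourth on query shape alone even though its address and user-agent are not on the list; that last case is the one an IP blocklist would miss.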
Tactics, Techniques, and Procedures (TTPs)
Mapped to MITRE ATT&CK:
- Initial Access: Abuse of the Drift integration's trust relationship with Salesforce (T1199 – Trusted Relationship) using stolen Drift OAuth tokens (T1078.004 – Valid Accounts: Cloud Accounts)
- Execution: Automated SOQL queries issued through the Salesforce API (T1059.009 – Command and Scripting Interpreter: Cloud API)
- Persistence: Continued access with the stolen OAuth refresh tokens until they were revoked (T1078.004 – Valid Accounts: Cloud Accounts)
- Defense Evasion: Replay of the stolen tokens so that the activity looked like legitimate Drift traffic (T1550.001 – Use Alternate Authentication Material: Application Access Token)
- Credential Access: Theft of the Drift-issued OAuth tokens (T1528 – Steal Application Access Token); harvesting of AWS keys, Snowflake tokens and embedded passwords from Salesforce records (T1552 – Unsecured Credentials)
- Discovery: Enumeration of Salesforce users and objects (T1087.004 – Account Discovery: Cloud Account)
- Collection: Structured Salesforce data (cases, accounts, users, opportunities) pulled via bulk queries (T1213 – Data from Information Repositories)
- Exfiltration: Query results retrieved in bulk by the attacker's scripted tooling (T1020 – Automated Exfiltration)
Attack Anatomy
- Credential Theft: Obtained Drift OAuth credentials.
- Salesforce API Abuse: Used tokens to impersonate Drift–Salesforce traffic.
- Data Mining: Queried Salesforce objects (cases, accounts, users, opportunities).
- Credential Harvesting: Sought AWS/Snowflake secrets in Salesforce records.
- Defense Evasion: Activity blended in with legitimate Drift traffic because it used Drift's own tokens.
- Containment: Drift–Salesforce revoked; integrations with Salesforce, Slack, Pardot disabled.
- Remediation: API key rotation, token revocation, Drift taken offline.
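The credential-harvesting step above is also the defender's remediation problem: you need to know which secrets sat in your Salesforce records to know what to rotate. As an added example (not the advisory's or Salesloft's code), this Python script scans a constructed CSV export of Case records for the secret types the advisory names (AWS keys, Snowflake endpoints, embedded passwords) plus private-key blocks, and reports a redacted preview and a SHA-256 fingerprint rather than the secret itself, so the report can be attached to a ticket without re-exposing the credential. The column names and sample records are constructed; the AWS values are the placeholder example credentials from AWS documentation.

```python
"""Scan exported Salesforce records for secrets of the kinds the attacker hunted.

Added example: the CSV layout (Id, Subject, Description, Comments) and the
sample records are constructed; adapt FIELDS_TO_SCAN to your own export.
"""
import csv
import hashlib
import io
import re
from dataclasses import dataclass

# (kind, pattern). When the pattern has a group, group 1 is the secret value.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(r"\bsecret\W{1,20}([A-Za-z0-9/+=]{40})\b", re.I)),
    ("snowflake_account_host", re.compile(r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b", re.I)),
    ("embedded_password", re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})", re.I)),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Keywords the actor searched for; reported (low severity) only when nothing stronger hit.
KEYWORD_HINT = re.compile(r"\b(?:secret|api[\s_-]?key|access[\s_-]?token|password)\b", re.I)
FIELDS_TO_SCAN = ("Subject", "Description", "Comments")


@dataclass
class SecretFinding:
    record_id: str
    field: str
    kind: str
    severity: str
    preview: str      # redacted, safe to paste into a ticket
    fingerprint: str  # sha256 prefix, lets you match the same secret elsewhere


def redact(value: str) -> str:
    """Keep the first 4 characters so the owner can recognise which secret it is."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_text(record_id: str, field: str, text: str) -> list:
    """Return the secret findings for one field value."""
    hits = []
    for kind, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            secret = m.group(1) if m.lastindex else m.group(0)
            hits.append(SecretFinding(record_id, field, kind, "high", redact(secret), fingerprint(secret)))
    if not hits:
        kw = KEYWORD_HINT.search(text)
        if kw:
            hits.append(SecretFinding(record_id, field, "keyword_hint", "low", kw.group(0), ""))
    return hits


def scan_export(csv_text: str) -> list:
    """Scan every configured field of every record in a CSV export."""
    findings = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        for field in FIELDS_TO_SCAN:
            findings.extend(scan_text(rec.get("Id", ""), field, rec.get(field) or ""))
    return findings


# Constructed sample export. The AWS values are the placeholder example
# credentials from AWS documentation, not real keys.
SAMPLE_EXPORT = """Id,Subject,Description,Comments
500xx00000001,Login issue,User cannot log in since Monday,
500xx00000002,AWS sync failing,Please use key AKIAIOSFODNN7EXAMPLE and secret wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY for the S3 bucket,
500xx00000003,Snowflake ETL,"Warehouse at xy12345.snowflakecomputing.com, password=Winter2025!Rotate",
500xx00000004,Renewal question,Customer asked about the api key rotation policy,
"""

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f.record_id} {f.field}: {f.kind} [{f.severity}] {f.preview} {f.fingerprint}")
```

Every high-severity hit is a credential to rotate regardless of whether your logs show the attacker reading that specific record, because the queries above pulled Case rows in bulk. The keyword hints are for manual triage only; they catch the free-text mentions the actor was searching for that no regex can classify.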
Current Status (as of September 2025)
- Drift offline, undergoing security rebuild
- Salesloft–Salesforce integration paused
- No evidence of compromise in Salesloft core platform
- Customer actions recommended:
  - Rotate Drift API keys
  - Re-authenticate Salesforce connections when restored
  - Monitor logs against provided IOCs
Final Thoughts
This breach underscores the growing risks in SaaS supply chain attacks, where a single compromised integration can ripple across hundreds of organizations. As businesses increasingly rely on interconnected cloud platforms, attackers are exploiting trust relationships to maximize impact.
The Drift incident serves as a stark reminder: OAuth tokens are keys to the kingdom — and their theft can be just as damaging as password leaks.
About iZOOlogic
At iZOOlogic, we specialize in detecting, mitigating, and preventing threats stemming from data breaches, phishing, malware, and supply chain attacks. Our dedicated threat intelligence and incident response teams monitor evolving attack vectors to protect enterprises from targeted campaigns like the Salesloft Drift OAuth compromise. By providing end-to-end digital risk protection, we help organizations stay resilient against cybercriminals seeking to exploit trust in cloud and SaaS ecosystems.
