Cybersecurity customers at risk due to Salesloft Drift data breach
In a series of alarming events, a supply chain campaign targeting Salesloft Drift was discovered in August 2025, leading to the compromise of OAuth tokens and the theft of Salesforce data from numerous companies. The affected entities include Qantas Airways, Allianz Life and Farmers Insurance, Adidas, LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co, Cisco, and Workday, among others.
The breach also affected cybersecurity providers Palo Alto Networks, Cloudflare, Zscaler, and potentially Cisco. The ransomware group UNC6040 was identified as the perpetrator, having gained access to Salesforce data of their customers from January to August 2025. This information comes from FBI warnings about UNC6040 and UNC6395 conducting data theft attacks on Salesforce platforms during this period.
Palo Alto Networks reported that attackers could view CRM data and basic support information but gained no access to products or infrastructure. Similarly, Cloudflare confirmed that attackers gained access to support tickets in the Salesforce system, exfiltrating contents of text fields, including credentials customers had stored there. Zscaler also reported compromised Salesforce CRM data, affecting business contact data and header information from support cases, but no attachments or files.
Cisco reported that attackers had access to personal data and user information from Cisco.com accounts, but no confidential or protected information from business customers, no passwords, and no other sensitive data fell into the hands of the attackers.
Google first reported these attacks in June, and numerous data breaches have since been linked to the social engineering methods of the ShinyHunters group. These methods include phishing or voice phishing (vishing) to steal data.
The Salesloft Drift breach is a stark reminder of the risks associated with careless third-party integrations. Customers are advised to monitor advisories, communicate cautiously, rotate secrets immediately, check OAuth integrations, examine Salesforce logs, and strengthen phishing defenses.
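Because Cloudflare found that customers had stored credentials in support-ticket text fields, one way to prioritize the recommended secret rotation is to scan your own case text for credential-like strings. The sketch below is an added example, not code from this article or from any affected vendor; the case IDs, sample text and regex patterns are constructed assumptions, and the input is assumed to be an offline export of case text fields.

```python
import re

# Constructed sample export: (case_id, free-text field). Every value is fake.
SAMPLE_CASES = [
    ("CASE-0001", "Login fails after upgrade. password: Hunter2!example"),
    ("CASE-0002", "Our key is AKIAABCDEFGHIJKLMNOP, please check the bucket policy."),
    ("CASE-0003", "Dashboard loads slowly since Tuesday."),
    ("CASE-0004", "curl -H 'Authorization: Bearer abcdEFGH1234ijklMNOP5678' returns 403"),
    ("CASE-0005", "-----BEGIN RSA PRIVATE KEY-----\nMIIBfake\n-----END RSA PRIVATE KEY-----"),
]

# Illustrative patterns (assumption: tune them); group "secret" is what gets redacted.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "private_key": re.compile(
        r"(?s)(?P<secret>-----BEGIN [A-Z ]*PRIVATE KEY-----"
        r"(?:.*?-----END [A-Z ]*PRIVATE KEY-----)?)"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+(?P<secret>[A-Za-z0-9._~+/-]{20,}=*)"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*(?P<secret>\S{6,})"),
}


def scan_cases(cases):
    """Return findings as (case_id, kind) without ever echoing the secret."""
    findings = []
    for case_id, text in cases:
        for kind, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((case_id, kind))
    return findings


def redact(text):
    """Replace each matched secret with a marker so the field can be scrubbed."""
    for kind, pattern in PATTERNS.items():
        mark = f"[REDACTED:{kind}]"
        text = pattern.sub(lambda m, r=mark: m.group(0).replace(m.group("secret"), r), text)
    return text


def rotation_queue(cases):
    """Case IDs whose text fields held something that must be rotated."""
    return sorted({case_id for case_id, _ in scan_cases(cases)})


if __name__ == "__main__":
    for case_id, kind in scan_cases(SAMPLE_CASES):
        print(f"{case_id}: {kind} found, rotate and scrub")
```

A hit means the secret should be treated as exposed and rotated at its source; redacting the ticket text only prevents repeat exposure.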
By August 20, the tokens were revoked, and the Drift app was removed from the Salesforce AppExchange. However, it is important to note that by the end of August, Google confirmed that Drift email tokens were also misused, affecting some Google Workspace accounts in individual cases.
While there appear to be no direct risks, or only minor ones, at this time, companies, especially customers of the affected providers, should expect targeted phishing campaigns that appear particularly credible due to real customer data. It is crucial to remain vigilant and proactive in protecting sensitive information.