Full Report
Jeffrey Burt reports: The ever-widening series of supply chain attacks on Salesforce instances linked to Salesloft’s Drift app has claimed a number of new victims in recent days, including Cloudflare, Palo Alto Networks, and Zscaler. Cybersecurity firms SpyCloud and PagerDuty also said they were hit by the UNC6395 threat group that exploited a vulnerability in... Source
Analysis Summary
# Incident Report: Salesloft Drift Supply Chain Compromise
## Executive Summary
A supply chain attack orchestrated by the UNC6395 threat group exploited a vulnerability in the **Salesloft Drift OAuth integration** with Salesforce. This allowed attackers to steal sensitive information from the Salesforce instances of hundreds of organizations, including major cybersecurity firms like Cloudflare, Palo Alto Networks, and Zscaler, by using compromised OAuth tokens. The incident was active for several days in August 2025, leading to widespread data theft across customer support and sales workflow systems.
## Incident Details
- **Discovery Date:** Unknown (Timeline suggests active exploitation occurred August 8 through August 18, 2025)
- **Incident Date:** Approximately August 8, 2025, through August 18, 2025
- **Affected Organization (Reported Victims):** Cloudflare, Palo Alto Networks, Zscaler, SpyCloud, PagerDuty, and hundreds of other Salesforce customers relying on Salesloft Drift.
- **Sector:** Information Technology, Cybersecurity Services
- **Geography:** Not explicitly stated, but involves global technology businesses.
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning around August 8, 2025
- **Vector:** Exploitation of compromised OAuth tokens associated with the **Salesloft Drift application** integrated with Salesforce.
- **Details:** UNC6395 targeted Salesforce customers via the access grants provisioned to the Salesloft Drift application, which automates sales workflows.
### Lateral Movement
- **Details:** Once access was obtained via the compromised OAuth tokens, the attacker queried the victim organization's Salesforce instance (e.g., Cloudflare's instance used for customer support and case management). No lateral movement within victims' internal networks is described, which suggests the compromise was limited to the data reachable through the Salesforce APIs with the token's privileges.
### Data Exfiltration/Impact
- **Details:** Sensitive information was stolen from the Salesforce instances of affected organizations. For Cloudflare, this included data from their customer support and case management systems.
### Detection & Response
- **How it was discovered:** The scope and nature of the wide-scale exploitation were documented by Google Threat Intelligence Group (GTIG) starting around August 18, 2025, and publicly reported in early September 2025.
- **Response actions taken:** Victims (like Cloudflare) began responding by reviewing their Salesforce instances and securing customer support data accessed via the integration.
## Attack Methodology (Based on GTIG Reporting)
- **Initial Access:** Compromised OAuth tokens associated with the Salesloft Drift application.
- **Persistence:** Not explicitly detailed, likely relying on the validity of the compromised OAuth tokens during the active window.
- **Privilege Escalation:** Not applicable; access was achieved via legitimate integration permissions granted to the Salesloft Drift app via OAuth.
- **Defense Evasion:** Using legitimate service accounts/tokens for access, minimizing suspicion.
- **Credential Access:** Indirectly achieved by compromising the authorization mechanism (OAuth tokens).
- **Discovery:** Utilizing the permissions granted by the Salesloft Drift integration to discover relevant customer/support data within Salesforce.
- **Lateral Movement:** Movement appears bounded by the scope of the OAuth token within the Salesforce environment.
- **Collection:** Gathering sensitive information destined for exfiltration from Salesforce environments.
- **Exfiltration:** Data theft via the compromised OAuth session.
- **Impact:** Data theft impacting customer support records and sales automation data.
## Impact Assessment
- **Financial:** Not quantified in the source material.
- **Data Breach:** Sensitive information stolen from the Salesforce instances of hundreds of organizations. Data types likely include customer support cases, customer contact information, and internal sales data.
- **Operational:** Operational systems relying on Salesloft Drift integration were potentially compromised or required immediate auditing/re-authentication.
- **Reputational:** Significant reputational impact for Salesloft (as the source of the vulnerable integration) and the affected major cybersecurity vendors whose data was exposed.
## Indicators of Compromise
*Note: Specific IoCs such as IPs/URLs are generally redacted here unless the context implies network-level detection related to the initial compromise vector.*
- **Network indicators:** Evidence correlated with UNC6395 activity accessing Salesforce APIs via Salesloft application permissions.
- **File indicators:** Not specified.
- **Behavioral indicators:** Unauthorized data access and API calls against Salesforce instances originating from sessions that used compromised Salesloft Drift OAuth tokens (August 8 through August 18, 2025).
## Response Actions
- **Containment measures:** Victims likely required immediate revocation and re-issuance of Salesforce integration tokens and potentially disabling the Salesloft Drift integration until it could be secured.
- **Eradication steps:** Detailed steps not provided, but would involve auditing all Salesforce access via the affected application token.
- **Recovery actions:** Restoring trust in systems by patching/reconfiguring the integration and notifying affected customers whose data was exposed via support cases.
## Lessons Learned
- **Key takeaways:** Supply chain risk, specifically via third-party integrations leveraging OAuth/API access into critical systems like Salesforce, remains a primary threat vector.
- **What could have been done better:** Salesloft needed stronger security controls around the application environment that held its integration tokens, or victims needed stricter policies limiting the scope of the Drift application's OAuth permissions.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Strictly Scoped OAuth Permissions:** Organizations must audit third-party application integrations (like Salesloft Drift) and restrict their API permissions to the minimum the integration actually requires.
2. **Regular Token Rotation/Auditing:** Implement mandatory rotation schedules for all third-party OAuth tokens accessing core business systems like Salesforce.
3. **Supply Chain Vetting:** Perform enhanced due diligence on the security posture of critical software vendors that hold deep integration access (like Salesloft).
4. **Monitoring API Activity:** Implement stricter monitoring and anomaly detection on high-volume read/write API activity within Salesforce, especially from service accounts or application tokens.
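As an added illustration of recommendations 1 and 4 (not code from the source report, Salesforce, or Salesloft), the following detector runs over constructed API event records and flags two behaviours relevant to this incident: a connected app touching objects outside its approved scope, and an hourly read volume above a baseline. The record field names, the per-app object allow-list and the volume threshold are all assumptions; in production the records would be drawn from Salesforce's own event logs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    """One API call by a connected app. Field names are assumed, not Salesforce's schema."""
    ts: str        # ISO-8601 UTC timestamp, e.g. 2025-08-12T02:03:00Z
    client: str    # connected app / OAuth client that made the call
    user: str      # integration user the token acts as
    sobject: str   # Salesforce object queried
    rows: int      # rows returned by the call


# Constructed sample log: routine Drift reads, then an out-of-scope bulk pull of Case data.
EVENTS = [
    ApiEvent("2025-08-08T09:12:00Z", "Salesloft Drift", "integ-user", "Lead", 40),
    ApiEvent("2025-08-08T09:40:00Z", "Salesloft Drift", "integ-user", "Contact", 25),
    ApiEvent("2025-08-12T02:03:00Z", "Salesloft Drift", "integ-user", "Case", 8000),
    ApiEvent("2025-08-12T02:17:00Z", "Salesloft Drift", "integ-user", "Case", 6000),
    ApiEvent("2025-08-12T02:21:00Z", "Salesloft Drift", "integ-user", "User", 300),
    ApiEvent("2025-08-12T10:00:00Z", "Other CRM Sync", "svc-user", "Account", 500),
]

# Assumed policy: the objects each connected app is approved to read (recommendation 1).
ALLOWED_OBJECTS = {"Salesloft Drift": {"Lead", "Contact"}}
# Assumed baseline: rows one app may read per clock hour before it is treated as bulk (rec. 4).
ROW_THRESHOLD = 10_000


def hour_bucket(ts: str) -> str:
    """Truncate an ISO-8601 timestamp to its hour, e.g. 2025-08-12T02."""
    return ts[:13]


def detect(events, allowed=ALLOWED_OBJECTS, threshold=ROW_THRESHOLD):
    """Return alert tuples: (kind, client, detail, when). Apps absent from the policy are not scope-checked."""
    alerts = []
    volume = defaultdict(int)  # (client, hour) -> rows read
    for e in events:
        if e.client in allowed and e.sobject not in allowed[e.client]:
            alerts.append(("out_of_scope_object", e.client, e.sobject, e.ts))
        volume[(e.client, hour_bucket(e.ts))] += e.rows
    for (client, hour), rows in sorted(volume.items()):
        if rows > threshold:
            alerts.append(("bulk_read_volume", client, rows, hour))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```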