Salesloft Restores Salesforce Integration After GitHub & AWS Breach
Salesloft has announced the restoration of its integration with Salesforce following the incident linked to the Drift platform and its associated technologies. As of the evening of September 7, 2025, synchronization between Salesloft and Salesforce has been reinstated. However, before reactivation, a brief data reconciliation will be required — the customer success team will contact affected organizations and guide them through the alignment process, after which connectivity will resume without further delay.
On August 28, external experts were engaged to determine the scope and root cause of the Drift compromise and to verify the degree of isolation between Drift and Salesloft environments. By September 6, investigators confirmed that traces of malicious activity dated back to March–June 2025, during which the intruder accessed Salesloft’s GitHub account, downloaded repository content, added a guest user, and adjusted workflows. Crucially, analysis of Salesloft application logs revealed only limited reconnaissance, with no evidence of escalation.
The primary vector of compromise lay within Drift’s AWS infrastructure, where the attacker obtained OAuth tokens for Drift customer integrations and used them to access data through connected services. In response, teams implemented a broad containment and remediation strategy across both Drift and Salesloft ecosystems. Within Drift, infrastructure, code, and applications were isolated, services suspended, and exposed credentials replaced. Within Salesloft, secrets were rotated, proactive threat-hunting was conducted, and no further indicators of compromise were found; at the same time, defenses were hardened against the techniques leveraged in the intrusion.
A separate stream of work focused on hunting for reconnaissance artifacts — incidents involving potentially compromised credentials or events that could have facilitated evasion of Salesloft’s safeguards. Importantly, technical verification confirmed segmentation between Drift and Salesloft infrastructures, ensuring that system boundaries remained intact. At present, the incident is considered contained, with the investigation now centered on forensic validation of findings.
During the downtime, both Salesloft and Salesforce functioned autonomously without affecting one another. Now that the integration has been restored, the top priorities remain data security and the proper synchronization of accumulated events. Future updates will be communicated via the Salesloft Trust page, and immediate support will be provided through customer service channels.
According to Google’s threat analysis team, the scale of the incident already encompasses hundreds of affected organizations — at least 700 companies have had their Drift OAuth integrations compromised. Analysts recommend treating all Drift-linked connections as potentially exposed to avoid prematurely narrowing the scope of investigation.
Public disclosures have come from executives at Cloudflare, Zscaler, and Palo Alto Networks. In the last six days, Nutanix, Elastic, Cato Networks, Tenable, Rubrik, and Proofpoint have also confirmed impact. Canadian fintech firm Wealthsimple reported unauthorized access to personal data — including IDs, account numbers, Social Security numbers, dates of birth, and contact information — though no financial assets were stolen and the breach was contained within hours.
Most of the compromised data stems from support systems, including ticket content and related attachments. Several companies cautioned that any client-submitted artifacts — such as logs, tokens, and passwords — should be considered compromised. Others clarified that large portions of the exposed data relate to business contacts and Salesforce-linked records: names, corporate email addresses, phone numbers, and geolocation data.
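The advice above to treat client-submitted logs, tokens, and passwords as compromised implies a sweep of exported support cases to build a rotation list. A minimal sketch of that sweep follows, as an added example that is not code from Salesloft, Drift, or any affected vendor. The case record layout (`id`, `body`, `attachment_text`), the sample cases, and the password heuristic are assumptions made for illustration.

```python
import re

# AWS and GitHub prefixes follow the vendors' documented token formats;
# the JWT and password rules are heuristics chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[\w-]{8,}\.eyJ[\w-]{8,}\.[\w-]{8,}"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret)\b\s*[:=]\s*(\S{6,})"),
}

def redact(value):
    """Keep a 4-character prefix so the owner can identify the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_case(case):
    """Return (case_id, field, kind, redacted_value) for each hit in one case."""
    findings = []
    for field in ("body", "attachment_text"):
        text = case.get(field, "")
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Use the captured value when the pattern has a group.
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((case["id"], field, kind, redact(value)))
    return findings

def rotation_list(cases):
    """Map case id -> sorted unique (kind, redacted_value) pairs to rotate."""
    report = {}
    for case in cases:
        hits = scan_case(case)
        if hits:
            report[case["id"]] = sorted({(k, r) for _, _, k, r in hits})
    return report

# Constructed sample cases (hypothetical layout and values).
SAMPLE_CASES = [
    {"id": "CASE-1001", "attachment_text": "",
     "body": "Sync fails. Our key is AKIAABCDEFGHIJKLMNOP, please check."},
    {"id": "CASE-1002", "body": "Login loop after SSO change.",
     "attachment_text": "conn ok user=svc password=Winter2025!x retry=3"},
    {"id": "CASE-1003", "body": "How do I export a report?",
     "attachment_text": ""},
]

if __name__ == "__main__":
    for case_id, items in rotation_list(SAMPLE_CASES).items():
        print(case_id, items)
```

A pattern sweep only finds credentials in recognizable formats, so cases with no hits still fall under the blanket guidance above.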
At the industry level, the incident has spotlighted the systemic fragility of “non-human” identifiers. Analysts emphasized the critical gap in securing API tokens and service accounts, which underpin automated platform-to-platform exchanges. As interdependencies grow, the resilience of the entire ecosystem is dictated by its weakest link in the supplier–customer chain.