

Ethical Hacking News

Salesloft Takes Drift Offline Amidst Widespread Supply Chain Attack Scourge



Salesloft has taken Drift offline amid a widespread supply chain attack that compromised hundreds of organizations worldwide. The attack, attributed to threat cluster UNC6395 (aka GRUB1), leveraged stolen OAuth tokens associated with the Drift AI chat agent to breach customers' Salesforce instances.

  • Salesloft's AI-powered chatbot platform Drift has been temporarily taken offline due to a supply chain attack that compromised hundreds of organizations worldwide.
  • The attackers targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application, impacting over 700 organizations.
  • Several prominent businesses have confirmed being affected by the breach, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, SpyCloud, Tanium, and Zscaler.
  • The attack was attributed to a threat cluster dubbed UNC6395 (aka GRUB1), which used stolen OAuth tokens to launch targeted attacks against customers across affected organizations.



    Salesloft, a marketing software-as-a-service provider, has taken its AI-powered chatbot platform, Drift, temporarily offline in an effort to address a far-reaching supply chain attack that has compromised hundreds of organizations worldwide. The move comes after Google Threat Intelligence Group (GTIG) and Mandiant disclosed a widespread data theft campaign that leveraged stolen OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent to breach customers' Salesforce instances.

    According to recent reports, starting as early as August 8, 2025, through at least August 18, 2025, threat actors have targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. The incident has been attributed to a threat cluster dubbed UNC6395 (aka GRUB1), which is believed to have impacted more than 700 organizations.

    Salesforce has temporarily disabled all Salesloft integrations with its platform as a precautionary measure, and several prominent businesses have confirmed being affected by the breach, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, SpyCloud, Tanium, and Zscaler. These organizations may have had their OAuth tokens compromised, which could be used to launch targeted attacks against customers across the affected companies.

    The attackers' modus operandi appears to involve stealing authentication tokens associated with Drift's AI chat agent and using them to breach Salesforce instances. This is a supply chain attack, in which a target company is compromised through a third-party vendor or partner. In this case, the threat actors took advantage of the Salesloft-Drift integration to access sensitive customer information.

    Salesloft's decision to take Drift offline is intended to prevent further compromise and allow the company to comprehensively review its application and build additional resiliency and security measures to return the platform to full functionality. The company has stated that it is working with cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts.

    "This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality," a statement from Salesloft reads. "As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible."

    The incident has also prompted Cloudflare to warn that hundreds of organizations were affected through this Drift compromise, suggesting that the threat actor will use this information to launch targeted attacks against customers across the affected organizations.

    "We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare said. "Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations."

    In light of this attack, it is essential for businesses to review their third-party vendor integrations and implement robust security measures to prevent similar incidents in the future. As supply chain attacks continue to evolve, companies must prioritize vendor risk management, vulnerability assessment, and incident response planning to mitigate potential threats.

    Furthermore, the widespread nature of this incident highlights the importance of robust cybersecurity defenses, including identity and access management (IAM) solutions, threat intelligence tools, and incident response plans. These measures can help organizations detect and respond to supply chain attacks more effectively, minimizing the risk of data breaches and reputational damage.
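As an added example (not code from Salesloft, Salesforce or the cited reports), the sketch below shows one retrospective check for the token abuse described above: review a third-party integration's API activity inside the reported August 8 to August 18, 2025 window and flag calls from outside its usual networks or with bulk-read volumes. The record fields, baseline networks and row threshold are assumptions made for illustration.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Activity window reported on this page (August 8 to at least August 18, 2025; UTC assumed).
WINDOW = (datetime(2025, 8, 8, tzinfo=timezone.utc),
          datetime(2025, 8, 19, tzinfo=timezone.utc))

# Constructed baseline: networks the integration normally calls from (documentation ranges).
BASELINE = {"Drift": [ip_network("192.0.2.0/24")]}
ROW_LIMIT = 10_000  # assumed per-request ceiling for a chat integration

# Constructed API-access records; field names are hypothetical, not a Salesforce log schema.
EVENTS = [
    {"ts": "2025-08-07T10:00:00+00:00", "app": "Drift", "ip": "192.0.2.10", "rows": 40},
    {"ts": "2025-08-09T02:14:00+00:00", "app": "Drift", "ip": "198.51.100.7", "rows": 250_000},
    {"ts": "2025-08-12T11:30:00+00:00", "app": "Drift", "ip": "192.0.2.44", "rows": 85_000},
    {"ts": "2025-08-13T09:00:00+00:00", "app": "Drift", "ip": "192.0.2.10", "rows": 55},
    {"ts": "2025-08-15T03:00:00+00:00", "app": "OtherApp", "ip": "203.0.113.5", "rows": 12},
    {"ts": "2025-08-20T03:00:00+00:00", "app": "Drift", "ip": "198.51.100.7", "rows": 500},
]

def review(events, app="Drift"):
    """Return (timestamp, reasons) for the app's in-window events that break baseline."""
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["app"] != app or not (WINDOW[0] <= ts < WINDOW[1]):
            continue
        reasons = []
        # A token replayed from infrastructure the vendor never uses is the key signal.
        if not any(ip_address(e["ip"]) in net for net in BASELINE.get(app, [])):
            reasons.append("source outside baseline")
        # Volume is checked separately so in-network bulk reads are still surfaced.
        if e["rows"] > ROW_LIMIT:
            reasons.append("bulk read")
        if reasons:
            findings.append((e["ts"], reasons))
    return findings

if __name__ == "__main__":
    for ts, reasons in review(EVENTS):
        print(ts, ", ".join(reasons))
```

Because the page reports activity "through at least" August 18, widening `WINDOW` is a reasonable follow-up once the in-window findings are triaged.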

    In conclusion, the recent attack on Salesloft's Drift platform serves as a stark reminder of the risks associated with third-party vendor integrations and the need for robust security defenses in today's complex threat landscape. As companies navigate this increasingly complicated cybersecurity environment, it is crucial that they prioritize vendor risk management, incident response planning, and robust IAM solutions to prevent similar incidents in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Salesloft-Takes-Drift-Offline-Amidst-Widespread-Supply-Chain-Attack-Scourge-ehn.shtml

  • https://thehackernews.com/2025/09/salesloft-takes-drift-offline-after.html


  • Published: Tue Sep 2 23:57:51 2025 by llama3.2 3B Q4_K_M












