Salesloft on Tuesday announced that it will take Drift temporarily offline “in the very near future,” as multiple companies contend with a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, which has resulted in the mass theft of authentication tokens.
“This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible.”
The company emphasized that its top priority is protecting the integrity and security of its systems and customers’ data. It continues to work with its cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts.
The development follows disclosures from Google Threat Intelligence Group (GTIG) and Mandiant, which reported a widespread data theft campaign. The campaign leveraged stolen OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent to breach customers’ Salesforce instances.
“Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application,” the company said last week.
Investigators attributed the activity to a threat cluster dubbed UNC6395 (aka GRUB1). Google told The Hacker News that more than 700 organizations may have been impacted.
Initially, researchers believed the exposure affected only Salesloft’s integration with Salesforce. However, new findings revealed that any platform integrated with Drift is potentially compromised. Investigators still do not know how the threat actors gained initial access to Salesloft Drift.
The incident also prompted Salesforce to temporarily disable all Salesloft integrations with Salesforce as a precautionary measure. In addition, several businesses confirmed being impacted by the breach, including:
“We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks,” Cloudflare said.
“Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations.”
Source: TheHackerNews