Several well-known cybersecurity companies — Proofpoint, SpyCloud, Tanium, and Tenable — have confirmed that their Salesforce environments were compromised in the recent Salesforce–Salesloft Drift breach, marking another major escalation in the incident’s scope.

The campaign was first disclosed on August 26 by Google’s threat intelligence team, which attributed the attack to a threat actor tracked as UNC6395. The attackers exploited compromised OAuth tokens tied to the third-party AI chatbot Salesloft Drift, using the integration with Salesforce to exfiltrate large amounts of data.

According to Google, the breach exposed highly sensitive information, including AWS access keys, passwords, and Snowflake-related tokens, across hundreds of organizations.

Expanding Impact Beyond Drift Integrations

Initially believed to affect only those using the Drift integration, the campaign was later shown to have a broader reach, compromising other Salesforce customers as well. By August 28, Google revealed that Workspace users were also impacted. Shortly after, firms such as Cloudflare, Palo Alto Networks, and Zscaler disclosed breaches tied to the same incident.

Overall, the attack is now estimated to have affected over 700 organizations.

Details from Impacted Cybersecurity Vendors

• Proofpoint confirmed that attackers accessed its Salesforce tenant through the Drift integration and viewed certain stored information. The company emphasized that there is no evidence of impact on its products, services, or customer-protected data.
• SpyCloud disclosed that standard CRM fields were exposed but stated that consumer data was not compromised. Customers were notified that data related to their business relationship with SpyCloud had been accessed.
• Tanium reported that attackers used the Drift integration to access names, email addresses, phone numbers, and regional data in its Salesforce instance. However, Tanium stressed that the incident was limited to Salesforce data and did not extend to its platform or internal systems.
• Tenable revealed that support case information — such as subject lines, descriptions, and business contact details — was compromised. The company stated it has no evidence of misuse of the stolen data and confirmed that it took immediate action, including rotating credentials, removing the compromised app, and reinforcing security monitoring.

A Supply Chain Breach with Wide-Reaching Consequences

The Salesforce–Salesloft Drift breach highlights the increasing risks tied to third-party integrations within enterprise platforms. With more than 700 organizations believed to be impacted, the incident underscores how a single compromised connection can ripple across industries, exposing sensitive business and security data.

Companies are now urged to review third-party app permissions, rotate credentials regularly, and strengthen monitoring of SaaS environments to mitigate similar supply chain threats.

Source: https://www.securityweek.com/more-cybersecurity-firms-hit-by-salesforce-salesloft-drift-breach