Looking for ShinyHunters-Salesforce guidance? This is a different group and TTPs, but you can find our dedicated response checklist here: ShinyHunters Salesforce Response Tips.

Updated 09/24/2025 to include FBI Flash advisory and IOCs

A coordinated supply‑chain attack is rippling through enterprise SaaS stacks after attackers weaponized OAuth tokens associated with the Drift application (owned by Salesloft) to access customer data across multiple cloud platforms via trusted app‑to‑app connections. Salesforce surfaced early because Drift functioned as a connected app there, but Google has warned that all Drift integrations are at risk and confirmed impact to Google Workspace via Drift Email, with detailed indicators and methods published in its analysis.

Google attributes the activity to UNC6395 and has released actionable indicators such as user‑agents, IPs, and characteristic SOQL reconnaissance and credential‑hunting patterns. Defenders should hunt and contain activity anywhere Drift has had OAuth access. 

In addition to Google’s attribution to UNC6395, Cloudflare’s threat intelligence team, Cloudforce One, has since attributed the campaign to the hacking group GRUB1, based on their investigation of the incident.

Multiple organizations have now publicly confirmed downstream exposure via this vector.

Key facts

  • Vector: OAuth tokens tied to the Salesloft Drift app
  • Attribution: UNC6395 (per Google); Cloudflare’s Cloudforce One subsequently attributed the campaign to GRUB1
  • Timeline:
    • August 8–18, 2025: Active exploitation window
    • August 19–20, 2025: Revocations initiated per vendor notices
    • Late Aug–Sept, 2025: Ongoing public disclosures by affected organizations
  • Scope: Hundreds of organizations potentially affected; multiple major firms have publicly confirmed impact
  • Status: Salesloft initiated revocation/reset actions for affected integrations

Organizations Affected by Salesloft Drift Breaches

Investigators estimate the breach impacted more than 700 organizations worldwide, making it one of the largest SaaS supply-chain incidents to date. 

Here is a short list of some of those organizations:


FBI warning on expanded threat activity

The threat landscape has expanded beyond the Salesloft Drift incident. On September 14, 2025, the FBI issued a Flash Report warning organizations about two additional threat clusters, UNC6040 and UNC6395, actively targeting Salesforce environments through different attack vectors.

UNC6040 has been conducting social engineering attacks, tricking employees into connecting malicious OAuth applications disguised as legitimate tools like "My Ticket Portal." Meanwhile, UNC6395 exploited stolen Salesloft Drift tokens in a separate campaign during August 8-18, 2025, targeting support case data containing AWS keys, passwords, and authentication credentials.

These campaigns have impacted major organizations across multiple industries, including technology companies like Google, Cisco, and Cloudflare, as well as luxury brands and financial institutions.

How to use the FBI's IOCs

Organizations should immediately implement the FBI-provided indicators of compromise:

For IP addresses:
Add the flagged IPs to Salesforce identity IP restrictions and block them at network firewalls. Review logs for any past traffic from these IPs and rotate credentials for any associated accounts or identities.

For User Agent strings:
Hunt for traffic matching suspicious User Agents like "Salesforce-Multi-Org-Fetcher/1.0" and "python-requests/2.32.4". Don't block these outright as they're used legitimately, but investigate any accounts using them and correlate with IP indicators for suspicious activity patterns.

For URLs/links:
Block malicious URLs at firewalls or WAF, but only using the complete URL path to avoid disrupting legitimate traffic.

The convergence of multiple sophisticated attack campaigns targeting SaaS platforms underscores that organizations face coordinated, multi-vector threats requiring comprehensive ecosystem monitoring rather than point-solution responses.


Salesloft Drift Breach Technical Analysis

This section distills the attacker playbook into concrete, hunt-ready signals drawn from public reporting. For full context and IOCs, see Google’s analysis and corroborating coverage in the security press.

TTPs (MITRE-style mapping and concrete examples)

Initial access

  • The actor leveraged valid OAuth tokens (Drift connected app) to call Salesforce and Google Workspace APIs, which can bypass traditional controls because access appears authorized.
  • No password compromise was needed; the stolen tokens alone provided authorized API access

Discovery and enumeration

  • SOQL reconnaissance across core objects to size data and map environment:
    • SELECT COUNT() FROM Account/Opportunity/User/Case
    • Time-bounded counts (e.g., LAST_N_DAYS) to triage recent data
  • Identification of high-value objects and fields

Collection and credential hunting

  • Targeted queries for sensitive user/record fields and credentials/secrets embedded in cases/notes:
    • Search terms/patterns: AKIA (AWS), “secret,” “password,” “snowflake”
  • Bulk exports within API limits; distributed/burst requests to avoid rate-limit flags

Defense evasion and operational security

  • Use of Tor and cloud/VPS providers (e.g., Hetzner) for IP rotation
  • Automation-oriented user-agents (e.g., python-requests; Salesforce scraper identifiers)
  • Deletion of query jobs to obscure reconnaissance (logs still retained for audit)

Command and control / exfiltration

  • API-driven exfiltration through legitimate endpoints (Salesforce APIs; Gmail/Workspace APIs via Drift Email integration)
  • For examples and IoCs, see Google Threat Intelligence.

Indicators of compromise (hunt suggestions)

Network and infrastructure

  • Source IPs of Tor exit nodes
  • Cloud/VPS providers and hosting ranges commonly seen in this activity (e.g., Hetzner, plus DigitalOcean and AWS ranges as observed in reporting)
  • Off-hours access patterns relative to normal app behavior

Application-layer signals

  • User-agents:
    • Salesforce-Multi-Org-Fetcher/1.0
    • python-requests/2.32.4
    • Python/3.11 aiohttp/3.12.15
  • Reconnaissance SOQL:
    • SELECT COUNT() FROM Account/Opportunity/User/Case
    • Time-bounded variants (e.g., LAST_N_DAYS) across multiple objects in sequence
  • Credential-hunting queries (AKIA, “secret,” “password,” “snowflake”)
  • Sudden spikes in API call volume or bulk-query jobs; attempts to delete query jobs
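
The following Python triage script is an added example, not code from this post or from Vorlon, Google or the FBI. It applies the indicators listed above (user-agents, SOQL COUNT() reconnaissance, credential-hunting keywords, query-job deletion) together with an IP list to constructed API events, and follows the FBI guidance: a user-agent match alone is only a lead to investigate, while a flagged IP, or a user-agent correlated with a query or cleanup pattern, is high priority. The event field names (Username, SourceIp, UserAgent, Query, Operation), the BulkQueryJobDelete label and the IP address are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Indicators quoted on this page. The IP is a placeholder in TEST-NET-3, not an FBI-published address.
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "python-requests/2.32.4",
                   "Python/3.11 aiohttp/3.12.15"}
IOC_IPS = {"203.0.113.7"}
RECON_SOQL = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)  # object-sizing recon
CRED_HUNT = re.compile(r"\bAKIA|secret|password|snowflake", re.I)         # credential hunting
SIGNALS = [
    ("ioc_user_agent", lambda ev: ev.get("UserAgent") in IOC_USER_AGENTS),
    ("ioc_ip", lambda ev: ev.get("SourceIp") in IOC_IPS),
    ("recon_count", lambda ev: bool(RECON_SOQL.match(ev.get("Query") or ""))),
    ("credential_hunt", lambda ev: bool(CRED_HUNT.search(ev.get("Query") or ""))),
    ("query_job_deleted", lambda ev: ev.get("Operation") == "BulkQueryJobDelete"),  # assumed label
]

# Constructed sample events, loosely modelled on Salesforce API event records (field names assumed).
SAMPLE_EVENTS = [
    {"Username": "drift-integration@example.com", "SourceIp": "198.51.100.20", "Operation": "Query",
     "UserAgent": "Salesforce-Multi-Org-Fetcher/1.0", "Query": "SELECT COUNT() FROM Account"},
    {"Username": "drift-integration@example.com", "SourceIp": "198.51.100.20", "Operation": "Query",
     "UserAgent": "Salesforce-Multi-Org-Fetcher/1.0", "Query": "SELECT COUNT() FROM Case WHERE CreatedDate = LAST_N_DAYS:30"},
    {"Username": "drift-integration@example.com", "SourceIp": "203.0.113.7", "Operation": "Query",
     "UserAgent": "python-requests/2.32.4", "Query": "SELECT Id, Description FROM Case WHERE Description LIKE '%AKIA%'"},
    {"Username": "drift-integration@example.com", "SourceIp": "203.0.113.7", "Query": None,
     "UserAgent": "python-requests/2.32.4", "Operation": "BulkQueryJobDelete"},  # cleanup of recon jobs
    {"Username": "analyst@example.com", "SourceIp": "192.0.2.15", "Operation": "Query",
     "UserAgent": "python-requests/2.32.4", "Query": "SELECT Id, Name FROM Account WHERE Name = 'Acme'"},
]

def event_signals(ev):
    """Return the indicator names one API event matches, in SIGNALS order."""
    return [name for name, match in SIGNALS if match(ev)]

def triage(events):
    """Per-user verdict. A flagged IP is 'high' on its own; a flagged user-agent alone is only
    'investigate' (used legitimately) and becomes 'high' when paired with a query or cleanup signal."""
    users = defaultdict(set)
    for ev in events:
        users[ev["Username"]].update(event_signals(ev))
    verdicts = {}
    for name, sig in users.items():
        behaviour = {"recon_count", "credential_hunt", "query_job_deleted"} & sig
        if "ioc_ip" in sig or ("ioc_user_agent" in sig and behaviour):
            verdicts[name] = "high"
        else:
            verdicts[name] = "investigate" if sig else "none"
    return verdicts
```

Keyword matching on query text is deliberately noisy (a legitimate report may mention "password"), which is why the verdict hinges on correlation with the infrastructure indicators rather than on any single match.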

What to do now (checklist)

Hunt: Apply Google’s IoCs across your Salesforce, Google Workspace, and any other platforms where Drift had access.

Contain: Disconnect/reauthorize Drift integrations; revoke tokens; rotate exposed secrets.

Govern: Inventory connected apps and scopes; enforce IP restrictions; shorten token lifetimes and require re-consent on material changes.

Monitor: Baseline Drift (and all connected apps) and alert on deviations; log and preserve evidence for follow‑up investigations.

Vorlon for SaaS-to-SaaS OAuth threats

When attackers hide behind “legitimate” OAuth tokens, most controls can’t tell normal integration traffic from active compromise. Vorlon can. Our platform continuously baselines every connected app’s behavior across your SaaS estate and correlates who is calling what, from where, with which user-agent, and at what volume. The moment Drift-like activity deviates from expected patterns, Vorlon raises high-fidelity alerts, links the activity to the exact identity and connected app, and enables one-click containment.

In practice, that means:

  • Detect fast: Anomaly signals (user-agent, IP reputation, query patterns, traffic spikes) trigger alerts within minutes.
  • Investigate with context: We show the precise queries, identities, tokens, and sources involved, so responders don’t hunt blindly across logs.
  • Remediate immediately: Security teams can revoke the compromised connected app, disable implicated users, and terminate active sessions from the same workflow, cutting off exfiltration while preserving evidence.
  • Prevent recurrence: Vorlon continuously monitors connected-app permissions, captures IP restriction settings to help admins enforce access controls, and flags scope changes or over-privilege before they become attack paths.

Bottom line: OAuth abuse looks “authorized” to most tools. Vorlon makes it obvious and stoppable.

Ready to see it in action?

Get a live demo to see how Vorlon detects Drift‑style OAuth abuse in minutes, correlates activity to the exact app and identity, and enables one‑click containment across your SaaS ecosystem.


FAQs

Q: What is the Salesloft Drift breach?

A: Attackers compromised Salesloft's GitHub repositories in March 2025 and weaponized OAuth tokens from the Drift application to access customer data across multiple platforms. The active exploitation window was August 8-18, 2025, affecting an estimated 700+ organizations worldwide.

Q: How did the attackers gain access?

A: They used legitimate OAuth tokens tied to Drift integrations, which provided authorized API access to Salesforce, Google Workspace, and other connected platforms. This bypassed traditional security controls because the access appeared legitimate.

Q: Which organizations were affected?

A: Major technology companies including Salesforce, Google, Zscaler, Palo Alto Networks, Cloudflare, PagerDuty, CyberArk, Proofpoint, and many others across multiple industries.

Q: What is the FBI FLASH warning about?

A: On September 14, 2025, the FBI issued a Flash Report about two threat clusters (UNC6040 and UNC6395) targeting Salesforce environments through different attack methods beyond the Drift incident.

Q: What data were attackers looking for?

A: Attackers targeted customer contact information, support case data containing embedded credentials (AWS keys, passwords, Snowflake tokens), and performed reconnaissance using SOQL queries to map environments and identify high-value data.

Q: What are the key indicators of compromise (IoCs)?

A: The FBI provided specific indicators including malicious IP addresses, suspicious user agent strings like "Salesforce-Multi-Org-Fetcher/1.0" and "python-requests/2.32.4," and characteristic SOQL query patterns searching for credentials.

Q: How should I use these IoCs?

A:

  • IP addresses: Block at firewalls and add to Salesforce IP restrictions; rotate credentials for any associated activity

  • User agents: Hunt for these patterns but don't block (they're used legitimately); correlate with other suspicious indicators

  • URLs: Block complete malicious URLs at firewall/WAF level

Q: What should I do immediately?

A: Hunt for IoCs across all platforms where Drift had access, disconnect/reauthorize Drift integrations, revoke OAuth tokens, rotate exposed credentials, and inventory all connected applications.

Q: How do I know if my organization was compromised?

A: Look for unusual SOQL queries (especially bulk exports or credential searches), traffic from FBI-flagged IP addresses, suspicious user agents, and OAuth applications resembling IT support tools.

Q: Should I disconnect all third-party integrations?

A: Audit all integrations first. Disconnect suspicious or unnecessary ones, but maintain business-critical integrations with enhanced monitoring and shortened token lifetimes.

Q: How can we prevent similar OAuth-based attacks?

A: Implement continuous monitoring of connected applications, enforce IP restrictions, baseline normal behavior patterns, require re-consent for material permission changes, and deploy SaaS ecosystem security platforms that can detect OAuth abuse.

Q: Why couldn't traditional security tools detect this?

A: Traditional tools focus on infrastructure threats and can't distinguish between legitimate OAuth application behavior and malicious abuse of the same tokens and permissions. The activity appeared as authorized business operations.

Q: How does Vorlon help with OAuth threats?

A: Vorlon continuously baselines every connected app's behavior and correlates activity patterns. When OAuth abuse occurs, Vorlon detects anomalies (user-agents, IP reputation, query patterns), provides investigation context, and enables one-click remediation while preserving evidence.
