Salesloft Drift data breach exposes Salesforce customer data

Drift customers that have not integrated with Salesforce are not impacted by this security issue.


An attacker targeted Salesforce in a widespread data theft through Salesloft Drift, a cloud-based and AI-powered sales engagement platform that allows sales teams to integrate with Salesforce instances. The theft is believed to have begun as early as Aug. 8 and continued until at least Aug. 18.

Salesforce Drift announced that it is engaging with cybersecurity leaders like Mandiant and Coalition to help the investigation, support containment, and assist with remediation. The company recommended that Drift customers revoke the existing API key for connections to third-party applications and reconnect using a new key.

The threat actor reportedly used OAuth credentials, which let users authorize one application to interact with another on their behalf without sharing a password, to pull data from Salesforce customer instances, including cases, accounts, users and opportunities.

Allen Tsai, the senior director for corporate communications at Salesforce, told IT Brew in an email that all official statements from the company in relation to the incident can be found on a status website.

“Per our last update, Salesforce has disabled all integrations between Salesforce and Salesloft technologies including the Drift app; organizations will not be able to connect to Salesforce via any Salesloft apps until further notice,” Tsai said. “Please note this issue did not stem from a vulnerability within the core Salesforce platform.”

What happened? A report from the Google Threat Intelligence Group (GTIG) examining the data theft found that the threat actor exported large volumes of data from various Salesforce instances through a systematic approach.

“GTIG assesses the primary intent of the threat actor is to harvest credentials,” the report stated. “After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments.”

On Aug. 25, Salesloft Drift released a statement asserting that there is no evidence of ongoing malicious activity related to the incident, but said initial findings showed that the attacker was attempting to steal credentials such as Amazon Web Services access keys, passwords, and Snowflake-related access tokens.

Salesforce, according to its Drift website, detected a security issue in the application on Aug. 20. The company reported that it “proactively revoked connections between Drift and Salesforce” and asked “Drift admins to re-authenticate their Salesforce connection.”

Drift customers that have not integrated with Salesforce are not impacted by this security issue, the company said. GTIG, however, said in an update on Aug. 28 that new information showed the scope of the compromise may not be isolated to the Salesforce integration with Salesloft Drift “and impacts other integrations.”

What should we do? In addition to Salesloft Drift’s most recent recommendations for affected or potentially affected customers, GTIG recommended that organizations that may have been impacted look for sensitive information in Salesforce objects, revoke API keys, rotate credentials, and investigate further to determine whether the threat actor abused any secrets.

“Organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps,” GTIG said.

The law office of Lowenstein Sandler put out a client alert on Aug. 27 to share that potentially impacted customers could contact their IT team to find out if their company has a Salesforce integration with Drift’s application.

“Given the prevalence of AI integrations, we expect to see more breaches regarding vendors using AI-based technologies,” the release states.

Is Google impacted? GTIG also reported that there has been no evidence to indicate any impact to Google Cloud customers, but advised Salesloft Drift customers to review Salesforce objects for Google Cloud Platform account keys.
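The review GTIG recommends, searching Salesforce objects for exposed secrets, can be sketched as follows; this is an added example, not code from GTIG, Salesloft or Salesforce. The patterns are heuristic assumptions for the secret types named in this article, and the sample rows are constructed, with `Id`, `Subject` and `Description` standing in for exported case fields.

```python
import re

# Heuristic patterns for the secret types named in the article. These are
# assumptions chosen for illustration, not GTIG's or Salesloft's detection rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_reference": re.compile(r"(?i)\b[\w.-]+\.snowflakecomputing\.com\b"),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
}

def redact(value, keep=4):
    """Show only a short prefix so the report does not re-expose the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records, fields=("Subject", "Description")):
    """Return one finding per (record, field, pattern) match."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for name, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({
                        "record_id": rec.get("Id"),
                        "field": field,
                        "type": name,
                        "match": redact(m.group(0)),
                    })
    return findings

# Constructed sample rows; the AWS value is the documentation example key.
SAMPLE_CASES = [
    {"Id": "case-001", "Subject": "S3 upload failing",
     "Description": "Customer pasted key AKIAIOSFODNN7EXAMPLE into the ticket."},
    {"Id": "case-002", "Subject": "Warehouse login",
     "Description": "Host acme-demo.snowflakecomputing.com, password: Hunter2!example"},
    {"Id": "case-003", "Subject": "Billing question",
     "Description": "Invoice total looks wrong for July."},
    {"Id": "case-004", "Subject": "GCP export job",
     "Description": '{"type": "service_account", "project_id": "demo"}'},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_CASES):
        print(finding)
```

Every hit is a credential to revoke or rotate and then investigate for abuse, as GTIG advises; a clean scan does not prove that no secrets were exposed.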

Salesforce and Google are currently in a partnership that offers combined services that address data and AI assistance.

Google did, however, put out a warning in late July that Gmail attacks increased by 84% for email-delivered infostealers in 2024, a trend that “has only intensified in 2025.”

Google confirmed to Forbes that attackers are accessing Gmail accounts, helped significantly by compromised passwords. The company warned that most Gmail users have to change passwords to secure their accounts, but told Forbes it had not been affected by the Salesforce breach.

Salesloft Drift did not respond to a request for comment at the time of publication.
