Threat brief: salesloft drift integration used to compromise salesforce instances

Intel Name: Threat brief: salesloft drift integration used to compromise salesforce instances

Date of Scan: September 3, 2025

Impact: High

Summary:
The team identified threat actor activity exploiting the Salesloft-Drift integration to breach Salesforce instances. From August 8–18, 2025, compromised OAuth credentials were used to exfiltrate sensitive Salesforce data. The actor targeted objects like Account, Contact, Case, and Opportunity, and scanned for credentials post-exfiltration. Salesloft notified impacted customers, revoked tokens, and took swift action to secure and contain the incident.

More Details