Salesloft, Drift, Breach Timeline: What You Need to Know

A deep dive into the Salesloft Drift breach, its timeline, and the widespread impact on cybersecurity companies. Stay informed on this critical supply chain attack.

The Salesloft Drift breach sent shockwaves through the cybersecurity world. With over 700 organizations affected, understanding the timeline and impact is crucial. Here's a breakdown of what happened.

The Breach: A Timeline of Events

The Salesloft Drift breach is a complex story unfolding over several months. Here's a simplified timeline:

• March 2025: Threat actors compromise Salesloft's GitHub account.
• March - June 2025: Attackers download repository data and conduct reconnaissance on Salesloft and Drift environments.
• August 8-18, 2025: Using stolen OAuth tokens, attackers access and exfiltrate data from customer Salesforce instances.
• August 20, 2025: Salesloft and Salesforce revoke connections between Drift and Salesforce.
• August 26, 2025: Companies announce unauthorized access. Google warns of credential theft.
• August 28, 2025: Salesloft begins investigation with Mandiant.
• September 2-8, 2025: Cybersecurity firms including Palo Alto Networks, Zscaler, Cloudflare, Proofpoint, Tenable, Qualys, Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks and BugCrowd disclose they were victims.
• September 6, 2025: Salesloft confirms GitHub compromise as the initial attack vector.
• September 8, 2025: Salesforce restores integration with Salesloft (excluding Drift).

Key Insights and Takeaways

The Salesloft Drift breach underscores several critical points:

• Supply Chain Risks: Third-party integrations, especially in SaaS environments, introduce significant risks.
• OAuth Token Security: Stolen OAuth tokens are a powerful attack vector, granting access without triggering typical alerts.
• Importance of Incident Response: Swift action, including isolating infrastructure and rotating credentials, is crucial in containing breaches.
• GitHub as a Target: This incident highlights the growing trend of attackers targeting code repositories like GitHub.

The Impact on Cybersecurity Companies

A particularly alarming aspect of this breach is the number of cybersecurity companies affected, including Cloudflare, Zscaler, Palo Alto Networks and many others. This suggests a deliberate targeting of organizations with access to sensitive data and security infrastructure. While these companies took quick action to mitigate impact on products and services, the potential reputational damage and cost of remediation are substantial.

My Two Cents: A Wake-Up Call

The Salesloft Drift breach serves as a potent reminder of the interconnectedness of the modern SaaS ecosystem. It's no longer enough to focus solely on your own security posture; you must also rigorously assess the security practices of your vendors. Assume compromise and ensure proper segmentation and monitoring are in place. Ignoring the reality of supply chain risk is a recipe for disaster.

Salesforce Restores Salesloft Integration

After investigation, Salesforce has restored integration with the Salesloft platform, while the Drift component remains disabled. The incident highlights the potential fallout of third-party application integrations, particularly with popular tools such as Salesloft and Drift.

What's Next?

The investigation into the Salesloft Drift breach is ongoing. Expect further disclosures and analysis as more details emerge. In the meantime, take this as a learning opportunity to bolster your own security defenses.

So, yeah, maybe double-check those third-party app permissions? Just a thought. Stay safe out there, folks!