{"id":125841,"date":"2025-09-11T15:01:15","date_gmt":"2025-09-11T15:01:15","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=125841"},"modified":"2025-09-12T16:00:45","modified_gmt":"2025-09-12T16:00:45","slug":"salesloft-drift-data-breaches","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/","title":{"rendered":"Lessons from Salesforce\/Salesloft Drift Data Breaches &#8211; Detailed Case Study"},"content":{"rendered":"\n<p>The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in <a href=\"https:\/\/cybersecuritynews.com\/best-saas-security-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">SaaS<\/a> history, demonstrating how a single compromised integration can cascade into widespread organizational exposure.<\/p>\n\n\n\n<p>This sophisticated campaign, staged by the threat actor <a href=\"https:\/\/cybersecuritynews.com\/salesloft-drift-cyberattack\/\" target=\"_blank\" rel=\"noreferrer noopener\">UNC6395<\/a>, exploited OAuth token vulnerabilities to access sensitive data from over 700 organizations, including major cybersecurity vendors like Cloudflare, Palo Alto Networks, and Zscaler.<\/p>\n\n\n\n<p>The incident reveals critical weaknesses in third-party application security and offers valuable lessons for strengthening enterprise cyber resilience.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEia1gREYqpY0kanAUXx10tlvUzE7qf-iuviT36Iyi_bE31Oniq_uJpBaz8ibRWtDMcXn9dOkyWDOOLtStoXJBrVqYG4uL18VINBWQlTh6AyCOUI_rm8NUsNQCMiKauCgHmBe29NJ3G9y6FYvts4NBIzvfrCyBAxLdxJV2zGirdVkDZHzOvoW9bbAw8c9qN6\/s16000\/Lessons%20Learned%20from%20Salesforce_Salesloft%20Drift%20Data%20Breaches%20-%20Detailed%20Case%20Study%20.webp\" alt=\"Salesloft Drift breach attack timeline from GitHub compromise to data exfiltration\"\/><figcaption 
class=\"wp-element-caption\">Salesloft Drift breach attack timeline from GitHub compromise to data exfiltration<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"initial-compromise-the-github-account-breach\"><strong>Initial Compromise: The GitHub Account Breach<\/strong><\/h2>\n\n\n\n<p>The attack timeline reveals a methodical approach that began months before the public disclosure. According to Mandiant&#8217;s investigation, the threat actor UNC6395 first gained access to <a href=\"https:\/\/cybersecuritynews.com\/salesloft-drift-cyberattack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Salesloft&#8217;s GitHub account<\/a> in March 2025, maintaining persistent access through June 2025.<\/p>\n\n\n\n<p>This initial compromise represents a critical security failure that went undetected for three months.<a href=\"https:\/\/thehackernews.com\/2025\/09\/github-account-compromise-led-to.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p>During this extended access period, the attackers demonstrated sophisticated operational security by conducting reconnaissance activities across both the <a href=\"https:\/\/cybersecuritynews.com\/salesloft-drift-hacked\/\" target=\"_blank\" rel=\"noreferrer noopener\">Salesloft and Drift<\/a> application environments.<\/p>\n\n\n\n<p>They systematically downloaded content from multiple repositories, added guest users, and established workflows that would later facilitate the mass data exfiltration campaign.<\/p>\n\n\n\n<p>This extended time allowed the threat actors to thoroughly understand the target environment and identify the most valuable attack vectors.<a href=\"https:\/\/thehackernews.com\/2025\/09\/github-account-compromise-led-to.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p>The GitHub compromise highlights a fundamental challenge in modern software development: the security of code repositories and development infrastructure. 
<\/p>\n\n\n\n<p>Salesloft has not disclosed how the initial GitHub access was obtained, but this gap in transparency has drawn criticism from security analysts who emphasize the importance of understanding root causes for effective remediation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj5oFK-aoVCbQIdezy6HU6nxpEqWeXmX-9r1BMiwh1prCflFru_Q2YpyzbaGM6y7CI-kPiMvD-4e_KbiUvPJzvrenf4zW_ccs84nLv-YN3Pq-JrUBX_dQZi0u7sx04SUGOEFccee2DPs6i-PUNvrhZGv8zQw93JZy6Xy_pXQdC4Vkzp-DkzvvJqxF3Vds2S\/s16000\/Lessons%20Learned%20from%20Salesforce_Salesloft%20Drift%20Data%20Breaches%20-%20Detailed%20Case%20Study%20q.webp\" alt=\"\"\/><figcaption class=\"wp-element-caption\">OAuth token compromise attack flow diagram<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"drift-platform-exploitation-and-oauth-token-theft\"><strong>Drift Platform Exploitation and OAuth Token Theft<\/strong><\/h2>\n\n\n\n<p>Following their reconnaissance phase, the attackers pivoted to exploit Drift&#8217;s Amazon Web Services (AWS) environment, where they successfully obtained <a href=\"https:\/\/cybersecuritynews.com\/oauth-2-0\/\" target=\"_blank\" rel=\"noreferrer noopener\">OAuth tokens<\/a> for Drift customers&#8217; technology integrations.<\/p>\n\n\n\n<p>This represents the critical supply chain vulnerability that enabled the widespread attack across hundreds of organizations.<a href=\"https:\/\/thehackernews.com\/2025\/09\/github-account-compromise-led-to.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p>OAuth tokens serve as digital keys that authorize applications to access user data across different platforms without requiring password authentication.<\/p>\n\n\n\n<p>In the case of Drift, these tokens enabled the chatbot platform to integrate with customer systems like Salesforce, Google Workspace, and other business applications.<\/p>\n\n\n\n<p>By stealing 
these tokens, UNC6395 effectively inherited the same trusted access privileges, allowing it to bypass traditional security controls.<a href=\"https:\/\/astrix.security\/learn\/blog\/critical-update-astrix-research-team-discovers-unc6395-oauth-compromise-spanning-salesforce-google-workspace-and-aws\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p>The technical sophistication of this phase is evident in the attackers&#8217; ability to access AWS-hosted OAuth credentials and extract them without detection.<\/p>\n\n\n\n<p>This suggests a deep understanding of cloud infrastructure and token management systems, characteristic of advanced persistent threat (APT) groups.<a href=\"https:\/\/appomni.com\/blog\/drift-breach-salesforce-unc6395-saas-prevention\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p>Between August 8 and 18, 2025, UNC6395 launched a systematic data exfiltration campaign targeting <a href=\"https:\/\/cybersecuritynews.com\/salesforce-releases-forensic-investigation-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">Salesforce instances<\/a> connected through Drift integrations. The attackers employed sophisticated techniques to maximize data theft while attempting to evade detection.<\/p>\n\n\n\n<p>The primary objective of the campaign was credential harvesting rather than immediate data monetization. 
UNC6395 systematically searched through exfiltrated data for valuable secrets, including:<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/astrix.security\/learn\/blog\/critical-update-astrix-research-team-discovers-unc6395-oauth-compromise-spanning-salesforce-google-workspace-and-aws\/\"><\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon Web Services (AWS) access keys (AKIA format)<\/li>\n\n\n\n<li>Snowflake-related access tokens<\/li>\n\n\n\n<li>VPN credentials and configuration information<\/li>\n\n\n\n<li>Generic passwords and authentication strings<\/li>\n\n\n\n<li>API keys and service account credentials<a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/data-theft-salesforce-instances-via-salesloft-drift\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<p>This focus on credential harvesting indicates a strategic approach aimed at enabling secondary attacks and lateral movement across victim environments.<\/p>\n\n\n\n<p>The stolen credentials could provide attackers with persistent access to cloud infrastructure and business-critical systems far beyond the initial Salesforce breach.<a href=\"https:\/\/firecompass.com\/weekly-cybersecurity-intelligence-report-cyber-threats-breaches-02-sep-08-sep\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"companies-affected-and-impact-assessment\"><strong>Companies Affected<\/strong><\/h2>\n\n\n\n<p>The breach impacted a staggering number of organizations, with Google Threat Intelligence Group confirming that hundreds of companies were affected.<\/p>\n\n\n\n<p>Among the publicly disclosed victims are several prominent cybersecurity vendors, highlighting the indiscriminate nature of supply chain attacks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/cybersecuritynews.com\/cloudflare-confirms-data-breach\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">Cloudflare<\/a><\/strong>: Confirmed unauthorized access to Salesforce case objects between August 12-17, 2025, with 104 API tokens discovered and rotated<a href=\"https:\/\/blog.cloudflare.com\/response-to-salesloft-drift-incident\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/cybersecuritynews.com\/palo-alto-networks-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">Palo Alto Networks<\/a><\/strong>: Disclosed compromise of CRM platform containing business contact information and basic case data<a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2025\/09\/salesforce-third-party-application-incident-response\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/cybersecuritynews.com\/zscaler-confirms-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zscaler<\/a><\/strong>: Acknowledged impact on Salesforce data, including customer licensing and commercial information<a href=\"https:\/\/firecompass.com\/weekly-cybersecurity-intelligence-report-cyber-threats-breaches-02-sep-08-sep\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/cybersecuritynews.com\/tenable-confirms-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tenable<\/a><\/strong>: Reported exposure of customer support case information and business contact details<a href=\"https:\/\/www.tenable.com\/blog\/tenable-response-to-salesforce-and-salesloft-drift-incident\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong>Proofpoint<\/strong>: Confirmed as affected in multiple security advisories<a href=\"https:\/\/zettawise.in\/blog\/article\/salesloft-confirms-hacker-gained-access-to-its-systems-in-march-via-a-compromised-github-account\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/cybersecuritynews.com\/dynatrace-data-breach\/\" 
target=\"_blank\" rel=\"noreferrer noopener\">Dynatrace<\/a><\/strong>: Reported limited exposure of business contact information with no impact to core products<a href=\"https:\/\/www.dynatrace.com\/news\/blog\/salesloft-drift-incident-dynatraces-response\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/cybersecuritynews.com\/qualys-confirms-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">Qualys<\/a><\/strong>: Confirmed limited Salesforce access with no impact to production environments<a href=\"https:\/\/blog.qualys.com\/misc\/2025\/09\/06\/salesloft-drift-supply-chain-incident\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong>CyberArk<\/strong>: Disclosed compromise of CRM data while emphasizing no customer credential exposure<a href=\"https:\/\/www.cyberark.com\/resources\/blog\/salesloft-drift-incident-overview-and-cyberarks-response\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li><strong>Wealthsimple<\/strong>: Reported more extensive impact, including customer government IDs and personal information.<a href=\"https:\/\/zettawise.in\/blog\/article\/salesloft-confirms-hacker-gained-access-to-its-systems-in-march-via-a-compromised-github-account\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"root-cause-analysis-systemic-security-failures\"><strong>Root Cause Analysis: Systemic Security Failures<\/strong><\/h2>\n\n\n\n<p>The Salesloft Drift breach reveals multiple interconnected security failures that combined to create a catastrophic <a href=\"https:\/\/cybersecuritynews.com\/tag\/supply-chain-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">supply chain vulnerability<\/a>:<\/p>\n\n\n\n<p>The initial GitHub compromise suggests inadequate security controls around code repositories and development infrastructure. 
Key failures include:<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2025\/09\/github-account-compromise-led-to.html\"><\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Insufficient access controls and monitoring for critical development accounts<\/li>\n\n\n\n<li>Lack of detection capabilities for unauthorized repository access<\/li>\n\n\n\n<li>Extended dwell time (3+ months) without detection of malicious activity<\/li>\n<\/ul>\n\n\n\n<p>The ability of attackers to access and steal OAuth tokens from AWS environments indicates significant shortcomings in credential management:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inadequate protection of high-value authentication tokens<\/li>\n\n\n\n<li>Insufficient segmentation between development and production environments<\/li>\n\n\n\n<li>Lack of anomaly detection for OAuth token usage patterns<a href=\"https:\/\/astrix.security\/learn\/blog\/critical-update-astrix-research-team-discovers-unc6395-oauth-compromise-spanning-salesforce-google-workspace-and-aws\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<p>Organizations demonstrated insufficient oversight of third-party integrations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Over-permissive OAuth scopes granting excessive access to integrated applications<\/li>\n\n\n\n<li>Inadequate monitoring of third-party application behavior<\/li>\n\n\n\n<li>Lack of regular security assessments for connected applications<a href=\"https:\/\/socradar.io\/salesloft-drift-breach-everything-you-need-to-know\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Detection and Response Gaps<\/strong><\/h3>\n\n\n\n<p>The extended duration of malicious activity (10+ days) reveals detection and response deficiencies:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Insufficient real-time monitoring of API usage patterns<\/li>\n\n\n\n<li>Delayed recognition of 
anomalous bulk data extraction activities<\/li>\n\n\n\n<li>Inadequate threat intelligence sharing between vendors and customers<a href=\"https:\/\/blog.cloudflare.com\/response-to-salesloft-drift-incident\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"comprehensive-mitigation-strategies\"><strong>Mitigation Strategies<\/strong><\/h2>\n\n\n\n<p>Based on the lessons learned from this incident, organizations should implement comprehensive mitigation strategies addressing both immediate and long-term security improvements:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Immediate Response Actions<\/strong><\/h3>\n\n\n\n<p><strong>OAuth Token Security Hardening<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement sender-constrained access tokens using mutual TLS (mTLS) or DPoP (Demonstrating Proof-of-Possession)<a href=\"https:\/\/workos.com\/blog\/oauth-best-practices\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n\n\n\n<li>Establish refresh token rotation policies for public clients<\/li>\n\n\n\n<li>Deploy real-time monitoring for OAuth token usage anomalies<a href=\"https:\/\/auth0.com\/docs\/secure\/tokens\/token-best-practices\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Third-Party Integration Review<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct comprehensive audits of all connected applications and their permissions<\/li>\n\n\n\n<li>Implement least-privilege principles for OAuth scopes and API access<\/li>\n\n\n\n<li>Establish regular security assessments for critical integrations<a href=\"https:\/\/www.cyberdefensemagazine.com\/software-supply-chain-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Enhanced Monitoring and Detection<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy advanced analytics for API usage patterns and bulk data 
operations<\/li>\n\n\n\n<li>Implement real-time alerting for suspicious SOQL query activities<\/li>\n\n\n\n<li>Establish baseline behavioral profiles for legitimate application usage<a href=\"https:\/\/www.mitiga.io\/blog\/how-threat-actors-used-salesforce-data-loader-for-covert-api-exfiltration\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Strategic Security Improvements<\/strong><\/h3>\n\n\n\n<p><strong>Supply Chain Risk Management<\/strong>:<br>Organizations must implement comprehensive third-party risk management programs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct rigorous vendor security assessments before integration<\/li>\n\n\n\n<li>Establish continuous monitoring of vendor security postures<\/li>\n\n\n\n<li>Implement contractual security requirements and SLAs<a href=\"https:\/\/www.cyberdefensemagazine.com\/software-supply-chain-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Zero Trust Architecture Implementation<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply <a href=\"https:\/\/cybersecuritynews.com\/tag\/zero-trust\/\" target=\"_blank\" rel=\"noreferrer noopener\">zero-trust<\/a> principles to all third-party integrations<\/li>\n\n\n\n<li>Implement continuous verification and least-privilege access controls<\/li>\n\n\n\n<li>Deploy network segmentation to limit lateral movement potential<a href=\"https:\/\/www.vectra.ai\/topics\/supply-chain-attack\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Development Security Enhancement<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement comprehensive security controls for code repositories<\/li>\n\n\n\n<li>Deploy real-time monitoring for development environment access<\/li>\n\n\n\n<li>Establish secure software development lifecycle (SDLC) practices<a 
href=\"https:\/\/www.indusface.com\/learning\/what-is-a-supply-chain-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/li>\n<\/ul>\n\n\n\n<p>The incident demonstrates how sophisticated threat actors can exploit trusted relationships to achieve widespread impact across hundreds of organizations simultaneously.<a href=\"https:\/\/firecompass.com\/weekly-cybersecurity-intelligence-report-cyber-threats-breaches-02-sep-08-sep\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p>As supply chain attacks continue to evolve in sophistication and scale, the lessons learned from this breach will be crucial for organizations seeking to protect themselves against future threats.<\/p>\n\n\n\n<p>The key is not just to implement individual security controls, but to build comprehensive, integrated security programs that can adapt to the dynamic nature of modern cyber threats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in SaaS history, demonstrating how a single compromised integration can cascade into widespread organizational exposure. This sophisticated campaign, staged by the threat actor UNC6395, exploited OAuth token vulnerabilities to access sensitive data from over 700 organizations, including [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":125848,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp","fifu_image_alt":"Salesloft Drift Data 
Breaches","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11,842],"tags":[149,151],"class_list":{"0":"post-125841","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-security-news","8":"category-cyber-security-research","9":"tag-cyber-security","10":"tag-cyber-security-news"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.7.1 (Yoast SEO v25.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Lessons From Salesforce\/Salesloft Drift Data Breaches - Detailed Case Study<\/title>\n<meta name=\"description\" content=\"The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in SaaS history, demonstrating how a single compromised integration can cascade into widespread organizational exposure.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lessons from Salesforce\/Salesloft Drift Data Breaches - Detailed Case Study\" \/>\n<meta property=\"og:description\" content=\"The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in SaaS history, demonstrating how a single compromised integration can cascade into widespread organizational exposure.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/guruba008\" \/>\n<meta 
property=\"article:published_time\" content=\"2025-09-11T15:01:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-12T16:00:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp\" \/><meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Guru Baran\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp\" \/>\n<meta name=\"twitter:creator\" content=\"@guruba008\" \/>\n<meta name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guru Baran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Lessons From Salesforce\/Salesloft Drift Data Breaches - Detailed Case Study","description":"The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in SaaS history, demonstrating how a single compromised integration can cascade into widespread organizational exposure.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/","og_locale":"en_US","og_type":"article","og_title":"Lessons from Salesforce\/Salesloft Drift Data Breaches - Detailed Case Study","og_description":"The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in SaaS history, demonstrating how a single compromised integration can cascade into widespread organizational exposure.","og_url":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/","og_site_name":"Cyber Security 
News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_author":"https:\/\/www.facebook.com\/guruba008","article_published_time":"2025-09-11T15:01:15+00:00","article_modified_time":"2025-09-12T16:00:45+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp","type":"","width":"","height":""},{"width":1600,"height":900,"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp","type":"image\/jpeg"}],"author":"Guru Baran","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp","twitter_creator":"@guruba008","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Guru Baran","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/"},"author":{"name":"Guru Baran","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026"},"headline":"Lessons from Salesforce\/Salesloft Drift Data Breaches &#8211; Detailed Case Study","datePublished":"2025-09-11T15:01:15+00:00","dateModified":"2025-09-12T16:00:45+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/"},"wordCount":1193,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp?w=1600&resize=1600,900&ssl=1","keywords":["cyber security","cyber security news"],"articleSection":["Cyber Security News","CyberSecurity Research"],"inLanguage":"en-US","copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/","url":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/","name":"Lessons From Salesforce\/Salesloft Drift Data Breaches - Detailed Case 
Study","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp?w=1600&resize=1600,900&ssl=1","datePublished":"2025-09-11T15:01:15+00:00","dateModified":"2025-09-12T16:00:45+00:00","description":"The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in SaaS history, demonstrating how a single compromised integration can cascade into widespread organizational exposure.","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/#primaryimage","url":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp?w=1600&resize=1600,900&ssl=1","contentUrl":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/Salesforce
Salesloft%20Data%20Breaches.webp?w=1600&resize=1600,900&ssl=1","width":"1600","height":"900","caption":"Salesloft Drift Data Breaches"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"Lessons from Salesforce\/Salesloft Drift Data Breaches &#8211; Detailed Case Study"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security News","description":"World&#039;s #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026","name":"Guru 
Baran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","caption":"Guru Baran"},"description":"Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.","sameAs":["https:\/\/cybersecuritynews.com","https:\/\/www.facebook.com\/guruba008","https:\/\/www.linkedin.com\/in\/gurubaran-cyberwrites\/","https:\/\/x.com\/guruba008"],"url":"https:\/\/cybersecuritynews.com\/author\/guru\/"}]}},"jetpack_featured_media_url":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3ZMfauTQWV9rNnjEdxanB1ry9XLarXm5hGPMflSasEuguu1hAvS-FTCF4g2jrcenABMUK_g5LnKWhaxe0jZpUwgEyqEJtt0BOeLb2D_Y7E5QPxQz4hxjt4IFwwSZNuP3j3ou1WHE4ZTblKc3n3TcGTWJV-fJEfpGjZv4WSfaJvQUNEjlw0tdvKpq2hfQ8\/s16000\/SalesforceSalesloft%20Data%20Breaches.webp?w=1600&resize=1600,900&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/125841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=125841"}],"version-history":[{"count":2,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/125841\/revisions"}],"predecessor-version":[{"id":125849,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/125841\/revisions\/125849"}],"wp:featuredmedi
a":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/125848"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media?parent=125841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=125841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=125841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}