Salesforce Re-Enables Salesloft Integrations (Except Drift) Following Hacks
by: Ross Collie
Blog post content copied from Salesforce News | Salesforce Ben



**Summary:** Salesforce has restarted integrations with Salesloft technologies, except for the Drift app, after a hacking incident targeted Salesforce customers using the Salesloft Drift application. On August 28, Salesforce temporarily disabled all connections with Salesloft due to a security breach involving compromised OAuth tokens. Following an investigation by Mandiant, which confirmed that the incident was contained, Salesforce announced on September 7 that most integrations were re-enabled, but the Drift app would remain offline for further security measures. The hacking campaign, attributed to a group called UNC6395, started on August 8 and involved unauthorized access to customer data via compromised OAuth tokens. Salesloft confirmed that the situation was worse than initially thought, affecting more than just the Salesforce integration. They took the Drift app offline temporarily to enhance security and have since implemented measures to prevent future breaches.

**Key Details:**

  • Salesforce disabled Salesloft integrations following a security breach.
  • The Drift app remains offline for security reasons.
  • Investigation by Mandiant indicated that the incident was contained.
  • OAuth tokens were compromised, affecting customer data.
  • Salesloft has implemented security measures and validated them with Mandiant.

**Additional Context:** Data breaches are a significant concern for businesses, particularly those that handle sensitive customer information. The situation highlights the importance of robust security practices and the need for immediate action in response to potential threats. Salesforce emphasized that the breach did not originate from issues within its core platform.


Salesforce has re-enabled integrations with Salesloft technologies, apart from Drift, after the application was targeted in a hacking campaign. 

On August 28, Salesforce announced that it had disabled the connection to Salesloft’s Drift app in response to a “recent security incident” – referring to the data theft attack in which hackers targeted Salesforce instances through compromised OAuth tokens associated with Salesloft Drift.

In an update later that day, Salesforce said that they had disabled all integrations with Salesloft technologies, meaning organizations would not be able to connect to Salesforce via any Salesloft apps “until further notice”. 

Now, in a more recent update posted on September 7, Salesforce said that they had re-enabled integrations with Salesloft technologies, “with the exception of any Drift app”. 

The update explained: “Drift will remain disabled until further notice as part of our continued response to the security incident. This decision follows security measures and remediation steps implemented by Salesloft, which were independently validated by Mandiant.”

Salesloft said in a post on September 7 that an investigation carried out by cyber defense specialists Mandiant suggests that “the incident has been contained”.

Salesloft Hacks Explained

In this hacking incident, Salesforce customers were targeted through the third-party application, Salesloft Drift. 

Google Threat Intelligence Group (GTIG) said that the widespread data theft campaign started as early as August 8 and ran until at least August 18, carried out by the actor tracked as ‘UNC6395’. This is a different designation than that given to the ‘ShinyHunters’ group, which is said to be responsible for several recent social engineering attacks.

In this case, hackers targeted Salesforce instances through compromised OAuth tokens associated with Salesloft Drift.

Salesloft had initially indicated that customers who do not integrate with Salesforce were not impacted by the campaign. 

But GTIG revealed that the scope of the Drift hack was worse than previously thought: the compromise was not exclusive to the Salesforce integration with Salesloft Drift, and OAuth tokens for the “Drift Email” integration were also compromised.

Salesforce disabled all integrations between Salesforce and Salesloft technologies, including the Drift app, and GTIG advised all Salesloft Drift customers to treat “any and all” authentication tokens stored in or connected to the Drift platform as potentially compromised.

In an update posted on September 2, Salesloft said that Drift would be taken down “temporarily” in order to boost its security. 

On September 7, Salesforce said it had re-enabled integrations with Salesloft technologies, apart from any Drift app, explaining that Drift would stay disabled “until further notice”.

Salesloft retained Mandiant to investigate the compromise of the Drift platform and its technology integrations.

On September 7, Salesloft posted an update revealing what Mandiant’s investigation had found. The post reads: “In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.

“The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments.

“The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.

“The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.

“The threat actor used the stolen OAuth tokens to access data via Drift integrations.”

Salesloft says that, as part of a comprehensive response, they performed containment and eradication activities, validated by Mandiant, in the Drift and Salesloft application environments.

This includes, but is not limited to:

  • Isolating and containing the Drift infrastructure, application, and code.
  • Taking the Drift Application offline.
  • Rotating impacted credentials.
  • Rotating credentials in the Salesloft environment.
  • Performing proactive threat hunting of the environment and noting “no additional Indicators of Compromise” (IOCs) found.
  • Rapidly hardening the Salesloft environment against the known methods used by the threat actor during the attack.
  • Threat hunting based on Mandiant Intelligence across Salesloft infrastructure and technologies, including IOC analysis; analysis of events associated with at-risk credentials based on threat actor activity; and analysis of events associated with activity that would permit the threat actor to circumvent Salesloft security controls.

Mandiant verified the technical segmentation between Salesloft and Drift applications and infrastructure environments, Salesloft said. 

“Based on the Mandiant investigation, the findings support the incident has been contained,” Salesloft said. “The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review.”

Final Thoughts 

Security is often at the back of our minds, but recent news about data theft incidents should be evidence enough that preventing disaster should be a key concern for Salesforce professionals.  

Salesforce has previously stressed that the issue in this case did not stem from a vulnerability within the core Salesforce platform.



September 08, 2025 at 05:41PM