Salesloft Drift OAuth Token

Salesloft on Tuesday announced that it's taking Drift temporarily offline "in the very near future," as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens.

"This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality," the company said. "As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible."

The company said its top priority is to ensure the integrity and security of its systems and customers' data, and that it's working with cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts.

The development comes after Google Threat Intelligence Group (GTIG) and Mandiant disclosed what it said was a widespread data theft campaign that has leveraged stolen OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent to breach customers' Salesforce instances.

"Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application," the company said last week.

Audit and Beyond

The activity has been attributed to a threat cluster dubbed UNC6395 (aka GRUB1), with Google telling The Hacker News that more than 700 organizations may have been potentially impacted.

While it was initially claimed that the exposure was limited to Salesloft's integration with Salesforce, it has since emerged that any platform integrated with Drift is potentially compromised. Exactly how the threat actors gained initial access to Salesloft Drift remains unknown at this stage.

The incident has also prompted Salesforce to temporarily disable all Salesloft integrations with Salesforce as a precautionary measure. Some of the businesses that have confirmed being impacted by the breach are as follows -

"We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare said.

"Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.