How the Salesloft Drift breach signals a growing risk for our industry

Breach

Strategy

Salesloft Drift is a cloud-based sales engagement platform that uses AI agents to orchestrate consumer buying journeys and revenue management. On 25th August, Google’s threat intelligence group and Salesloft reported a significant targeted attack on the Salesloft Drift application by the threat group UNC6395. The attack campaign started in March 2025 and remained undetected until it caused impact in August 2025. This could be the catalyst for changes in our industry.

Date

September 2025

The events as we know them

  • UNC6395 accessed Salesloft’s GitHub ecosystem in March 2025 and performed reconnaissance for 4 months before moving laterally into its AWS environment.

  • UNC6395 launched an attack that compromised OAuth credentials (access and refresh tokens) originating from the Salesloft Drift platform.

  • UNC6395 were able to leverage the compromised tokens to access downstream customer instances. The impact was initially suspected to be limited to Drift’s Salesforce integrations (approximately 700 customers), but it is now confirmed that all Drift tokens, and therefore all Drift customers, are affected.

  • The threat group used custom Python scripts and Salesforce Object Query Language (SOQL) queries to automate data scanning and exfiltration during a 10-day attack window.

  • It’s suspected that UNC6395 operated with the goal of harvesting credentials to pivot to other, potentially more lucrative, cloud environments. Google’s analysis confirms that UNC6395 searched for secrets associated with AWS access keys, Snowflake access tokens and plaintext passwords.

  • The Drift application was taken offline from 05/09/2025, with all customers advised to treat all of their Drift integrations as compromised.

  • The root cause has not been disclosed (as of this blog post, 11/09/2025); however, Google and Salesloft have issued security recommendations to detect, protect and respond.

  • 27 technology and cyber businesses have confirmed impact as of 11/09/2025 - you can track these here.

  • Salesloft communication and updates can be found on the Drift portal here.
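The event list above describes two behaviours a downstream customer can look for in their own API query logs: a connector token pulling many objects and rows in a short window, and SOQL queries whose filters target secrets rather than business fields. The Python below is an added example (not from the original post, Salesloft or Google) that runs both detections over constructed, simplified log lines. The log format, field names and thresholds are assumptions; real Salesforce Event Monitoring records carry different fields, so the parser would need adapting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one record per API query:
# timestamp | OAuth connected app | user | object | rows returned | query text
# (assumed, simplified format; not a real Salesforce Event Monitoring schema)
SAMPLE_LOG = [
    "2025-08-10T02:01:05Z|Drift Connector|integration.user|Account|120|SELECT Id, Name FROM Account WHERE LastModifiedDate > 2025-08-09T00:00:00Z",
    "2025-08-10T02:01:09Z|Drift Connector|integration.user|Contact|80|SELECT Id, Email FROM Contact WHERE LastModifiedDate > 2025-08-09T00:00:00Z",
    "2025-08-12T03:14:00Z|Drift Connector|integration.user|Case|25000|SELECT Id, Subject, Description FROM Case",
    "2025-08-12T03:14:30Z|Drift Connector|integration.user|Case|30000|SELECT Id, Description FROM Case WHERE Description LIKE '%AKIA%'",
    "2025-08-12T03:15:10Z|Drift Connector|integration.user|Case|18000|SELECT Id, Description FROM Case WHERE Description LIKE '%password%'",
    "2025-08-12T03:15:40Z|Drift Connector|integration.user|Attachment|9000|SELECT Id, Name FROM Attachment WHERE Name LIKE '%snowflake%'",
    "2025-08-12T03:16:00Z|Drift Connector|integration.user|User|500|SELECT Id, Username, Email FROM User",
    "2025-08-12T03:16:20Z|Drift Connector|integration.user|Opportunity|40000|SELECT Id, Name, Amount FROM Opportunity",
    "2025-08-12T09:00:00Z|Sales Dashboard|alice|Opportunity|40|SELECT Id, Name FROM Opportunity WHERE OwnerId = '005CONSTRUCTED'",
]

# Keywords taken from the post's description of what UNC6395 searched for
# (AWS access keys, Snowflake tokens, plaintext passwords), plus generic ones.
SECRET_HUNT = re.compile(r"akia|password|passwd|secret|snowflake|token|api[_ ]?key", re.I)

# Thresholds are assumptions; tune them to the connector's normal baseline.
WINDOW = timedelta(minutes=10)
MAX_OBJECTS = 4
MAX_ROWS = 50_000


def parse(line):
    ts, app, user, obj, rows, soql = line.split("|", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "app": app, "user": user, "obj": obj, "rows": int(rows), "soql": soql,
    }


def where_clause(soql):
    """Return the WHERE clause text, or '' if the query has none."""
    m = re.search(r"\bWHERE\b(.*)$", soql, re.I)
    return m.group(1) if m else ""


def secret_hunting_queries(lines):
    """Queries whose filter targets secret-like content rather than business fields."""
    return [r for r in map(parse, lines) if SECRET_HUNT.search(where_clause(r["soql"]))]


def bulk_harvest_alerts(lines):
    """One alert per principal that touches many objects or pulls many rows
    within WINDOW; a sliding window over that principal's own query history."""
    by_principal = defaultdict(list)
    for r in map(parse, lines):
        by_principal[(r["app"], r["user"])].append(r)
    alerts = []
    for principal, recs in by_principal.items():
        recs.sort(key=lambda r: r["ts"])
        for i, end in enumerate(recs):
            window = [r for r in recs[: i + 1] if end["ts"] - r["ts"] <= WINDOW]
            objects = {r["obj"] for r in window}
            rows = sum(r["rows"] for r in window)
            if len(objects) >= MAX_OBJECTS or rows >= MAX_ROWS:
                alerts.append({"principal": principal, "window_end": end["ts"],
                               "objects": sorted(objects), "rows": rows})
                break  # the first trigger is enough for triage
    return alerts


if __name__ == "__main__":
    for a in bulk_harvest_alerts(SAMPLE_LOG):
        print("bulk harvest:", a)
    for q in secret_hunting_queries(SAMPLE_LOG):
        print("secret hunt:", q["app"], q["obj"], q["soql"])
```

The two checks are deliberately independent: volume alone catches a connector that suddenly behaves like an export job, and the keyword check catches low-volume, precisely targeted queries that a volume threshold would miss. Both key on the OAuth connected app rather than the user, because a stolen connector token looks like the integration user doing its normal job until you compare against its baseline.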

What’s at stake for all parties involved?

For Salesloft: Customers and partners will be reviewing terms and considering options to cancel existing agreements. There will be financial impact from customer loss, incident response and any required rebuild (e.g. of token stores).

For the 700+ downstream impacted Drift customers: Customers will review whether UNC6395 had access to all Drift integration related data (e.g. Salesforce) and to keys/passwords stored on connected instances. There is a palpable risk that these organisations have already had their data stolen, or are in the firing line for UNC6395 to use stolen keys to access more sensitive systems for impact (e.g. ransomware).

For non-Salesloft customers: This should be on every business’ risk radar. All digital ecosystems are connected to many other SaaS vendor services (like Drift) with connections into their respective corporate IT estates. Business leaders will be asking: are we ‘secure enough’ to detect, contain, respond to and recover from a supply chain attack?


Why is this a growing industry risk?

There’s more to this than a standard breach notification. It’s a reflection of a deeply complex challenge for our technology and cyber security industry. Corporate digital ecosystems are flooded with SaaS connectors and complex supply chains. Those same SaaS services are now built on AI-assisted software development lifecycles, with vibe coding referencing vulnerable packages and libraries. This is compounded by the increase in SaaS startups and by threat actors weaponising AI throughout all stages of an attack. We will see more technology companies breached, regardless of shape and size.


What are the bigger picture themes?

The cyber landscape is shifting as businesses either introduce new AI agent capabilities into customer offerings and enterprise tools, or acquire new capabilities entirely. This represents the direction of travel, with 7 emerging themes:


  1. Technology industry in the cross-hairs: History tells us that attacks on technology businesses yield a high ROI for threat actors. The current Drift breach has the potential to impact over 700 dependent businesses. Last year, a targeted Snowflake account led to the largest data breach of 560 million personal credentials, impacting 165 downstream businesses. Okta, Microlise and MOVEit also serve as strong and recent examples. This outlook rewrites the outdated security assumption that certain industries will not be targeted by criminal threat actors or nation states. You will likely fall victim because your HR, sales or business operations teams are using a SaaS application that has been compromised.


  2. ISO27001 and SOC2 are not enough: While these standards demonstrate that controls and processes are established, far too many companies that advertise ISO27001 and SOC2 compliance are being breached. ISO27001 and SOC2 do not address complex technology stacks, deep supply chains, AI-developed code, appropriate budgeting for security, or effective security architecture practices.


  3. Faster development: With the rise of vibe coding and AI development tooling, product development speed has increased rapidly. What would have taken weeks or months to develop can now take hours to build and deploy to production. This increases the pressure on security teams to adapt, and it changes the inherent trust we once had that software providers could suitably budget for and prioritise security in the systems they build.


  4. The theoretical lag: Industry guidance is to apply zero trust practices to third party integrations. While it makes sense in theory, it is difficult to apply in practice. SaaS connectors often require access to read, write and update data to function properly (Salesloft is an example). Salesloft does a good job of ensuring access rights are configurable if you need to harden further. However, hardening your connector means cutting back on feature functionality, and then you risk making the tool redundant in the first place. Beyond additional JWT tokens and stricter session timeouts, we need more innovation in this space to detect and respond to connector violations.


  5. Shift in organisational cyber risk management: Supply chains need more thorough reviews. This begins with counting your SaaS services (asset management), planning breach scenarios (threat modelling and wargames), and using this information to enforce contract requirements, scope security programmes and estimate budgets. You will likely be the victim of a supply chain breach, and your business needs the rehearsed capability and presence of mind to continue operating.


  6. Even with SaaS, security is still the customer’s responsibility: Granted, under the shared responsibility model you transfer most of the security management to the cloud provider; however, in this case 700+ customers pay the price of verifying that UNC6395 do not have access to their data or credentials. Key, secret and credential rotation can be painful in practice and requires verification that all your other systems still work, which is where this becomes a consolidated security, IT and change management effort.


  7. M&A cyber due diligence depth: Salesloft acquired Drift in 2024, with both majority owned by the same private equity house (Vista Equity Partners). Such processes typically involve a form of cyber due diligence, with recognised risks to manage, design options to consider and remediation plans to implement post day-one. Cyber due diligence requires a level of depth and detail during the review of an acquisition. This depth influences whether you can catch logical separation / multi-tenant isolation risks that could have limited the blast radius of the attack (a compromised access and refresh token impacting all downstream customers). It’s an easy thing to say in hindsight, but with the rise of vibe coding and AI agents, the definition of a ‘secure enough’ acquisition will have to change.
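The earlier paragraph on what is at stake for downstream customers and theme 6 above both come down to one question: which secrets were sitting in the data the connector could read, and therefore must be rotated? The Python below is an added example (not from the original post, Salesloft or Google) that scans constructed Salesforce-style records for secret-like strings and reports redacted findings that can seed a rotation list. It uses the documented AWS access key ID format, a JWT-shaped pattern and a generic keyword-assignment pattern (password=, token:); the record shape and sample values are assumptions, and "AKIAIOSFODNN7EXAMPLE" is the AWS documentation example key, not a live credential.

```python
import re

# Detectors: name -> pattern. The AWS key ID format is documented (AKIA plus
# 16 upper-case alphanumerics); the other two are heuristics, so expect noise.
DETECTORS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*(\S{8,})"),
}

# Constructed records: object, id and free-text fields. Not real customer data.
RECORDS = [
    {"object": "Case", "id": "500CONSTRUCTED01",
     "fields": {"Subject": "S3 upload failing",
                "Description": "Tried with AKIAIOSFODNN7EXAMPLE and still get 403"}},
    {"object": "Case", "id": "500CONSTRUCTED02",
     "fields": {"Subject": "Snowflake onboarding",
                "Description": "warehouse user svc_drift, password=Winter2025!Rotate"}},
    {"object": "Contact", "id": "003CONSTRUCTED03",
     "fields": {"Description": "Please reset your password via the portal"}},
    {"object": "Note", "id": "002CONSTRUCTED04",
     "fields": {"Body": "bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmNfZHJpZnQifQ.c2lnbmF0dXJl"}},
]


def redact(value):
    """Keep enough to recognise the secret in a ticket, never the whole value."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_record(record):
    """Run every detector over every string field of one record."""
    findings = []
    for field, text in record["fields"].items():
        if not isinstance(text, str):
            continue
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(text):
                # for keyword assignments the secret is the captured value, not the keyword
                secret = m.group(2) if name == "credential_assignment" else m.group(0)
                findings.append({"object": record["object"], "id": record["id"],
                                 "field": field, "type": name, "redacted": redact(secret)})
    return findings


def scan(records):
    return [f for r in records for f in scan_record(r)]


def rotation_summary(findings):
    """Counts per secret type: the starting point for a rotation plan."""
    summary = {}
    for f in findings:
        summary[f["type"]] = summary.get(f["type"], 0) + 1
    return summary


if __name__ == "__main__":
    found = scan(RECORDS)
    for f in found:
        print(f"{f['object']}/{f['id']} {f['field']}: {f['type']} {f['redacted']}")
    print(rotation_summary(found))
```

Run it against an export of the objects the connector was permitted to read; the findings are redacted on purpose so that the output can go into a ticket without reproducing the secret, and the per-type summary tells the security, IT and change teams how many AWS keys, service passwords and tokens need rotating and which systems must be retested afterwards.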


How can a serious breach become something more positive?

For Salesloft: They detected, responded, contained and communicated, with independent support from Google. Although there might be further consequential impact, there is an opportunity to come out of this incident stronger and to provide better transparency and security in product features as they rebuild their applications and connectors. Companies have survived catastrophic breaches in the past. There’s an ending to this story in which Salesloft is known as one of the safest revenue management platforms on the market.

For the 700+ downstream impacted Drift customers: This is the business case to take to your board for practising data security protection and leakage prevention for your most critical assets, and for practising credential, key and secret rotation across your entire business. These are practices that often require investment and cross-team discipline and collaboration.

For non-Salesloft customers: Plan to get hit, and don’t do this alone: take your executive committee on this journey with you. Agree and practise your response plans, have response retainers signed, measure your exposure with threat models, and practise and prioritise these events with wargames. This needs to be an ingrained business practice, not a tool or policy document.

Let's Connect

Contact me if you have any questions or would just like to chat
