Salesloft Drift Breach Exposes Enterprise Salesforce Data Across Major Tech Companies

A sophisticated supply chain attack exploiting Salesloft’s Drift marketing application has compromised customer data across multiple enterprise Salesforce environments, with Workday confirming on August 23, 2025 that it was among the high-profile victims affected by the breach. The incident underscores the growing threat of third-party application vulnerabilities in an increasingly interconnected enterprise landscape.

The Exploit Mechanics

The attack vector originated within Salesloft’s own infrastructure, where a threat actor successfully breached systems and obtained OAuth credentials used by the Drift application to interface with customer Salesforce environments. Drift, a conversational marketing platform acquired by Salesloft, maintains deep integrations with Salesforce CRM systems through OAuth tokens that grant read and search access to customer data.

On August 23, 2025, Workday became aware of anomalous activity tied to the Drift integration and immediately severed the connection. The company invalidated all associated access tokens and engaged an external forensic investigation firm to assess the full scope of the compromise. By August 26, Salesloft confirmed that a threat actor had used the stolen OAuth credentials to execute unauthorized searches across multiple customers’ Salesforce instances.

The OAuth token-based attack represents an evolution in supply chain compromise techniques. Unlike traditional credential theft that targets individual accounts, this attack exploited the trusted relationship between a widely used marketing tool and enterprise CRM platforms, granting the attacker lateral access to multiple organizations through a single point of failure.

Affected Systems

The ripple effects of this breach extend far beyond Workday. Confirmed victims include some of the most prominent names in cybersecurity and technology: Palo Alto Networks reported exposure of business contact information and internal sales data from its CRM platform. Zscaler confirmed that customer names, contact details, and support case content were accessed. Google acknowledged that a very small number of its Workspace accounts were accessed through the compromised tokens.

Cloudflare disclosed that a sophisticated threat actor accessed and stole customer data from its Salesforce instance. PagerDuty confirmed unauthorized access to some of its data stored in Salesforce. Tenable reported that contact details and support case information of some customers were exposed. Qualys, Dynatrace, and Elastic each confirmed varying degrees of impact from the same supply chain attack vector.

The breadth of affected organizations illustrates how a single compromised integration can cascade across the entire technology sector, particularly when the targeted application connects to widely adopted platforms like Salesforce.

The Mitigation Strategy

Workday responded with a multi-layered containment strategy. The company immediately disconnected the Drift application from all environments and invalidated existing OAuth tokens. A comprehensive audit of all third-party vendor integrations utilizing the Drift application was initiated to assess whether additional exposure existed.

Workday emphasized that its core customer tenants were not directly accessed or compromised through this vector. The exposed data was limited to business contact information, basic support case details, tenant attributes such as data center names, product and service identifiers, training course records, and event logs. Critically, the attacker did not gain access to sensitive external files including contracts, order forms, or customer attachments in support cases.

The company is proactively searching all support cases for any credentials that may have been inadvertently shared and will notify affected customers directly. Salesloft published its own security advisory with recommended actions for all impacted customers.

Lessons Learned

This incident reinforces several critical security principles for enterprises relying on third-party integrations. First, OAuth token hygiene must be treated as a first-class security concern. Organizations should implement token rotation policies, scope permissions to the minimum necessary access, and maintain real-time monitoring of token usage patterns.

Second, the principle of least privilege applies to vendor integrations. Marketing tools should not have unrestricted access to CRM data stores. Granular permission scoping and regular access reviews can significantly limit the blast radius of a compromise.

Third, supply chain security requires continuous vendor risk assessment. The interconnected nature of modern SaaS ecosystems means that an organization’s security posture is only as strong as its weakest vendor connection. Regular third-party security audits and contractual security requirements are essential.
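The first two lessons above (token rotation, minimum scopes, usage monitoring) can be checked mechanically against an inventory of OAuth grants. The following is an added example, not code from Salesloft, Workday or Salesforce; the record fields, app names, scope labels and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy (constructed): approved scopes per integration, rotation age,
# and how far above its trailing daily mean a token's call count may go.
APPROVED_SCOPES = {"chat-widget": {"read"}, "billing-sync": {"read", "write"}}
MAX_TOKEN_AGE = timedelta(days=90)
SPIKE_FACTOR = 5

def audit_grant(grant, now):
    """Return the policy findings for one OAuth grant record."""
    findings = []
    approved = APPROVED_SCOPES.get(grant["app"])
    if approved is None:
        findings.append("unreviewed integration")
    else:
        extra = sorted(set(grant["scopes"]) - approved)
        if extra:
            findings.append("excess scopes: " + ",".join(extra))
    if now - grant["issued"] > MAX_TOKEN_AGE:
        findings.append("token past rotation age")
    *history, today = grant["daily_calls"]  # last entry is the current day
    if history:
        baseline = sum(history) / len(history)
        # max(..., 1) keeps near-idle tokens from alerting on tiny counts
        if today > SPIKE_FACTOR * max(baseline, 1):
            findings.append(f"usage spike: {today} calls vs baseline {baseline:.0f}")
    return findings

def audit(grants, now):
    """Map token_id -> findings, omitting grants that pass every check."""
    report = {g["token_id"]: audit_grant(g, now) for g in grants}
    return {tid: f for tid, f in report.items() if f}

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed inventory; a real one would come from the platform's
# connected-app and API usage exports.
NOW = _utc(2025, 9, 1)
GRANTS = [
    {"token_id": "tok-001", "app": "chat-widget", "scopes": ["read", "search"],
     "issued": _utc(2025, 1, 10), "daily_calls": [120, 110, 130, 4200]},
    {"token_id": "tok-002", "app": "billing-sync", "scopes": ["read", "write"],
     "issued": _utc(2025, 8, 1), "daily_calls": [40, 42, 38, 41]},
    {"token_id": "tok-003", "app": "legacy-export", "scopes": ["read"],
     "issued": _utc(2025, 8, 20), "daily_calls": [5, 5, 6, 5]},
]

if __name__ == "__main__":
    for token_id, findings in audit(GRANTS, NOW).items():
        print(token_id, "->", "; ".join(findings))
```

An integration missing from the approved list is reported rather than silently passed, so a forgotten grant surfaces in the same review as an over-scoped one.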

User Action Required

Workday urges all customers to immediately rotate any credentials that may have been shared with support teams through support cases. The company reiterated its standing guidance that customers should never include sensitive information such as login credentials in support tickets. Additional recommendations include mandatory multi-factor authentication deployment, regular phishing awareness training for employees, and active monitoring of user activity for suspicious behavior patterns.

For the broader enterprise community, this breach serves as an urgent reminder to audit all third-party application integrations connected to critical data stores, review OAuth token permissions and expiration policies, and establish incident response procedures that account for supply chain compromise scenarios.


13 thoughts on “Salesloft Drift Breach Exposes Enterprise Salesforce Data Across Major Tech Companies”

    1. piotr multi sig would not have stopped this. the attack was through oauth tokens that already had read access. the trust model was the vulnerability

      1. oauth_bleed you nailed it. the trust model IS the vulnerability. one vendor gets compromised and every customer with that integration is exposed

  1. Drift needing read access for live chat is fine. the search scope was the actual vulnerability. OAuth scope creep is real and nobody audits them

  2. Workday severing the Drift connection within hours of detection is textbook incident response. but the data was already gone by Aug 23

    1. one compromised app token exposing salesforce data across palo alto networks workday and others. supply chain attacks keep getting wider

  3. token_revoker_

    OAuth tokens with read AND search access to Salesforce. that’s basically your entire CRM exposed through one compromised vendor. scope creep kills

    1. token_revoker_ exactly. Drift needed read access for live chat. search access was unnecessary and is what made this a data breach instead of a minor incident

  4. Workday finding out on Aug 23 and Salesloft confirming scope on Aug 26. 3 days of unknown exposure. every hour matters in OAuth compromise
