Summary

  • A threat actor has been observed using the Salesloft Drift integration to target Salesforce instances.
  • Salesloft issued a statement on 18 August 2025 confirming that a threat actor had used compromised OAuth credentials to exfiltrate data from affected customers’ Salesforce environments between 8 and 18 August.
  • Unit 42 advised all organisations to treat the incident with urgency.
  • It recommended conducting investigations and log reviews for Salesforce and Drift, reviewing and rotating exposed credentials, and enabling proactive threat hunting in Salesforce environments.
  • It also suggested that organisations advise staff to be wary of social engineering attempts and adhere to zero trust principles.

By Unit 42
