A recent widespread incident involving Salesloft Drift has drawn attention to the risk carried by the third-party integrations that leading technology and security firms rely on. Companies such as Cloudflare, Palo Alto Networks, PagerDuty, SpyCloud, and Zscaler have reported varying degrees of data exposure following unauthorized access traced to the Drift chatbot platform. The unfolding situation has prompted many organizations to reassess their security posture, in particular to determine whether their own systems or customer information were affected. Customer concern continues to grow as notices and updates trickle in from the companies involved, underlining how far a single supply chain compromise can reach. Industry observers are watching the response and mitigation efforts closely as companies work out the scope and impact of the breaches.
Software supply chain compromises are not new, but the Salesloft Drift incident illustrates the continuing difficulty of securing third-party integrations. Earlier reports this year highlighted the risks of shared ecosystem tools; this breach reached not only direct customers of Drift and Salesloft but also the platforms those customers had connected to Drift, most notably Salesforce. Where comparable past events were more contained, this attack appears to have affected hundreds of organizations at once, underscoring persistent weaknesses in multivendor environments. Companies that had already assessed the security of their integrations are now re-evaluating those assessments in light of the exposures.
How Did the Attackers Gain Initial Access?
The specific method used by the threat actor, tracked as UNC6395, to gain its initial foothold within Salesloft Drift remains under investigation. Salesloft has stated,
“There is no evidence of any unusual or malicious activity with the Salesloft platform.”
Early indications were that only customers with a Salesforce integration were at risk. Later assessments by Google Threat Intelligence Group and Mandiant widened the pool of potentially affected organizations to any that had connected a service to Drift, advising that authentication tokens stored in or connected to the Drift platform be treated as potentially compromised.
Which Companies Were Impacted and How?
A number of prominent organizations confirmed exposures. At Zscaler, the compromised data included customer names, business contact details, job information, and support-related content; Zscaler identified its Salesforce integration through Salesloft Drift as the entry point for the unauthorized access. Cloudflare and Palo Alto Networks each reported that customer data within their support environments was potentially accessed, while stating that no core services or infrastructure were breached. Okta acknowledged an access attempt using a compromised token, which was blocked by its controls on the IP origin of requests.
What Are Companies Doing in Response?
In response to the incident, Salesloft announced plans to take the Drift platform offline, aiming to conduct a comprehensive review and implement additional security measures. The company explained,
“This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality.”
Impacted organizations have revoked the exposed tokens, notified affected customers, and begun reassessing their third-party integrations. Some companies, Zscaler among them, were already transitioning away from Drift for unrelated reasons.
Large-scale supply chain attacks such as this one continue to demonstrate the complexity of interconnected cloud services and vendor ecosystems. Organizations benefit from regularly auditing the permissions and data flows of each integrated third-party tool, revoking grants that are broader than the integration needs or that have gone unused, segmenting networks, and restricting token and administrative access to allowlisted IP ranges. This incident also shows the value of rapid incident response and transparent customer communication during a compromise. Companies with detailed access records and robust detection controls were able to scope and contain their exposure more effectively than those relying solely on vendor assurances. Mapping the attack paths that integrations open up, and minimizing the sensitive data that accumulates in support systems, may reduce exposure in future attacks.
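The two controls this section and the Okta example above point to, an audit of integration grants and an IP-origin check on token use, can be expressed as a small script. The following is an added example and not code from the article or from any of the vendors named in it: the grant inventory, the access log lines, the scope names (`admin`, `export`, `read:cases`, `read:contacts`), the field names and the thresholds are all constructed for illustration and do not reflect any particular SaaS platform's schema.

```python
"""Audit third-party integration grants and check token use against an IP allowlist.

Added example (not from the article or any vendor): the inventory, log lines,
scope names and thresholds below are constructed for illustration.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory of OAuth-style grants held by integrated third-party apps.
# Field names and scope strings are hypothetical, not a specific SaaS platform's schema.
INVENTORY = [
    {"app": "chat-widget", "token_id": "tok-1", "scopes": ["read:contacts", "read:cases", "admin"],
     "last_used": "2025-08-01T00:00:00Z", "allowed_cidrs": []},
    {"app": "oncall-sync", "token_id": "tok-2", "scopes": ["read:cases"],
     "last_used": "2025-08-20T00:00:00Z", "allowed_cidrs": ["203.0.113.0/24"]},
    {"app": "legacy-export", "token_id": "tok-3", "scopes": ["read:contacts", "export"],
     "last_used": "2025-01-15T00:00:00Z", "allowed_cidrs": ["198.51.100.0/24"]},
]

# Constructed API access log (one JSON object per line) standing in for the platform's event log.
ACCESS_LOG = """\
{"ts":"2025-08-20T10:00:00Z","token_id":"tok-2","src_ip":"203.0.113.7","op":"query","rows":40}
{"ts":"2025-08-20T10:05:00Z","token_id":"tok-1","src_ip":"192.0.2.99","op":"query","rows":250000}
{"ts":"2025-08-20T10:06:00Z","token_id":"tok-2","src_ip":"192.0.2.50","op":"query","rows":120000}
{"ts":"2025-08-20T10:07:00Z","token_id":"tok-9","src_ip":"192.0.2.50","op":"query","rows":5}
"""

BROAD_SCOPES = {"admin", "export"}                # far more than a chatbot or sync job needs
STALE_AFTER = timedelta(days=90)                   # unused grants are attack surface with no owner
BULK_ROW_THRESHOLD = 100_000                       # one call returning this many rows is an export
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)    # fixed clock so the results are reproducible


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_inventory(inventory, now=NOW):
    """Return (token_id, finding, detail) tuples for grants that deserve review or revocation."""
    findings = []
    for grant in inventory:
        broad = sorted(set(grant["scopes"]) & BROAD_SCOPES)
        if broad:
            findings.append((grant["token_id"], "broad-scope", ",".join(broad)))
        if not grant["allowed_cidrs"]:
            # Without an allowlist, a stolen token works from anywhere.
            findings.append((grant["token_id"], "no-ip-allowlist", ""))
        if now - _parse_ts(grant["last_used"]) > STALE_AFTER:
            findings.append((grant["token_id"], "stale", grant["last_used"]))
    return findings


def is_allowed_origin(grant, src_ip: str) -> bool:
    """Enforce the per-integration allowlist; an empty allowlist permits every origin."""
    nets = [ipaddress.ip_network(c) for c in grant["allowed_cidrs"]]
    if not nets:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


def check_access_log(log_text, inventory):
    """Replay log lines and return (token_id, alert, detail) tuples."""
    by_token = {g["token_id"]: g for g in inventory}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        grant = by_token.get(ev["token_id"])
        if grant is None:
            alerts.append((ev["token_id"], "unknown-token", ev["src_ip"]))
            continue
        if not is_allowed_origin(grant, ev["src_ip"]):
            alerts.append((ev["token_id"], "ip-not-allowed", ev["src_ip"]))
        if ev.get("rows", 0) >= BULK_ROW_THRESHOLD:
            alerts.append((ev["token_id"], "bulk-export", str(ev["rows"])))
    return alerts


if __name__ == "__main__":
    for row in audit_inventory(INVENTORY):
        print("AUDIT ", *row)
    for row in check_access_log(ACCESS_LOG, INVENTORY):
        print("ALERT ", *row)
```

Run as-is, the audit flags `tok-1` for its `admin` scope and missing allowlist and `tok-3` for its `export` scope and months of inactivity, while the log replay shows why the two controls belong together: the bulk export by `tok-1` from 192.0.2.99 is reported only because of its row count, since a grant with no allowlist is never rejected on origin, whereas the same behaviour by `tok-2` also trips the origin check. A grant that is both over-scoped and unrestricted by origin is the one to revoke first.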