Full Report
Salesloft said the AI chat agent for sales and leads will be taken offline, as investigations into the attack spree widen and reveal more victims. The post Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler appeared first on CyberScoop.
Analysis Summary
# Incident Report: Salesloft Drift Supply Chain Compromise
## Executive Summary
A widespread, far-reaching supply chain attack originating from the third-party AI chat agent, Salesloft Drift, impacted numerous major technology companies including Cloudflare, Palo Alto Networks, and Zscaler. The initial means of access to the Salesloft platform is unconfirmed, but resulted in unauthorized access to customer integrations, primarily targeting Salesforce environments. The overall response involved Salesloft taking the Drift platform offline to facilitate a comprehensive review and remediation.
## Incident Details
- **Discovery Date:** Last week (relative to the article date of September 2, 2025)
- **Incident Date:** Attack began on August 8 (based on preceding merger announcement)
- **Affected Organization (Initial Vector):** Salesloft (specifically the Drift product)
- **Sector:** Technology/SaaS (Impacted organizations span Security and Cloud services)
- **Geography:** Global (the incident involves major international technology firms)
## Timeline of Events
### Initial Access
- **Date/Time:** Attack began on or around August 8, 2025.
- **Vector:** Root cause is currently unconfirmed; attributed to threat group UNC6395 gaining access to the Salesloft Drift platform.
- **Details:** Access appears to have been leveraged through customer integrations with the Drift platform.
### Lateral Movement
- **Details:** Threat actors used compromised tokens associated with the Salesloft Drift integration (specifically with Salesforce instances) to attempt unauthorized access to customer environments (e.g., Zscaler). Some attempts failed because they originated from unauthorized IP addresses (e.g., at Okta).
### Data Exfiltration/Impact
- **Details:** Zscaler confirmed exposure of customer data, including names, business email addresses, job titles, phone numbers, location details, product licensing, commercial information, and plain text content from some support cases. No core product or infrastructure was reportedly affected at Zscaler.
### Detection & Response
- **Detection:** Victims began identifying unauthorized activity and receiving notices from Salesloft and related response teams (Google Threat Intelligence Group, Mandiant). Okta identified an attempted access.
- **Response Actions:** Salesloft announced that the Drift chatbot would be taken offline to "comprehensively review the application and build additional resiliency." Affected customers began internal investigations.
## Attack Methodology
- **Initial Access:** Unknown (Compromise of Salesloft Drift platform by UNC6395).
- **Persistence:** Not explicitly detailed, but access was maintained via compromised integrations/tokens.
- **Privilege Escalation:** Implied through the exploitation of platform integration authorization (e.g., Salesforce tokens).
- **Defense Evasion:** Not detailed.
- **Credential Access:** Compromised tokens were used to attempt data access.
- **Discovery:** Not detailed.
- **Lateral Movement:** Movement occurred from the compromised Salesloft Drift environment *into* integrated customer environments (e.g., Salesforce instances).
- **Collection:** Gathering of customer PII, job titles, contact information, and support case content.
- **Exfiltration:** Implied via unauthorized access to data stored or accessible through the integration scope.
- **Impact:** Theft of customer PII/commercial data from victim organizations.
## Impact Assessment
- **Financial:** Not specified, but significant costs associated with incident response and remediation across multiple major organizations.
- **Data Breach:** Significant exposure of customer data belonging to organizations such as Zscaler, including names, business emails, job titles, phone numbers, location details, and support case content.
- **Operational:** Salesloft took the Drift platform completely offline, indicating a significant service disruption for its customers.
- **Reputational:** High-profile compromise involving major security and cloud vendors.
## Indicators of Compromise
- **Network Indicators:** Access attempts originating from unauthorized IP addresses (as noted by Okta). No specific IP addresses or URLs were provided in the article summary, so there is nothing to defang here.
- **File Indicators:** None specified in the article summary.
- **Behavioral Indicators:** Use of compromised tokens associated with the Salesloft Drift integration to query customer Salesforce instances.
## Response Actions
- **Containment:** Salesloft announced the imminent shutdown of the Drift platform. Victim organizations (like Zscaler) limited access to only necessary integrations.
- **Eradication:** Implied through the process Salesloft undertook to review and rebuild security in the system.
- **Recovery:** Customers are reviewing the affected data to determine the full extent of the compromise and their notification obligations. Salesloft aims to return the application to full functionality after security hardening.
## Lessons Learned
- The deep integration provided by third-party AI/SaaS applications (like Salesloft Drift) creates significant supply chain risk, allowing initial compromise to ripple across seemingly disparate organizations.
- Companies must rigorously audit and limit the scope and permissions granted to third-party integrations, especially those accessing sensitive data stores like Salesforce.
- The reliance on a single vendor for a critical business function (like AI sales chatting) introduces an acute single point of failure.
## Recommendations
- Immediately audit all third-party SaaS integrations, particularly those utilizing shared credentials or deep API access tokens for customer data environments (e.g., Salesforce).
- Implement strict modern security controls around integrated access, such as mandating IP allowlisting (whitelisting) for API calls associated with these third-party services.
- Establish robust monitoring to flag suspicious access patterns from trusted service accounts (e.g., token usage from unexpected geographic locations or unusual data queries).
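As an added example (not from the article, and not Salesloft's, Salesforce's or any victim's own code), the following Python sketch implements the last two recommendations as a detection rule: it reviews constructed Salesforce-style API events for an integration service account and flags token use from IPs outside an expected allowlist, plus bursts of queries from a single source. The account name, CIDR ranges, event format and threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed allowlist (hypothetical): egress CIDRs the Drift integration user is expected to come from
INTEGRATION_ALLOWLIST = {
    "drift-integration@example.com": ["203.0.113.0/24"],
}
QUERY_THRESHOLD = 3  # queries from one (user, ip) pair in the window before we call it bulk

# Constructed Salesforce-style API event records; not real log data
SAMPLE_EVENTS = [
    {"user": "drift-integration@example.com", "ip": "203.0.113.7", "op": "Query", "obj": "Contact"},
    {"user": "drift-integration@example.com", "ip": "198.51.100.22", "op": "Query", "obj": "Contact"},
    {"user": "drift-integration@example.com", "ip": "198.51.100.22", "op": "Query", "obj": "Case"},
    {"user": "drift-integration@example.com", "ip": "198.51.100.22", "op": "Query", "obj": "Account"},
    {"user": "alice@example.com", "ip": "192.0.2.10", "op": "Query", "obj": "Opportunity"},
]


def detect_anomalous_token_use(events, allowlist, threshold=QUERY_THRESHOLD):
    """Return sorted (user, ip, reason) findings for monitored integration accounts.

    reason is 'outside_allowlist' when the source IP is not in the account's
    expected ranges, and 'bulk_query' when one source issues >= threshold queries.
    """
    nets = {u: [ipaddress.ip_network(c) for c in cidrs] for u, cidrs in allowlist.items()}
    findings = set()
    query_counts = Counter()
    for ev in events:
        user = ev["user"]
        if user not in nets:
            continue  # ordinary human users are out of scope for this rule
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in nets[user]):
            findings.add((user, ev["ip"], "outside_allowlist"))
        if ev["op"] == "Query":
            query_counts[(user, ev["ip"])] += 1
    for (user, ip), n in query_counts.items():
        if n >= threshold:
            findings.add((user, ip, "bulk_query"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_anomalous_token_use(SAMPLE_EVENTS, INTEGRATION_ALLOWLIST):
        print(finding)
```

In a real deployment the allowlist would come from the vendor's published egress ranges and the events from the Salesforce event log export, with the threshold tuned to the integration's normal query volume.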