Salesloft Drift Supply Chain Attack Hits 700+ Firms, Data Stolen

Salesloft Takes Drift Chatbot Offline After Major Supply Chain Cyberattack Exposes Over 700 Organizations

  • Salesloft is temporarily taking its Drift chatbot service offline after a supply chain attack affected many companies.
  • The attack resulted in widespread theft of authentication tokens, impacting customer security and system integrity.
  • Google Threat Intelligence Group and Mandiant said the breach targeted Salesforce customer instances through compromised OAuth tokens from Drift.
  • More than 700 organizations may have been exposed to the cyberattack, according to Google.
  • Salesforce has temporarily disabled all Salesloft integrations as a safety measure, and the investigation is ongoing.

Salesloft announced on Tuesday that it will take the Drift chatbot service offline shortly after discovering a large-scale supply chain attack. Multiple organizations were affected, as attackers stole authentication tokens, threatening both company systems and customer data.

The company said this shutdown is the fastest way to review the application and improve security before restoring full service. In the meantime, the Drift chatbot will be unavailable on customer websites, and users will not have access to Drift. Salesloft stated it is working with cybersecurity firms, including Mandiant and Coalition, to investigate and address the breach.

Recent findings by Google Threat Intelligence Group (GTIG) and Mandiant revealed that starting on August 8, 2025, a threat group used stolen OAuth and refresh tokens from Drift’s AI chat agent to access and compromise Salesforce customer accounts. OAuth tokens let applications access user account information without sharing passwords, making them a valuable target for attackers. The group, called UNC6395 (also known as GRUB1), may have affected more than 700 organizations, according to Google.

While the attack was first believed to only involve Salesloft’s integration with Salesforce, officials now warn that any platform connected to Drift may be at risk. The method used to first access the Drift application remains unclear. Salesforce responded by disabling all Salesloft integrations as a precaution.

Some impacted businesses have publicly confirmed the breach. “We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks,” said Cloudflare. The company added, “Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations.”

Further investigation is underway as affected companies work to secure their systems and prevent additional incidents. The full extent of affected data is still being determined, and updates will follow as more information is released. For additional details, readers can refer to the official Salesloft advisory.
