Between August 8 and August 18, 2025, a widespread cyberattack targeted Drift, a Salesloft-owned AI chatbot platform widely integrated with Salesforce and other enterprise systems. The threat actor obtained the OAuth tokens that customers had issued to the Drift integration and used them to access hundreds of corporate Salesforce environments. Salesloft disclosed the incident on August 20, 2025, initially describing it as limited to Salesforce. Subsequent investigations by Google's Threat Intelligence Group (GTIG) and Palo Alto Networks' Unit 42 showed that the stolen tokens also granted access to other platforms connected through Drift, including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI.
The breach affected a wide range of organizations, as Salesloft serves over 5,000 customers, many of which are multinational corporations, meaning the breach likely spans multiple regions and industries.
The attackers, tracked by GTIG as UNC6395, gained access with stolen OAuth tokens: the digital credentials a customer grants to a third-party integration so that it can act in the customer's Salesforce tenant without a password. Salesloft's own investigation later attributed the theft to a compromise of its Drift environment rather than of the victims themselves. A separate, contemporaneous campaign that GTIG tracks as UNC6040 used voice phishing to talk Salesforce administrators into connecting a malicious app to their portals; the two campaigns are often conflated, but GTIG reported no known link between them. Once inside, UNC6395 used automated Python tooling to run bulk SOQL queries against objects such as Case, Account, Contact and Opportunity and exfiltrate the results. They then searched the exported records for credentials to other services, notably AWS access keys, Snowflake connection details and passwords pasted into support case text, which enabled movement into other cloud environments. To cover their tracks they deleted the bulk query jobs they had created, although Salesforce's event logs still recorded the queries, so affected organizations can reconstruct what was taken.
The breach could have been limited by stronger token lifecycle management, including short-lived access tokens, timely rotation and revocation of OAuth tokens and refresh tokens, and tighter monitoring of connected apps: which ones exist, which scopes they hold, and how much data they pull relative to their normal baseline. Salesloft's initial alert did not acknowledge the full scope of the token theft, which delayed remediation. Organizations are now urged to revoke and rotate all OAuth tokens connected to Drift, review Salesforce event logs for bulk queries issued through the Drift connected app (including from unfamiliar user agents and IP addresses), treat any credential found in exported records as compromised and rotate it, and apply zero-trust, least-privilege access controls to third-party apps. The business impacts are significant. While the breach started with Salesloft Drift, it quickly expanded into connected SaaS ecosystems, affecting email systems, cloud storage and CRM platforms worldwide.
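The audit described above can be scripted. The following is an added example written for this page, not code from Salesloft, Salesforce, Google or WTW. It runs over a constructed CSV export whose column names are loosely modelled on Salesforce API event logs (the real schema differs by event type); the user-agent strings it looks for are those GTIG reported for UNC6395's tooling, the connected-app names and row threshold are assumptions to tune per organization, and the credential patterns mirror what the actor searched exported data for.

```python
import csv
import io
import re

# Constructed sample rows loosely modelled on a Salesforce API event log export.
# Column names, accounts, IPs and queries are made up for this example.
SAMPLE_LOG = """\
TIMESTAMP,USER_NAME,CONNECTED_APP_NAME,USER_AGENT,QUERY,ROWS_PROCESSED,SOURCE_IP
2025-08-09T02:14:31Z,drift.integration@example.com,Drift,python-requests/2.32.4,"SELECT Id, Name, Email, Description FROM Case",48000,203.0.113.10
2025-08-09T02:15:02Z,drift.integration@example.com,Drift,Salesforce-Multi-Org-Fetcher/1.0,"SELECT Id, Name, Industry FROM Account",12000,203.0.113.10
2025-08-09T02:16:44Z,drift.integration@example.com,Drift,Python/3.11 aiohttp/3.12.15,"SELECT Id, Email, Phone FROM Contact",91000,203.0.113.10
2025-08-12T14:05:10Z,jsmith@example.com,Salesforce for iOS,SalesforceMobileSDK/11.0,"SELECT Id FROM Account WHERE Id = '001xx0000000001'",1,198.51.100.7
2025-08-13T09:10:00Z,drift.integration@example.com,Drift,Drift-Sync/1.0,"SELECT Id, Subject FROM Case WHERE LastModifiedDate = TODAY",37,192.0.2.25
"""

# User agents GTIG reported for UNC6395 tooling. A legitimate integration would
# not normally present these from the Drift connected app.
SUSPECT_USER_AGENTS = (
    re.compile(r"^python-requests/"),
    re.compile(r"aiohttp/"),
    re.compile(r"^Salesforce-Multi-Org-Fetcher/"),
    re.compile(r"^Salesforce-CLI/"),
)

# Connected apps whose tokens were compromised (assumption: names vary per org).
COMPROMISED_APPS = {"Drift", "Drift Email"}

# A chat integration syncing conversations should not pull tens of thousands of
# rows per query; the threshold is an assumption to tune against your baseline.
BULK_ROW_THRESHOLD = 10_000

# What the actor grepped exported records for: AWS keys, Snowflake hosts, passwords.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_host": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
}


def parse_events(text):
    """Parse a CSV export into dicts, converting ROWS_PROCESSED to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"])
    return rows


def flag_event(event):
    """Return the reasons an event matches the Drift token-abuse pattern, or []."""
    reasons = []
    if event["CONNECTED_APP_NAME"] in COMPROMISED_APPS:
        ua = event["USER_AGENT"]
        if any(p.search(ua) for p in SUSPECT_USER_AGENTS):
            reasons.append(f"suspect user agent: {ua}")
        if event["ROWS_PROCESSED"] >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk export of {event['ROWS_PROCESSED']} rows via compromised app")
    return reasons


def hunt(text):
    """Return (timestamp, source_ip, reasons) for every flagged event, in log order."""
    flagged = []
    for event in parse_events(text):
        reasons = flag_event(event)
        if reasons:
            flagged.append((event["TIMESTAMP"], event["SOURCE_IP"], reasons))
    return flagged


def scan_for_secrets(record_text):
    """Return (pattern_name, match) pairs found in exported record text.

    This is the same search the actor ran on stolen data; a defender runs it on
    the objects the flagged queries touched to decide which credentials to rotate.
    """
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(record_text):
            hits.append((name, m.group(0)))
    return hits


# Constructed Case description of the kind that leaks credentials into a CRM.
SAMPLE_CASE_TEXT = (
    "Customer could not connect. Their key is AKIAIOSFODNN7EXAMPLE and the "
    "warehouse is acme-prod.snowflakecomputing.com; temp password = Summer2025!"
)

if __name__ == "__main__":
    for ts, ip, reasons in hunt(SAMPLE_LOG):
        print(ts, ip, "; ".join(reasons))
    for name, match in scan_for_secrets(SAMPLE_CASE_TEXT):
        print(f"rotate: {name} -> {match}")
```

The legitimate-looking Drift row (small result set, the integration's own user agent) is not flagged, which is the point: the hunt keys on behaviour the chatbot integration has no reason to exhibit, not on the connected app's mere presence.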
This resulted in operational disruptions due to revoked integrations, reputational damage, legal and compliance risks tied to exposed customer data and increased scrutiny of AI-powered SaaS tools.
Salesforce has disabled the Drift integrations, revoked active tokens and notified affected customers. Google reported that the Drift Email integration had also been used to access a small number of Google Workspace accounts and revoked those tokens; widely repeated claims that Google warned all 2.5 billion Gmail users were inaccurate, and Google said so publicly. The incident underscores the need for robust supply chain security and vigilant oversight of third-party integrations in an increasingly interconnected digital ecosystem.
The Willis Claims Advocacy team has already received a number of notices on this incident from clients and expects more. This incident underscores the risks organizations across a wide range of industries face when using third-party software applications. Incidents like this serve as a reminder to organizations to make sure they have adequate first- and third-party cyber coverages in place, including, but not limited to, coverage for privacy and security liability and data incident response expenses, which generally include the costs incurred to complete a forensic investigation, to hire a law firm to evaluate and execute notice obligations, to hire a public relations firm and to restore data that has been compromised.
If your organization utilizes the Salesloft Drift platform, but it is unclear whether sensitive data in your care, custody or control has been compromised by this incident, consult with your Willis claims advocate to determine whether proactively issuing a notice of circumstance to your cyber or other insurance carrier is the right course of action.
WTW hopes you found the general information provided here informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).