Salesloft Temporarily Disables Drift Following Mass Data Theft

Red Dog Security

07 Sep 2025 — 2 min read

Salesloft has announced that it will temporarily disable its AI chatbot Drift starting September 5, 2025, after a large-scale supply chain attack resulted in the mass theft of authentication tokens.

The Attack

Last week it was revealed that hackers had compromised the Salesloft sales automation platform and stole OAuth and refresh tokens from its Drift AI agent, which integrates with Salesforce (not affiliated with Salesloft).

According to Google, the attack lasted from August 8 to August 18, 2025, was widespread, and also impacted Google Workspace data.

Salesloft Drift is a platform for integrating the AI-powered Drift chatbot with Salesforce, allowing organizations to sync conversations, leads, and support tickets with their CRM. Drift also integrates with other services such as Slack, Pardot, and Google Workspace.

Company Response

Salesloft said disabling Drift will allow for a full analysis of the application and improvements to its security.

“The Drift chatbot on customer sites will be unavailable, and all Drift features, including Drift Fastlane and Drift Email, will be disabled during this time,” the company stated. No timeline has been given for the service’s return.

The company stressed that its top priority is ensuring the integrity of its systems and customer data. As part of its incident response, Salesloft is working with cybersecurity experts from Mandiant and Coalition.

Attribution and Impact

Google attributed the attack to a threat cluster tracked as UNC6395 (also known as GRUB1 by Cloudflare). Researchers estimate the compromise could have affected more than 700 organizations.

While initial reports suggested the leak only impacted Drift–Salesforce integrations, investigators later confirmed that any platform integrated with Drift was vulnerable. The method of initial access remains unknown.

Organizations Affected

Several major companies have already confirmed they were impacted by the attack, including:

Cybersecurity firms Zscaler, Proofpoint, and Palo Alto Networks
SaaS platforms Workiva, PagerDuty, and Exclaimer
Cloudflare and others

Kaspersky Lab Studies Hack Groups Attacking Russia

Kaspersky Lab specialists have conducted a technical analysis of the activity of 14 hacker groups that are actively targeting organizations in Russia, Belarus, and several other countries. Among them are hacktivist groups that appeared on the Russian threat landscape after 2022 and publicly identified themselves as “pro-Ukrainian.” Three Clusters of

Hacker Attack Disrupts Operations at Bridgestone

Japanese corporation Bridgestone—one of the world’s largest tire manufacturers—has reported a cyberattack that disrupted operations at several of its manufacturing plants in North America. Scope of the Attack The incident affected Bridgestone Americas (BSA), the company’s North American subsidiary. BSA operates 50 manufacturing plants with more

Apitor Technology Toys Transmitted Children's Geolocation Data to China

The U.S. Department of Justice (DOJ) has filed a lawsuit against toy manufacturer Apitor Technology, alleging that the company allowed a third party in China to collect children’s geolocation data without their knowledge or parental consent. Alleged COPPA Violations The lawsuit, filed by the DOJ after a referral

August Windows Updates May Hinder Application Installation

Microsoft has reported that the August 2025 Windows security updates may trigger unexpected User Account Control (UAC) prompts and cause issues with application installations. The bug affects users without administrator rights across all supported versions of Windows. Root Cause: Security Fix in Windows Installer The issue stems from a patch