
"Salesloft on Tuesday announced that it's taking Drift temporarily offline "in the very near future," as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. The company said its top priority is to ensure the integrity and security of its systems and customers' data, and that it's working with cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts."
"The development comes after Google Threat Intelligence Group (GTIG) and Mandiant disclosed what it said was a widespread data theft campaign that has leveraged stolen OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent to breach customers' Salesforce instances. "Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application," the company said last week."
Salesloft is taking Drift temporarily offline after a supply-chain attack spree led to the mass theft of authentication tokens tied to the Drift chatbot. The company said its top priority is the integrity and security of its systems and customers' data, and it has engaged Mandiant and Coalition for incident response. Google Threat Intelligence Group and Mandiant reported a data theft campaign that used stolen OAuth and refresh tokens associated with the Drift AI chat agent to breach customers' Salesforce instances. The activity ran from as early as August 8, 2025, through at least August 18, 2025, and is attributed to threat cluster UNC6395 (aka GRUB1), with over 700 organizations potentially impacted. Any platform integrated with Drift may be compromised; the initial access vector remains unknown.
Read at The Hacker News