The Salesforce Storm: UNC6395 Hijacks Salesloft Drift Integrations

  • Javier Conejo del Cerro
  • 15 Sept
  • 3 min read

What began as a stealth intrusion into a single SaaS provider escalated into one of the most impactful supply-chain breaches of 2025. UNC6395, a threat actor tracked by Google TAG and Mandiant, compromised Salesloft’s Drift AI chat agent, a tool embedded across thousands of enterprise Salesforce environments. The fallout reached some of the most prominent names in cybersecurity and technology—Cloudflare, Palo Alto Networks, Zscaler, PagerDuty, SpyCloud—exposing tokens, customer contact data, support cases, and even credentials. This campaign illustrates how one weak SaaS link can ripple across an entire ecosystem.

Phase 1: The Calm Before the Storm
Salesloft acquired Drift in 2024, pitching it as an AI-powered chat assistant tightly integrated with Salesforce. By mid-2025, Drift had become a popular fixture across industries, used to capture leads, handle support tickets, and enrich CRM data. But hidden within this convenience was a latent risk: any compromise of Drift’s integrations could cascade into its customers’ Salesforce instances. That risk turned into reality in August 2025, when attackers silently accessed Drift environments, laying the groundwork for large-scale data theft.

Phase 2: Cracks in the SaaS Supply Chain
The exact initial vector remains under investigation. Salesloft insisted that its core platform was not directly breached, but Google TAG and Mandiant confirmed Drift’s integrations with Salesforce (and potentially other SaaS tools) had been abused. Drift acted as the supply-chain entry point: once compromised, attackers could pivot into Salesforce environments of its customers. Even companies that had limited or legacy connections to Drift—like SpyCloud—discovered exposure. This ambiguity about “who was actually hit” added chaos to the early days of disclosure.

Phase 3: The Breach Unfolds
UNC6395 exploited Drift–Salesforce links to hijack authentication tokens and siphon sensitive data. The scope was broad:

  • Cloudflare found 104 API tokens in compromised data, alongside logs, passwords, and case content.

  • Zscaler lost extensive customer records: names, job titles, emails, phone numbers, licensing and commercial details, plus plain-text content from support cases.

  • Palo Alto Networks (Unit 42) confirmed exposure of business contact data, with a small set of credentials embedded in recent notes.

  • SpyCloud, despite no longer being an active Drift customer, reported Salesforce data exposure from past integrations.

  • PagerDuty was also listed among confirmed victims, though details remain sparse.

The stolen data ranged from business contact details to credentials, API tokens, and case metadata—assets that can fuel further intrusions or credential stuffing attacks.

Phase 4: Collateral Damage and Crisis Response
The breach did not affect every Drift customer, but the uncertainty forced hundreds of organizations to scramble. Each company had to audit Salesforce instances, rotate tokens, and assess support logs for sensitive data. Cloudflare issued an open apology, admitting that their reliance on third-party SaaS had let customers down. Zscaler’s CISO acknowledged that the intrusion came through their Salesforce integration with Drift, underscoring the risks of SaaS dependencies. Salesloft, for its part, announced Drift would be taken offline to rebuild trust and harden security, leaving customers without the chatbot they relied on.

Phase 5: The Larger SaaS Security Storm
This attack demonstrated how one compromised SaaS component can ripple across entire industries. Unlike isolated endpoint infections, SaaS compromises strike at the intersection of trust and scale. By embedding themselves into Salesforce, attackers gained access to valuable corporate and customer data without breaching the core infrastructure of targets like Cloudflare or Palo Alto Networks. The attribution to UNC6395 highlights the professionalization of threat actors: exploiting integrations, manipulating tokens, and exfiltrating sensitive datasets through indirect but devastating routes.

The Salesloft Drift breach is a textbook case of SaaS supply-chain fragility. Companies trusted an AI chat agent to augment sales and support, only to see it weaponized by UNC6395 to harvest tokens, credentials, and sensitive customer records. As organizations embrace interconnected platforms, the attack surface shifts from their own perimeter to the weakest SaaS provider in their stack. Protecting against such storms requires more than patching—it demands layered defenses: hardening OAuth and GitHub controls, enforcing strong authentication, auditing API usage, monitoring integrations for anomalies, and, above all, treating SaaS vendors as part of the extended security perimeter. The storm may pass, but its warning is clear: in the SaaS era, trust must be continuously verified.
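The response steps described in Phase 4 and the closing paragraph (auditing support logs for sensitive data, then rotating whatever is found) are the part of this story a defender can actually operationalize. The script below is an added example, not code from the original post or from Salesloft, Cloudflare, or any other company named here. It sweeps an export of support-case text for embedded credentials and tokens, reports redacted previews, and lists the cases whose secrets need rotation. The case records, token formats and the `PATTERNS` table are constructed for illustration; a real deployment would use the token formats of the vendors actually present in the tenant.

```python
"""
Secret sweep over exported support-case text (added example, constructed data).

Purpose: after a third-party integration with CRM read access is compromised,
any credential a customer or engineer pasted into a case must be treated as
exposed. This finds such values so they can be rotated, and redacts them so
the report itself does not become a second leak.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    preview: str  # redacted: only a short prefix of the matched value survives


# Illustrative patterns (assumption: these are the secret shapes worth catching
# in this tenant). Each pattern's first capture group, if any, is the secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{24,})"
    ),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?(\S{6,})"
    ),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so an analyst can recognise the value without seeing it."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_case(case_id: str, text: str) -> list[Finding]:
    """Run every pattern over one case body and return redacted findings."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            secret = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(case_id, kind, redact(secret)))
    return findings


def scan_export(cases: list[dict]) -> list[Finding]:
    """Scan a list of {"id": ..., "body": ...} records, e.g. a CRM case export."""
    findings = []
    for case in cases:
        findings.extend(scan_case(case["id"], case["body"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per secret type for a quick triage view."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


def cases_needing_rotation(findings: list[Finding]) -> list[str]:
    """Sorted, de-duplicated case ids whose embedded secrets must be rotated."""
    return sorted({finding.case_id for finding in findings})


# Constructed sample export. The AKIA value is AWS's documented placeholder key;
# every other value is made up for this example.
SAMPLE_CASES = [
    {"id": "CASE-0001",
     "body": "Customer cannot auth. They pasted: Authorization: Bearer "
             "eyJhbGciOiJIUzI1NiJ9.c29tZXRoaW5n.c2lnbmF0dXJl"},
    {"id": "CASE-0002",
     "body": "Shared creds for the staging box: password: Tr0ub4dor&3 "
             "and api_key=EXAMPLEKEY0123456789abcdefXYZ"},
    {"id": "CASE-0003",
     "body": "Question about chat widget placement, nothing sensitive here."},
    {"id": "CASE-0004",
     "body": "Log snippet: aws_access_key_id AKIAIOSFODNN7EXAMPLE ... please advise"},
]


if __name__ == "__main__":
    results = scan_export(SAMPLE_CASES)
    for finding in results:
        print(f"{finding.case_id}  {finding.kind:<20} {finding.preview}")
    print("by type:", summarize(results))
    print("rotate secrets referenced in:", cases_needing_rotation(results))
```

Run against a real export, the output is a rotation worklist rather than a copy of the secrets: the report carries only redacted previews, the case ids point the responder at the original records, and the per-type summary shows which kinds of credential (cloud keys, bearer tokens, pasted passwords) the support channel has been accumulating. Feeding the same scan into a pre-save hook on case creation turns a one-off incident audit into a standing control.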