🚨 Salesloft Supply Chain Breach: What Happened and Who’s Affected

Published: 2025-09-08 — Source: HiveTech Team

Author: Alex Matthews


🔍 What Happened?

In late August 2025, a sophisticated supply chain attack targeted Salesloft and Drift, compromising sensitive data across multiple high-profile organizations. The attackers exploited integrations with Salesforce, gaining unauthorized access to Salesforce instances used by Salesloft and Drift. Exfiltrated data included customer contact details, support ticket content, API tokens, configuration information, and potentially sensitive credentials such as passwords and access keys.

Cloudflare, one of the most prominent victims, reported that 104 API tokens were stolen. While no malicious activity has been detected using these tokens, Cloudflare proactively rotated them and notified affected customers on September 21.

🧠 Who’s Behind It?

The ShinyHunters extortion group is suspected to be involved. Known for aggressive tactics, they’ve previously targeted Salesforce customers using voice phishing (vishing) and malicious OAuth apps to steal databases. Victims of similar attacks include Google, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.). While Google has not confirmed a direct link between ShinyHunters and the Salesloft breach, the tactics bear striking similarities.

🛡️ What Was Targeted?

The attackers focused on text-based data within Salesforce support cases, including:

  • Subject lines and body text (which may contain secrets or credentials)
  • Company names, domains, and contact info
  • Keywords like “password,” “secret,” “key,” and “AWS access tokens”

Palo Alto Networks confirmed that attackers searched for cloud platform credentials, including Snowflake tokens, VPN strings, and SSO login details.

⚠️ What Should You Do?

  • Rotate all credentials shared via support tickets.
  • Audit Salesforce access logs for suspicious OAuth activity.
  • Educate employees on vishing and social engineering tactics.
  • Review third-party integrations for potential vulnerabilities.
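
One way to act on the first item above, as an added example (not code from HiveTech, Salesloft, or Salesforce): a Python scan over exported support-case text that flags the kinds of secrets the attackers searched for, so you know which credentials to rotate first. The case layout (`id`, `subject`, `body`), the sample cases, and the function names are assumptions constructed for illustration.

```python
import re

# Keyword followed by an assignment-like separator and a value, e.g. "password: abc".
# A bare keyword ("how do I reset my password?") is not treated as a finding.
KEYWORD_RE = re.compile(
    r"\b(password|passwd|secret|api[_ -]?key|access[_ -]?key|token)\b"
    r"\s*(?:is\b|[:=])\s*(\S+)", re.I)
# AWS access key IDs have a well-known shape: "AKIA" + 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Constructed sample cases (assumed export layout: id, subject, body).
SAMPLE_CASES = [
    {"id": "case-001", "subject": "Login failing",
     "body": "Our admin password: Hunter2!x still fails after reset."},
    {"id": "case-002", "subject": "S3 sync error",
     "body": "Using key AKIAIOSFODNN7EXAMPLE from the CI job."},
    {"id": "case-003", "subject": "Password reset question",
     "body": "How do I reset my password?"},
]

def mask(value):
    """Keep two characters so the owner can recognise the secret; hide the rest."""
    return value[:2] + "*" * (len(value) - 2)

def scan_case(case):
    """Return (case_id, field, kind, masked_value) tuples for one case."""
    findings = []
    for field in ("subject", "body"):
        text = case.get(field) or ""
        for m in AWS_KEY_ID_RE.finditer(text):
            findings.append((case["id"], field, "aws_access_key_id", mask(m.group(1))))
        for m in KEYWORD_RE.finditer(text):
            findings.append((case["id"], field, m.group(1).lower(), mask(m.group(2))))
    return findings

def cases_needing_rotation(cases):
    """Sorted ids of cases with at least one finding: the rotation worklist."""
    return sorted({f[0] for case in cases for f in scan_case(case)})

if __name__ == "__main__":
    for case in SAMPLE_CASES:
        for finding in scan_case(case):
            print(finding)
    print("rotate credentials referenced in:", cases_needing_rotation(SAMPLE_CASES))
```

Keyword matches such as "password is wrong" will still appear as findings, so treat the output as a review queue rather than a confirmed list of exposed secrets.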

🧩 Final Thoughts

This breach highlights the growing risk of supply chain attacks and the importance of securing customer support channels. As attackers become more sophisticated, businesses must stay vigilant and proactive in protecting sensitive data.

Need help?

If you want help reviewing your environment, assessing exposure, or implementing monitoring and mitigation measures, Hive Tech IT Consultation can assist.