Cyber Alert: Salesloft Drift Breach and Associated Supply Chain Attack

Kopiha Nathan

Attention HIROC Subscribers:

As your proactive partner in safety, HIROC is sharing the following important notice.

Please share this Alert with your Information Technology (IT) team, Information Security Management team, Chief Information Officer, Chief Technology Officer and as appropriate with your users, to raise awareness about a potential cyber threat and to address potential risks promptly.


The purpose of this Alert is to raise awareness about a recently reported high-profile cyber breach, its impact on multiple organizations and businesses, and its indirect impact associated with third-party risk management. HIROC recognizes that third-party risks and supply-chain attacks continue to be the source of significant threats to our Subscribers. We encourage you to take some time to assess your exposure.

HIROC has become aware of an incident with Salesloft Drift, an AI chat agent, which has resulted in information from multiple organizations being breached.

Salesloft Drift is a third-party chatbot that integrates with customer relationship management (CRM) technologies and other systems, including Salesforce, Slack, and Google Workspace. Authorization tokens used by Salesloft Drift to integrate with other information technology systems were compromised and used by cyber threat actors to breach systems and exfiltrate data. The types of data exfiltrated in the Salesloft Drift incident include customer contact information, regional/location details, product/license details, and customer support case requests, including plain text descriptions or entries. Support case details may contain sensitive data, depending on the level of detail captured in plain text.

Salesforce and Salesloft Drift customers globally have experienced data theft.

Of importance, several technology providers have publicly disclosed breaches resulting from this Salesloft Drift incident: 

  • Cloudflare: Internet security provider (e.g., DDoS protection)
  • Google Workspace: Cloud-based productivity and collaboration tools and technologies
  • Palo Alto: Cybersecurity firm that provides enterprise network security solutions
  • Proofpoint: Security technology provider (e.g., email spam filter, employee cyber training)
  • Nutanix: Information Technology platform that integrates infrastructure solutions
  • Tenable: Vulnerability identification and management provider
  • Zscaler: Zero Trust Exchange platform that helps protect against cyberattacks and data loss

If your organization uses the Salesloft Drift tool within any of your applications, including Salesforce, it is prudent to ensure the Salesloft Drift integration is disabled. Additionally, work with your information security team and relevant vendor(s) to identify potential data exfiltration. If your information has been breached, please contact HIROC via the contact information provided below.

HIROC Recommends the Following for our Subscribers
 

  • Review the Google Threat Intelligence Report (Widespread Data Theft Targets Salesforce Instance via Salesloft Drift) – Mitigate risks as required.
  • Assess vendor impact – Determine whether any of your critical vendors are impacted by the Salesforce or Salesloft Drift breach. Your critical vendors may hold support tickets from your organization, and those tickets may contain sensitive information. If your support tickets were exposed to a cyber threat actor, you will need to assess and determine your exposure.
  • Educate your team – Ensure that team members who work with external vendors understand the risks of sharing sensitive information with third-party vendors via service tickets. Passwords, tokens, or any other credential-related data should never be shared through service tickets.
  • Rotate credentials regularly – As a precautionary measure, rotate credentials for all third-party accounts on a regular basis. Given the increasing frequency of data breaches, rotating and refreshing third-party tokens and credentials frequently helps protect your technology ecosystem.
  • Enforce inbound Internet Protocol restrictions – Where possible, implement geo blocking, Internet Protocol restrictions and device level authentication to prevent breaches. It was reported by Okta that enforcement of inbound Internet Protocol restrictions prevented threat actors from using Salesloft Drift to access its environment.
  • Never be uncertain alone – Always confirm directions with trusted sources.  
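
To support the "Assess vendor impact" and "Educate your team" recommendations above, the following added example (not part of the original Alert and not HIROC's own tooling) scans the free text of exported support tickets for credential-like strings and reports redacted findings. The pattern list, function names and sample tickets are assumptions made for illustration; the AWS key shown is the placeholder value from AWS documentation.

```python
import re

# Patterns for common credential formats. This list is an assumption of the
# example, not taken from the Alert; extend it with formats your vendors issue.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*(?:is|[:=])\s*(\S{6,})"),
}

def redact(value, keep=4):
    """Keep only the first characters so the report does not re-leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_ticket(ticket_id, text):
    """Return one finding per credential-like match in a ticket's free text."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({
                "ticket": ticket_id,
                "type": name,
                "line": text.count("\n", 0, m.start()) + 1,  # 1-based line number
                "evidence": redact(m.group(0)),
            })
    return findings

def scan_export(tickets):
    """tickets: iterable of (ticket_id, text). Returns findings sorted for triage."""
    results = [f for tid, text in tickets for f in scan_ticket(tid, text)]
    return sorted(results, key=lambda f: (f["ticket"], f["line"], f["type"]))

# Constructed sample tickets (not real data).
SAMPLE_TICKETS = [
    ("CASE-1001", "Login fails after upgrade.\nOur service account password: Winter2025!x\nPlease advise."),
    ("CASE-1002", "Sync job returns 403 when using key AKIAIOSFODNN7EXAMPLE in region ca-central-1."),
    ("CASE-1003", "Dashboard loads slowly on Mondays. No errors in the console."),
]

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_TICKETS):
        print(finding)
```

Any credential a scan like this finds in a ticket held by an affected vendor should be treated as exposed and rotated, in line with the credential rotation recommendation.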

We are here for you!

In the event of a cyber loss, please contact Gareth Lewis, Vice President, Claims at [email protected] (416-471-4796), or HIROC’s Claims Department at [email protected].

For Healthcare Safety and Risk Management resources and advice, please contact us at [email protected].

If you have any questions about this Alert, please contact Kopiha Nathan, HIROC’s Privacy and Compliance Officer at [email protected] (416-730-3039).

Thank you for your vigilance and attention to this matter.

Additional Resources