The Salesloft Breach: What Salesforce Customers Need to Know
When security headlines mention Salesforce, it’s easy to assume that Salesforce itself has been hacked. In the case of the recent Salesloft breach, however, that isn’t the story. Salesforce was not compromised. Instead, the issue came from a third-party integration, Salesloft, that many Salesforce customers rely on for sales engagement.
What Happened?
Salesloft, through its “Drift” application connected to Salesforce, experienced a security breach that exposed authentication tokens. These tokens are essentially digital keys that allow systems to talk to each other without constantly asking users to log in again.
Unfortunately, once attackers obtained those tokens, they weren't limited to Salesforce data, although Salesforce data alone can be quite lucrative. The stolen tokens could also be used to authenticate into entirely different systems where Salesloft integrations were active, such as Google Workspace. In practical terms, this means attackers could potentially gain access to customer records, email, or other sensitive business data depending on how an organization had configured its Salesloft connections.
Why This Matters
Even though Salesforce itself was not breached, any Salesforce customer that used Salesloft integrations may have had sensitive data exposed. That includes customer records and other information that attackers could access using the stolen tokens. For many organizations, this may trigger regulatory or contractual obligations to notify customers and possibly regulators.
This incident underscores a critical reality: third-party applications can introduce serious risk, even when your core platform remains secure. Large enterprises often have dedicated vendor risk teams, but small and medium-sized businesses (SMBs) frequently struggle with the time, staff, and budget to manage third-party risk effectively. Unfortunately, SMBs are just as exposed, and in some cases, more vulnerable, because of limited resources.
The Bigger Lesson: Vendor and Third-Party Risk Management
This is a textbook example of why vendor and third-party risk management must be a priority for every organization, regardless of size. Integrations make businesses more efficient, but they also expand the attack surface. A security lapse at one vendor can cascade into your environment and ultimately impact your customers.
For SMBs especially, this means:
- Understanding what third-party apps are connected to core platforms like Salesforce, AWS, Azure, etc.
- Regularly reviewing and limiting what data vendors can access.
- Having an incident response plan that accounts for third-party breaches.
Cybersecurity is no longer just about protecting your own systems; it's also about the company you keep.
Important Note
The vendors listed below have disclosed their own impacts from the Salesloft Drift breach. This does not mean that simply using these vendors puts you at risk. The critical factor is whether your organization used Salesforce together with the Salesloft integration. If so, you may have obligations to assess exposure and notify customers. The reason for highlighting these disclosures is to underscore that no company is too large to be affected by third-party risk, which is why vendor risk management is essential.
References and Further Reading:
Salesforce Status Update (8/26/2025)
Rubrik on Third-Party Incident Response (8/26/2025)
Google Threat Intelligence Blog (8/26/2025)
HackerOne Incident Update (8/28/2025)
Tanium on Salesloft Breach (8/28/2025)
JFrog Analysis (8/29/2025)
PagerDuty Customer Update (8/29/2025)
Zscaler Response (8/30/2025)
Cloudflare Incident Response (8/29/2025)
Palo Alto Networks Response (8/29/2025)
SpyCloud Notification (8/29/2025)
Nutanix Incident Response (8/30/2025)
Vendor Impact Summary
Vendor | Disclosed Impact |
---|---|
Salesforce | Core platform not breached; issue tied to third-party Salesloft Drift integration. |
Rubrik | Acknowledged exposure via Salesforce connection; incident response underway. |
Google | Reported tokens could allow access beyond Salesforce (e.g., Google Workspace). |
HackerOne | Confirmed exposure, published update with mitigations. |
Tanium | Salesforce instance impacted; rotated tokens and notified affected customers. |
JFrog | Published security advisory and impact analysis. |
PagerDuty | Some Salesforce data exposed, no platform impact. |
Zscaler | Unauthorized access to Salesforce CRM data confirmed. |
Cloudflare | Salesforce support case data accessed; tokens revoked. |
Palo Alto Networks | Salesforce CRM contact and support records exposed; core services unaffected. |
SpyCloud | Limited Salesforce CRM fields exposed. |
Nutanix | Disclosed impact via Salesloft Drift; remediation and customer communication ongoing. |