Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances

Unit 42 has observed activity consistent with a specific threat actor campaign leveraging the Salesloft Drift integration to compromise customer Salesforce instances. This brief provides information about our observations and guidance for potentially affected organizations.

As detailed in a recent notification from Salesloft, from August 8-18, 2025, a threat actor utilized compromised OAuth credentials to exfiltrate data from affected customers’ Salesforce environments.

https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/