Salesforce Re-Enables Salesloft Integrations (Except Drift) Following Hacks


Salesforce has re-enabled integrations with Salesloft technologies, apart from Drift, after the application was targeted in a hacking campaign.

On August 28, Salesforce announced that it had disabled the connection to Salesloft’s Drift app in response to a “recent security incident” – referring to the data theft attack which saw hackers target Salesforce instances through compromised OAuth tokens associated with Salesloft Drift.

In an update later that day, Salesforce said that they had disabled all integrations with Salesloft technologies, meaning organizations would not be able to connect to Salesforce via any Salesloft apps “until further notice”.

Now, in a more recent update posted on September 7, Salesforce said that they had re-enabled integrations with Salesloft technologies, “with the exception of any Drift app”.

The update explained: “Drift will remain disabled until further notice as part of our continued response to the security incident. This decision follows security measures and remediation steps implemented by Salesloft, which were independently validated by Mandiant.”

Salesloft said in a post on September 7 that an investigation carried out by cyber defense specialists Mandiant suggests that “the incident has been contained”.

Salesloft Hacks Explained

In this hacking incident, Salesforce customers were targeted through the third-party application, Salesloft Drift.

Google Threat Intelligence Group (GTIG) said that the widespread data theft campaign started as early as August 8 and ran until at least August 18, carried out by the actor tracked as ‘UNC6395’. This is a different designation than that given to the ‘ShinyHunters’ group, which is said to be responsible for several recent social engineering attacks.

In this case, hackers targeted Salesforce instances through compromised OAuth tokens associated with Salesloft Drift.

Salesloft had initially indicated that customers who do not integrate with Salesforce were not impacted by the campaign.

But GTIG revealed that the scope of the Drift hack was worse than previously thought: new information showed that the compromise was not exclusive to the Salesforce integration with Salesloft Drift, and that OAuth tokens for the “Drift Email” integration were also compromised.

Salesforce disabled all integrations between Salesforce and Salesloft technologies, including the Drift app, and GTIG advised all Salesloft Drift customers to treat “any and all” authentication tokens stored in or connected to the Drift platform as potentially compromised.

In an update posted on September 2, Salesloft said that Drift would be taken down “temporarily” in order to boost its security.

On September 7, Salesforce said it had re-enabled integrations with Salesloft technologies, apart from any Drift app, explaining that Drift would stay disabled “until further notice”.

Salesloft retained Mandiant to investigate the compromise of the Drift platform and its technology integrations.

On September 7, Salesloft posted an update revealing what Mandiant’s investigation had found about the incident. The post reads: “In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.

“The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments.

“The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.

“The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.

“The threat actor used the stolen OAuth tokens to access data via Drift integrations.”

Salesloft says that, as part of a comprehensive response, they performed containment and eradication activities, validated by Mandiant, in the Drift and Salesloft application environments.

This includes, but is not limited to:

  • Isolating and containing the Drift infrastructure, application, and code.
  • Taking the Drift Application offline.
  • Rotating impacted credentials.
  • Rotating credentials in the Salesloft environment.
  • Performing proactive threat hunting of the environment and noting “no additional Indicators of Compromise” (IOCs) found.
  • Rapidly hardening the Salesloft environment against the known methods used by the threat actor during the attack.
  • Threat hunting based on Mandiant Intelligence across Salesloft infrastructure and technologies, including IOC analysis; analysis of events associated with at-risk credentials based on threat actor activity; and analysis of events associated with activity that would permit the threat actor to circumvent Salesloft security controls.

Mandiant verified the technical segmentation between Salesloft and Drift applications and infrastructure environments, Salesloft said.

“Based on the Mandiant investigation, the findings support the incident has been contained,” Salesloft said. “The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review.”

Final Thoughts

Security is often at the back of our minds, but recent news about data theft incidents should be evidence enough that preventing disaster should be a key concern for Salesforce professionals.

Salesforce has previously stressed that the issue in this case did not stem from a vulnerability within the core Salesforce platform.
