Popular marketing chatbot abused by hackers to breach Google, Cloudflare taken offline


Amid a wave of significant data breach disclosures from some of the world’s largest firms, Salesloft has announced that it’s pulling its Drift AI chatbot service offline. Hackers abused compromised Drift access tokens to infiltrate Salesforce instances.

Cloudflare, Zscaler, Palo Alto Networks, Google, and hundreds of other major companies have recently announced data breaches resulting from the compromised Salesforce instances.

The supply chain attacks stem from Salesloft Drift, a popular AI-powered marketing chatbot that companies use to engage customers. Hackers abused its integrations with Salesforce and other platforms to access sensitive customer data.

Salesloft announced that it has taken Drift temporarily offline.

“As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible,” the company said.

“This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality.”

The company also said it is working with cybersecurity partners from Mandiant and Coalition to resolve the issues as quickly as possible and to ensure the integrity and security of its systems and customers’ data.

“Thank you for your continued patience and understanding.”

Due to the ongoing investigations, Salesforce has also paused integration with Salesloft, despite the firm claiming that there are no indications of malicious activity associated with the Salesloft platform.

An alliance of three hacking groups, which feels “invincible” despite multiple arrests in the past, has claimed responsibility for the cyberattacks. However, security researchers have yet to independently verify this. Google’s Threat Intelligence Group has attributed the attacks to the threat actor tracked as UNC6395. UNC stands for uncategorized.

Google warns Drift customers to treat all authentication tokens stored in or connected to the platform as potentially compromised.

Cloudflare believes the incidents are not isolated and that the attackers intended to harvest credentials and customer data for future attacks.

“Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations,” Cloudflare warns.

The widespread data theft campaign from Salesforce instances began on August 8th and continued through at least August 18th, 2025. Before this, hackers also breached many Salesforce instances using voice phishing, tricking employees into installing malicious connected apps.