Salesloft has announced that it will temporarily take Drift offline after a large-scale cyberattack led to the theft of OAuth tokens from hundreds of organizations. The decision, revealed on Tuesday, comes after reports confirmed that attackers had compromised Drift’s systems, affecting many companies that rely on its chatbot and integration services.
Why Drift Is Going Offline
According to Salesloft, pausing Drift operations will allow its team to thoroughly review the application, strengthen its security framework, and ensure that customers’ data remains safe. This means that Drift chatbots on customer websites will no longer be visible, and the Drift platform itself will not be available during this downtime.
The company emphasized that safeguarding its systems and client data is its top priority. To support its response efforts, Salesloft has partnered with Mandiant and Coalition, two leading cybersecurity firms, to conduct a comprehensive investigation.
How the Attack Unfolded
The breach was first uncovered by Google Threat Intelligence Group (GTIG) and Mandiant, who disclosed that malicious actors had stolen OAuth and refresh tokens linked to Drift’s artificial intelligence chatbot. These tokens were then exploited to infiltrate Salesforce instances belonging to multiple customers.
The campaign began on August 8, 2025, and continued until at least August 18, 2025. During this period, attackers leveraged compromised tokens tied to the Salesloft Drift application to access Salesforce environments.
Cybersecurity researchers have attributed this attack to UNC6395 (also known as GRUB1). Google later confirmed to The Hacker News that over 700 organizations may have been affected.
Impact Beyond Salesforce
At first, it was believed that the incident was confined to Salesforce integrations. However, further analysis revealed that any platform integrated with Drift could be at risk. The exact method used by attackers to gain access to Drift remains unclear at this time.
In response, Salesforce has proactively disabled all Salesloft integrations with its platform as a precautionary measure.
Affected Organizations
Several well-known businesses have confirmed being directly impacted, including:
Cloudflare noted that this was not a one-off incident. Instead, it suggested that attackers likely harvested credentials and customer information for future targeted attacks. With hundreds of organizations caught in the breach, experts expect further malicious activity against compromised entities.
The Bigger Picture
The Salesloft Drift OAuth token theft highlights the growing risks associated with third-party software integrations. As businesses increasingly rely on cloud-based tools, attackers continue to exploit authentication mechanisms such as OAuth to gain access to sensitive systems.
Organizations are now urged to review their security configurations, rotate potentially exposed credentials, and monitor for unusual login attempts. Until Drift returns with enhanced safeguards, this incident serves as a major reminder of the importance of zero-trust principles and strict access controls.
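As an added illustration of the review step above (not code from Salesloft, Salesforce or the investigators), the following script triages an exported log of integration access events against the campaign dates reported in this article and lists which Drift-linked tokens to rotate first. The CSV column names, token IDs and log rows are constructed for the example and do not reflect any vendor's log schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Campaign window from the article (Aug 8 to at least Aug 18, 2025); UTC is assumed.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive, covers all of Aug 18

# Constructed sample export; columns and values are hypothetical.
SAMPLE_LOG = """timestamp,integration,token_id,source_ip,action
2025-08-05T10:02:11Z,Drift,tok-a1,198.51.100.7,query
2025-08-09T03:14:52Z,Drift,tok-a1,203.0.113.40,bulk_export
2025-08-12T22:40:03Z,Drift,tok-b2,203.0.113.41,query
2025-08-12T09:00:00Z,OtherApp,tok-c3,198.51.100.9,query
2025-08-21T01:30:00Z,Drift,tok-b2,203.0.113.41,bulk_export
2025-08-25T07:45:00Z,drift,tok-d4,198.51.100.7,query
"""

def parse_ts(value):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(log_text, integration="Drift"):
    """Group the integration's events by token and assign a rotation priority."""
    findings = defaultdict(lambda: {"priority": "review", "events": 0, "ips": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["integration"].strip().lower() != integration.lower():
            continue
        ts = parse_ts(row["timestamp"])
        if ts < WINDOW_START:
            continue  # predates the reported campaign
        entry = findings[row["token_id"]]
        entry["events"] += 1
        entry["ips"].add(row["source_ip"])
        # Use inside the window is top priority; later use stays in the report
        # because Aug 18 is only a lower bound on when the activity ended.
        if ts < WINDOW_END:
            entry["priority"] = "rotate-now"
    return dict(findings)

if __name__ == "__main__":
    for token, info in sorted(triage(SAMPLE_LOG).items()):
        print(token, info["priority"], info["events"], sorted(info["ips"]))
```

A token that does not appear in the output is not thereby cleared; the script only orders the rotation work for tokens the log shows in use.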


