Beginning in July 2025, several high-profile companies reported breaches of their Salesforce CRM (Customer Relationship Management) systems, in which attackers exploited unknown methods to gain access, log into the platforms, and exfiltrate database contents.
Among those affected were two major technology firms—Cloudflare and Google—whose CRM databases were also compromised. Fortunately, the volume of exposed data from these companies was relatively limited.
At first, investigators suspected that the breaches were the result of social engineering or phishing campaigns aimed at tricking employees into granting CRM access. However, the true cause has since come to light: the American marketing firm Salesloft had itself been infiltrated by hackers.
Based in Georgia, Salesloft operates a platform called Salesloft Drift, which provides customers with tools for management and marketing, and integrates directly with Salesforce CRM via APIs. The breaches at Google and Cloudflare ultimately stemmed from attackers exploiting vulnerabilities in this Drift platform to obtain Salesforce access.
On September 7, 2025, Salesloft issued a security update revealing that hackers had been targeting its GitHub repositories from as early as March through June of that year, and had succeeded in gaining access. Once inside, the attackers were able to download repository data, create new users, and even establish automated workflows. During this period, they also leveraged Salesloft and Drift infrastructure for reconnaissance to identify and extract more valuable information.
Eventually, the attackers compromised the AWS environment used by Salesloft Drift, gaining OAuth credentials belonging to customers such as Cloudflare and Google. These tokens allowed them to siphon off data that had been consolidated through the Drift platform.
Although Salesloft moved to contain the breach—isolating systems and rotating exposed credentials—the discovery came too late. By then, the attackers had already used the stolen tokens to access sensitive data across numerous enterprises.
According to an investigation by Nudge Security, the current estimate is that at least 750 Salesloft customers were compromised. Many organizations, however, may still be unaware of the theft—likely to discover the truth only when extortion emails begin arriving from the attackers.