What Happened
A widespread supply chain attack targeting Salesloft Drift has compromised data across hundreds of organizations, including major cybersecurity vendors such as Palo Alto Networks, Zscaler, and Cloudflare.
The threat actor, tracked as UNC6395, stole OAuth tokens from Drift’s Salesforce integrations between August 8 and August 18. These tokens allowed attackers to access Salesforce environments and exfiltrate data, including business contact information, sales account records, product licensing details, and in some cases, customer support case content. Cloudflare reported that API tokens and credentials shared in support tickets were among the compromised data.
Salesforce has since disabled all Salesloft Drift integrations, and Salesloft announced that the Drift platform will be taken offline while resiliency and security measures are rebuilt. Despite rapid containment, the campaign showed how fast a compromise of one SaaS platform can cascade across hundreds of organizations.
Indicators of Compromise (IOCs)
Cloudflare, among other victims, shared the following IOCs to aid detection and response efforts:
- Malicious User-Agent Signatures:
  - Salesforce-Multi-Org-Fetcher/1.0
  - Salesforce-CLI/1.0
  - python-requests/2.32.4
  - Python/3.11 aiohttp/3.12.15
  - TruffleHog
These patterns should be queried within Salesforce logs, connected application logs, and identity provider (IdP) logs to identify potential exposure or abuse.
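As an added example (not from the advisory, Cloudflare, or Salesloft), the following Python script runs the user-agent signatures above over constructed Salesforce-style event log rows and returns the matching records; the EventLogFile column names, the sample rows, and the 203.0.113.7 placeholder address are assumptions of this example.

```python
import csv
import io
from typing import Optional

# User-Agent signatures listed in the advisory above.
MALICIOUS_USER_AGENTS = (
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "TruffleHog",
)

def classify_user_agent(ua: str) -> Optional[str]:
    """Exact match first, then case-insensitive substring match, since
    tooling often appends version or platform tokens to its base UA."""
    ua = ua.strip()
    if ua in MALICIOUS_USER_AGENTS:
        return "ua-exact"
    for sig in MALICIOUS_USER_AGENTS:
        if sig.lower() in ua.lower():
            return "ua-contains:" + sig
    return None

def scan_event_log(csv_text: str, suspicious_ips: frozenset = frozenset()) -> list:
    """Return (timestamp, user_id, client_ip, reason) for each row whose
    USER_AGENT or CLIENT_IP matches an indicator. Column names follow the
    Salesforce EventLogFile CSV convention (an assumption of this example)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify_user_agent(row.get("USER_AGENT", ""))
        if reason is None and row.get("CLIENT_IP", "") in suspicious_ips:
            reason = "ip-match"
        if reason is not None:
            hits.append((row["TIMESTAMP"], row["USER_ID"], row["CLIENT_IP"], reason))
    return hits

# Constructed sample rows; 203.0.113.7 is a documentation-range placeholder, not a real IOC.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT
API,20250812120000.000,005A1,198.51.100.4,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
API,20250812120105.000,005B2,198.51.100.9,Salesforce-Multi-Org-Fetcher/1.0
API,20250812120210.000,005B2,198.51.100.9,python-requests/2.32.4
Login,20250812120300.000,005C3,198.51.100.4,trufflehog/3.88.0 (secret scanner)
API,20250812120400.000,005D4,203.0.113.7,Mozilla/5.0 (Macintosh)
"""

if __name__ == "__main__":
    for hit in scan_event_log(SAMPLE_LOG, frozenset({"203.0.113.7"})):
        print(hit)
```

Generic signatures such as python-requests/2.32.4 also appear in legitimate automation, so treat a user-agent hit as a lead to corroborate against the source IP, the connected app, and the volume of records queried rather than as confirmation on its own.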
Why It Matters
Supply chain compromises have become a recurring theme in today’s interconnected enterprise environment. Even vendors dedicated to security found themselves at risk through integrations that extended their attack surface. By abusing OAuth tokens and Salesforce APIs, attackers were able to access data that could be used for highly targeted phishing, smishing, and impersonation campaigns.
Incidents like this show why organizations cannot rely solely on vendor assurances. Regular penetration testing can uncover weak integration points and help simulate how attackers might abuse connected applications. Vulnerability scanning programs provide ongoing checks for misconfigurations, insecure tokens, and unmonitored API endpoints. Managed SIEM services further strengthen defenses by detecting suspicious authentication activity and anomalous data queries across SaaS platforms.
In the aftermath of this attack, impacted organizations are being urged to rotate credentials, revoke unused OAuth tokens, and conduct thorough audits of Salesforce login histories, API access logs, and event monitoring data. These are standard best practices, but many companies do not have the internal resources to carry them out consistently. Partnering with a security provider for incident response and log review can make the difference between quickly detecting token misuse and letting an attacker operate undetected for weeks.
Takeaway
The Salesloft Drift incident reinforces a hard truth: SaaS platforms and third-party integrations are prime attack vectors. Threat actors understand that a single weak link in the supply chain can open doors to hundreds of organizations. By combining stolen tokens with social engineering, they increase the likelihood of success, using legitimate data to craft convincing lures.
Organizations need to adopt a zero trust mindset toward their SaaS ecosystem. Continuous assessment of vendor risk, proactive testing of integrations, and strong monitoring of authentication events are no longer optional. This is not just about one CRM tool being compromised; it is about recognizing that every connection expands the attack surface.