PRESS RELEASE

Salesloft Drift Incident: SpyCloud’s Response

At SpyCloud, we believe security starts with visibility into what criminals know about individuals and businesses. Our mission is to provide proactive identity threat protection, and we’re committed to keeping you informed about emerging risks and criminal activities that could impact your people and organization.

What Happened?

We were notified of a security incident involving a third-party application that potentially resulted in unauthorized access to data from Salesforce, our customer relationship management system.

As reported by Google’s threat intelligence team, an actor allegedly targeted Salesforce customer instances through compromised authentication tokens (OAuth) associated with the Salesloft Drift application. Drift was acquired by Salesloft in 2024. SpyCloud was previously a customer of Salesloft & Drift.

Immediately upon learning of the potential unauthorized access, we terminated the token access to our systems and began a full investigation of the incident internally.

No SpyCloud darknet data or systems related to our products were accessed through this Salesloft Drift incident.

Current Status

We are currently assessing the scope of impact as it relates to our Salesforce instance. At this time, the elements we believe were accessed are standard customer relationship management fields in Salesforce. Consumer data is not believed to have been accessed.

We notified our customers last week that data relating to their relationship with SpyCloud was exposed through this Salesloft Drift incident.

Access via the OAuth token that connected Salesloft Drift to Salesforce was disconnected immediately. We reviewed all systems and cloud based tools for any aspects of SalesLoft or Drift applications or integrations, and all integrations with Salesloft / Drift were deactivated. No further actor behavior has been identified. We are taking active measures to ensure our environment is secured.

Working with other security researchers, we believe hundreds of other Salesloft customers have been impacted.

We have not yet found evidence that the data exposed has been misused, but we continue to monitor and will provide updates if that changes.

What You Can Do

  • Be cautious of unusual communications related to your relationship with SpyCloud – for example, emails requesting or specifying payment terms.
  • If you are concerned about a communication from SpyCloud, contact security@spycloud.com or your customer success manager.



Additional information about the incident is available via:

Recent Posts

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

NEW: SpyCloud Investigations with AI Insights. Get finished intel in seconds

X