Salesloft Drift Breach: What Happened and How Does It Affect Me? | UpGuard

A Mandiant-validated investigation into a 2025 Salesloft/Drift supply-chain compromise found an attacker accessed Salesloft GitHub repos, added persistent access, pivoted into the Drift application AWS environment, stole OAuth tokens for Drift integrations, and used those tokens to access and exfiltrate data from many organizations' Salesforce instances; the Drift environment was contained, credentials rotated, the Salesforce integration restored after reconciliation, and UpGuard published detection guidance, IOCs, and mitigation recommendations.