The Saga Continues: More Dirt on the Salesforce–Drift Breach

Author
Chatcyberside
Published
Tue 16 Sep 2025
Episode Link
https://www.chatcyberside.com/e/massive-drift-salesforce-breach-one-compromised-github-account-sparks-a-700-company-fallout/

When we first covered the Salesforce–Drift breach, we knew it was bad. Now it’s clear the impact is even bigger. Hundreds of organizations — including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, Rubrik, and even financial firms like Wealthsimple — have confirmed they were affected. The root cause? A compromised GitHub account that opened the door to Drift’s AWS environment and gave attackers access to Salesforce and other cloud integrations.

In Part 2, Sherri Davidoff and Matt Durrin dig into the latest updates: what’s new in the investigation, why more victim disclosures are coming, and how the GitHub compromise ties into a wider trend of supply chain attacks like GhostAction. They also share practical advice for what to do if you’ve been impacted by Drift — or if you want to prepare for the next third-party SaaS compromise.


Tips for SaaS Incident Response:

  1. Treat this as an incident: don’t wait for vendor confirmation before acting. Vendor disclosure often lags the actual compromise, so act quickly.

  2. Notify your cyber insurance provider:

    • Provide notice as soon as possible.

    • Insurers may share early IOCs, coordinate with vendors, and advocate for your org alongside other affected clients.

    • They can also connect you with funded IR and legal resources.

  3. Engage external support:

    • Bring in your IR firm to investigate and document.

    • Work with legal counsel to determine whether notification obligations are triggered.

  4. Revoke and rotate credentials:

    • Cycle API keys, OAuth tokens, and active sessions.

    • Rotate credentials for connected service accounts.

  5. Inventory your data:

    • Identify what sensitive Salesforce (or other SaaS) data is stored.

    • Check whether support tickets, logs, or credentials were included.

  6. Search for attacker activity:

    • Review advisories for malicious IPs, user agents, and behaviors.

    • Don’t rely solely on vendor-published IOCs — they may be incomplete.



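As an added example (not from the episode, and not Drift’s or Salesforce’s own code), here is a small Python triage of a Salesforce login-history export that applies steps 4 and 6 together: it flags rows matching vendor-published IOCs, then separately flags logins by the integration’s connected app from outside its historical baseline, so activity the published IOC list misses still surfaces. Column names, sample rows, IOC addresses and baseline networks are all constructed assumptions, not the real schema or real indicators.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of a login-history CSV export.
# Field names are assumptions for this example, not Salesforce's real schema.
SAMPLE_LOGINS = """login_time,username,application,source_ip,login_type,status
2025-08-09T02:14:00Z,integration@example.com,Drift,203.0.113.45,Remote Access 2.0,Success
2025-08-09T02:15:30Z,integration@example.com,Drift,198.51.100.7,Remote Access 2.0,Success
2025-08-10T14:00:00Z,alice@example.com,Browser,192.0.2.10,Application,Success
2025-08-11T03:40:10Z,integration@example.com,Drift,192.0.2.200,Remote Access 2.0,Success
"""

# Vendor-published IOCs (constructed placeholder addresses). Treat the list as incomplete.
PUBLISHED_IOC_IPS = {"203.0.113.45"}

# Baseline: networks the connected app has historically logged in from (constructed).
VENDOR_BASELINE_NETS = [ip_network("192.0.2.0/24")]


def triage_logins(csv_text, ioc_ips, baseline_nets, app_name="Drift"):
    """Return (ioc_hits, anomalies).

    ioc_hits:  rows whose source IP is on the published IOC list.
    anomalies: rows where the named connected app logged in from an address
               outside its historical baseline, even though no IOC matched.
    """
    ioc_hits, anomalies = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["source_ip"] in ioc_ips:
            ioc_hits.append(row)
            continue
        addr = ip_address(row["source_ip"])
        if row["application"] == app_name and not any(addr in net for net in baseline_nets):
            anomalies.append(row)
    return ioc_hits, anomalies


def accounts_to_rotate(ioc_hits, anomalies):
    """Usernames whose sessions, OAuth tokens and keys should be revoked and rotated (step 4)."""
    return {row["username"] for row in ioc_hits + anomalies}


if __name__ == "__main__":
    hits, anoms = triage_logins(SAMPLE_LOGINS, PUBLISHED_IOC_IPS, VENDOR_BASELINE_NETS)
    for row in hits:
        print("IOC hit:      ", row["login_time"], row["username"], row["source_ip"])
    for row in anoms:
        print("Baseline miss:", row["login_time"], row["username"], row["source_ip"])
    print("Rotate credentials for:", sorted(accounts_to_rotate(hits, anoms)))
```

On the constructed data the second row is caught only by the baseline check, which is the point of not stopping at the published IOC list.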
#salesforcehack #salesforce #SalesforceDrift #cybersecurity #cyberattack #databreaches #datasecurity #infosec #informationsecurity