
Ongoing Security Response to Third-Party App Incident

Publish Date: Sep 7, 2025
Description

Update 2: Sunday, 7 Sept 2025 5:30 p.m. UTC

Salesforce has re-enabled integrations with Salesloft technologies, with the exception of any Drift app. Drift will remain disabled until further notice as part of our continued response to the security incident. This decision follows security measures and remediation steps implemented by Salesloft, which were independently validated by Mandiant.

 

For Salesloft's latest investigation and remediation updates, see the latest here.

 

*****

Update 1: Thursday, 28 Aug 2025 7:23 p.m. UTC

 

Salesforce has disabled all integrations between Salesforce and Salesloft technologies, including the Drift app. As a result, organizations will not be able to connect to Salesforce via any Salesloft apps until further notice. Our teams are continuing to assess the situation, and we will provide further updates as appropriate. 

 

*****


At Salesforce, we understand that the confidentiality, integrity, and availability of your data is vital to your business, and we take the protection of your data very seriously. We want to inform our customers about a recent security incident involving the Drift app, published by Salesloft, that was installed by individual customers. Salesforce security teams detected unusual activity that may have resulted in unauthorized access to a small number of customers’ org data via the app's connection to Salesforce.

 

It is important to note that this issue did not stem from a vulnerability within the core Salesforce platform, but rather from a compromise of the Drift app's connection.

 

Upon detecting the activity, Salesloft, in collaboration with Salesforce, invalidated active Access and Refresh Tokens, and removed Drift from AppExchange. We then notified affected customers. On August 28, 2025, at 04:09 a.m. UTC, Salesforce disabled the connection between the Drift application and Salesforce. Customers will not be able to connect the Drift application until further notice.

 

To ensure the security of your Salesforce environment, it is crucial to regularly rotate the tokens for all connected applications. This practice helps protect your data by minimizing the risk of unauthorized access. We recommend setting up a routine schedule for token rotation to maintain the integrity and security of your integrations.

 

As our continuous threat monitoring progresses, we are committed to keeping you informed with the latest updates. 

 

Moving forward, all new updates and resources to assist our customers will be shared via this help article. Your security is our top priority, and we appreciate your understanding and cooperation during this time.

 


Knowledge Article Number

005134951

 