HackerOne Data Breach via Salesforce-Drift Integration: Technical Breakdown 2025

Sep 11, 2025

Technical Overview

HackerOne has confirmed a security incident impacting its Salesforce environment, triggered by a compromise in Drift, a conversational marketing and sales automation tool now owned by Salesloft. The compromise exploited trusted OAuth and API connections between Drift and Salesforce, allowing unauthorized actors to pivot into Salesforce instances and exfiltrate accessible data.

This attack is part of a wider campaign affecting multiple organizations leveraging Salesforce integrations.

Timeline of Events

  • August 22, 2025: Salesforce alerted HackerOne of suspicious activity related to Drift integrations.

  • August 23, 2025: Salesloft confirmed Drift was affected by a breach. HackerOne triggered its incident response procedures, including token revocation, log correlation, and integration disabling.

  • Post-confirmation: Forensic triage indicated API calls and data queries from unauthorized IP ranges, correlating to the same adversary infrastructure seen in other Salesforce/Drift exploitation campaigns.

Attack Vector & Methodology

  1. Initial Compromise: Drift’s infrastructure was targeted. Adversaries leveraged vulnerabilities in Drift’s backend or authentication mechanisms to generate valid OAuth tokens or intercept existing session tokens.

  2. Pivot to Salesforce: Once Drift was compromised, its connected app permissions within Salesforce provided lateral access. Because Drift is often granted broad marketing/sales permissions, attackers were able to query Salesforce objects.

  3. Data Exposure: Preliminary evidence suggests attackers issued SOQL queries against limited data sets. HackerOne confirms customer vulnerability reports and sensitive bounty data were not impacted.

  4. Persistence: Malicious tokens and API integrations may have allowed sustained access until Salesforce/Drift access tokens were revoked.

Potentially Impacted Data

  • Salesforce CRM Records: Contact metadata, engagement history, and limited business communications.

  • Access Logs: Indicators suggest data queries but not file attachments or classified submissions.

  • Not Impacted: HackerOne clarified that vulnerability reports, bug bounty submissions, and security-sensitive researcher/customer data remained outside the compromised environment.

Incident Response Measures

  • Integration Lockdown: Immediate revocation of Drift OAuth tokens within Salesforce.

  • Forensic Investigation: Analysis of Salesforce API logs, token issuance history, and connected app audit trails.

  • Threat Hunting: IOC correlation with adversary IP ranges and API abuse patterns identified across other Salesforce tenants.

  • Customer Notifications: Direct outreach to potentially affected customers with tailored risk assessments.

Technical Lessons Learned

  • Third-Party OAuth Risk: Applications integrated via OAuth often gain read/write API scopes far beyond their operational need, expanding the attack surface.

  • Supply Chain Exploitation: Even hardened organizations like HackerOne remain vulnerable when dependencies like Drift are compromised.

  • Audit Trail Importance: Salesforce’s event monitoring logs were crucial in identifying unauthorized API requests and scoping the breach.

  • Segmentation & Data Isolation: Critical vulnerability data was protected because it resided in segregated storage systems outside the CRM environment.

Recommendations for Security Teams

  1. Review OAuth/Connected Apps:

    • Audit all connected apps within Salesforce or equivalent platforms.

    • Restrict permissions to minimum required scopes.

  2. Enable API Event Monitoring:

    • Continuously monitor for anomalous API activity (e.g., high-volume SOQL queries, requests from unusual IPs).

  3. Implement IP Restrictions:

    • Enforce login/IP allow-lists for all third-party app access.

  4. Token Hygiene:

    • Rotate or revoke OAuth tokens periodically.

    • Monitor for stale/unused integrations.

  5. Vendor Security Assessments:

    • Conduct penetration tests and third-party audits before onboarding SaaS integrations.

    • Mandate incident response playbooks from vendors like Drift/Salesloft.
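The recommendations above (audit connected-app scopes, watch for high-volume SOQL and off-list source IPs, flag stale integrations) can be exercised against exported log data. The following script is an added illustration, not code from ClearPhish, HackerOne, Salesforce or Salesloft. It assumes a simplified record layout (`ts`, `app`, `ip`, `op`, `soql`) and a hand-written scope policy; both are stand-ins, not Salesforce's actual EventLogFile schema or connected-app API. The sample events and the sample IPs (documentation ranges) are constructed.

```python
"""Connected-app audit and API-activity detection over sample records.

Illustrative code only; the record layout, the policy structure and all
sample data below are constructed assumptions, not vendor formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    """Parse a UTC ISO-8601 timestamp from a record (assumed format)."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def _build_sample_events():
    """Constructed API event records: a normal hourly poll plus a burst."""
    events = []
    # Baseline: one query per hour from the vendor's allow-listed egress range.
    for h in range(9, 19):
        events.append({"ts": f"2025-08-20T{h:02d}:00:00Z", "app": "Drift",
                       "ip": "203.0.113.10", "op": "query",
                       "soql": "SELECT Id FROM Contact WHERE LastModifiedDate = TODAY"})
    # Burst: 60 queries in three minutes from an address outside the allow-list.
    t0 = datetime(2025, 8, 22, 2, 0, 0, tzinfo=timezone.utc)
    for i in range(60):
        events.append({"ts": (t0 + timedelta(seconds=3 * i)).strftime(TS_FMT),
                       "app": "Drift", "ip": "198.51.100.7", "op": "query",
                       "soql": "SELECT Id FROM Contact"})
    return events


SAMPLE_EVENTS = _build_sample_events()
ALLOWLIST = ["203.0.113.0/24"]          # constructed vendor egress range
NOW = datetime(2025, 8, 23, tzinfo=timezone.utc)

# Constructed connected-app inventory and the least-privilege scope policy.
SAMPLE_APPS = [
    {"name": "Drift", "scopes": ["api", "refresh_token", "full"],
     "last_used": "2025-08-22T02:02:57Z"},
    {"name": "BillingSync", "scopes": ["api"], "last_used": "2025-08-21T10:00:00Z"},
    {"name": "LegacyDashboard", "scopes": ["api"], "last_used": "2025-05-01T00:00:00Z"},
]
SCOPE_POLICY = {"Drift": {"api", "refresh_token"}, "BillingSync": {"api"},
                "LegacyDashboard": {"api"}}


def find_offlist_ips(events, allowlist):
    """Return (app, ip, ts) for every request whose source is not allow-listed."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = []
    for e in events:
        ip = ipaddress.ip_address(e["ip"])
        if not any(ip in n for n in nets):
            hits.append((e["app"], e["ip"], e["ts"]))
    return hits


def find_query_bursts(events, window_minutes=5, threshold=50):
    """Map app -> peak query count in any sliding window, for apps over threshold."""
    by_app = defaultdict(list)
    for e in events:
        if e["op"] == "query":
            by_app[e["app"]].append(parse_ts(e["ts"]))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for app, times in by_app.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[app] = peak
    return alerts


def audit_connected_apps(apps, policy, now, stale_days=30):
    """Flag scopes beyond the policy baseline and tokens unused for stale_days."""
    findings = []
    for app in apps:
        excess = set(app["scopes"]) - policy.get(app["name"], set())
        if excess:
            findings.append((app["name"], "excess_scopes", sorted(excess)))
        idle = now - parse_ts(app["last_used"])
        if idle > timedelta(days=stale_days):
            findings.append((app["name"], "stale_token", idle.days))
    return findings


if __name__ == "__main__":
    print("off-list requests:", len(find_offlist_ips(SAMPLE_EVENTS, ALLOWLIST)))
    print("query bursts:", find_query_bursts(SAMPLE_EVENTS))
    print("app findings:", audit_connected_apps(SAMPLE_APPS, SCOPE_POLICY, NOW))
```

Against the constructed data the burst detector reports Drift at 60 queries inside a five-minute window, every burst request is flagged as off-list, Drift's `full` scope is reported as exceeding the policy baseline, and the unused LegacyDashboard integration is surfaced as a stale token. On real exports the thresholds and allow-list would come from the vendor's documented egress ranges and the tenant's observed baseline.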

Current Status

HackerOne, Salesforce, and Salesloft are jointly investigating the incident. Additional forensic details about the scope of compromised records and adversary infrastructure are expected in upcoming disclosures.

Organizations using Drift or other Salesforce-integrated applications are strongly advised to:

  • Conduct a full token review,

  • Inspect Salesforce event logs, and

  • Immediately rotate API keys or OAuth tokens connected to Drift/Salesloft.

This breach highlights how even security-mature organizations are only as strong as their weakest integration.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
