
Cybersecurity Alert – Salesloft Drift AI Supply Chain Attack

Impact: All Firms

FINRA member firms should be aware of a supply chain attack leveraging data exfiltrated from Salesloft Drift—a third-party platform that connects the Drift AI chat agent with a Salesforce or Google Workspace instance, among others. The breach described below exposed data that could increase the risk of credential stuffing, spear phishing and social engineering attacks against member firms and their vendors. To date, we are aware of multiple impacted third-party vendors used by FINRA firms. FINRA has notified the member firms that use the affected vendors or Salesloft.

We are sharing this Cybersecurity Alert with all member firms so they can determine if they or their vendors are also impacted, and take the recommended actions to protect their environments.

Summary

In August 2025, Salesloft experienced a supply chain breach through its Drift chatbot integration that impacted more than 700 organizations. The attack has been attributed to a threat cluster tracked as UNC6395 (also known as GRUB1). Threat actors stole OAuth authentication tokens that allowed them to impersonate the trusted Drift application and gain unauthorized access to customer environments. Using these tokens, the attackers accessed Salesforce, Google Workspace and—in some cases—Slack integrations, enabling the exfiltration of sensitive information. The scope of the compromised data varied by organization but commonly included business contact records (names, titles, emails and phone numbers) as well as Salesforce objects such as Accounts, Contacts, Opportunities and Cases. In some cases, more sensitive material was also exposed, including API keys, Snowflake tokens, cloud credentials and passwords embedded in support cases. This stolen data increases the risk of credential stuffing, spear phishing and social engineering attacks against member firms and their vendors.

The breach targeted weaknesses in Salesloft’s Drift chatbot integrations rather than in Salesforce or Google Workspace directly. Investigators believe the attackers obtained valid OAuth and refresh tokens through prior phishing or social engineering campaigns. By leveraging these tokens, the threat actors bypassed traditional multi-factor authentication and impersonated Drift to move laterally into customer systems. Once inside, they performed reconnaissance and executed queries to systematically export data. To conceal their activities, they deleted query jobs and used infrastructure hosted on DigitalOcean and AWS to obfuscate their operations.

This incident is part of an ongoing wave of threat actor attacks targeting Salesforce software vulnerabilities. It highlights the risks inherent in trusted third-party integrations and the dangers posed by stolen OAuth tokens, which grant broad and persistent access across cloud applications. The breach underscores the importance of monitoring SaaS integrations, enforcing least-privilege access, and securing sensitive data stored in collaboration platforms.

Firms (and their third-party vendors) that use Salesloft or its Drift integrations are strongly encouraged to take immediate steps to protect their environments.

  • Disconnect all Salesloft integrations with Salesforce, Google Workspace and other platforms, and rotate any potentially exposed credentials, including API keys and tokens.
  • Conduct forensic reviews of audit logs in Salesforce, Google Workspace, and Slack to identify unauthorized access between Aug. 8, 2025, and Aug. 18, 2025. Particular attention should be given to unusual data exports or access patterns.
  • Monitor Salesloft’s trust portal for real-time updates and remediation steps.
  • Scan support cases and other communications for sensitive data that may have been exposed, and take steps to remediate any credential leakage.
  • Implement additional controls and remain vigilant regarding phishing or other follow-on attacks that may exploit the exposed contact information.
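The audit-log review and the support-case scan recommended above can be scripted. The following is an added example written for this Alert; it is not code from FINRA, Salesloft or Salesforce. The JSON-lines log format, the sample records, the case texts, the "Salesloft Drift" app name, the 1,000-row export threshold and the UTC interpretation of the review window are all assumptions constructed for illustration; real Salesforce and Google Workspace audit exports use their own schemas, and the patterns would need to be mapped onto those fields.

```python
"""
Triage helpers for the two review steps in the Alert (added example, not
FINRA's or any vendor's code). Log schema, sample data, app name and
thresholds are constructed assumptions for illustration only.
"""
import json
import re
from datetime import datetime, timezone

# Review window named in the Alert; treated as UTC (an assumption).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Integration whose activity is under review (name is an assumption) and a
# row count above which an export is treated as "unusual" (tuning value).
SUSPECT_APPS = {"Salesloft Drift"}
BULK_ROW_THRESHOLD = 1000

# Constructed sample audit records, one JSON object per line. Not real output.
SAMPLE_LOG = """
{"ts": "2025-08-05T14:02:11Z", "app": "Salesloft Drift", "user": "integration@example.com", "op": "query", "object": "Contact", "rows": 40}
{"ts": "2025-08-10T03:17:45Z", "app": "Salesloft Drift", "user": "integration@example.com", "op": "bulk_query", "object": "Case", "rows": 25000}
{"ts": "2025-08-10T03:21:09Z", "app": "Salesloft Drift", "user": "integration@example.com", "op": "bulk_query", "object": "Account", "rows": 18000}
{"ts": "2025-08-10T03:25:30Z", "app": "Salesloft Drift", "user": "integration@example.com", "op": "delete_job", "object": "Case", "rows": 0}
{"ts": "2025-08-12T09:00:00Z", "app": "Internal Reporting", "user": "analyst@example.com", "op": "bulk_query", "object": "Opportunity", "rows": 5000}
{"ts": "2025-08-20T11:11:11Z", "app": "Salesloft Drift", "user": "integration@example.com", "op": "bulk_query", "object": "Contact", "rows": 30000}
"""


def parse_ts(value):
    # ISO-8601 with a trailing "Z"; returns a timezone-aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_events(log_text):
    """Return events from the suspect integration inside the review window
    that look like bulk exports or deleted query jobs (the anti-forensics
    step the Alert describes)."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        ts = parse_ts(rec["ts"])
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue  # outside the Aug. 8 - Aug. 18 window
        if rec["app"] not in SUSPECT_APPS:
            continue  # activity from other integrations is reviewed separately
        reasons = []
        if rec["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk export of {rec['rows']} {rec['object']} rows")
        if rec["op"] == "delete_job":
            reasons.append("query job deleted (possible anti-forensics)")
        if reasons:
            findings.append({"ts": rec["ts"], "app": rec["app"],
                             "user": rec["user"], "object": rec["object"],
                             "reasons": reasons})
    return findings


# Credential shapes that should never sit in a support case. "AKIA" + 16
# characters is AWS's documented access key id format; the other two are
# generic heuristics, not vendor specifications.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "generic_api_key": re.compile(r"(?i)\b(api[_-]?key|token)\s*[:=]\s*([A-Za-z0-9_\-]{16,})"),
}

# Constructed case texts; the AWS key is AWS's own documentation placeholder.
SAMPLE_CASES = [
    ("00001", "Customer cannot log in; resolved by password reset link."),
    ("00002", "Shared creds for testing: password: Summ3r!2025 and api_key=abcd1234efgh5678ijkl"),
    ("00003", "Our AWS key AKIAIOSFODNN7EXAMPLE keeps failing"),
]


def find_exposed_secrets(cases):
    """Scan (case_id, text) pairs and report matches with the secret value
    redacted, so the report itself does not re-leak credentials."""
    hits = []
    for case_id, text in cases:
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                hits.append({"case": case_id, "kind": kind,
                             "redacted": secret[:4] + "***"})
    return hits


if __name__ == "__main__":
    for finding in find_suspicious_events(SAMPLE_LOG):
        print("AUDIT", finding)
    for hit in find_exposed_secrets(SAMPLE_CASES):
        print("SECRET", hit)
```

On the sample data the audit review flags the two large Case and Account exports and the deleted query job, while ignoring the pre-window query, the post-window export and the unrelated internal reporting job; the case scan reports the embedded password, API key and AWS key id for rotation. Every flagged record is a starting point for analyst review, not a verdict; the bulk-row threshold in particular should be set from the integration's normal baseline.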

Going forward, firms can mitigate the risk of recurrence of this threat vector by applying least-privilege principles to third-party applications, enforcing stricter access controls and enhancing monitoring for SaaS integrations.

FINRA encourages member firms that identify data breaches or attempted data breaches to contact their Risk Monitoring Analyst and report them to:

Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.