Salesloft announced that on September 5 it will temporarily disable its AI chatbot, Drift, after numerous companies were affected by a large-scale supply-chain attack targeting it. The incident resulted in the mass theft of authentication tokens.
As reported last week, hackers compromised the Salesloft sales automation platform and stole customers’ OAuth and refresh tokens from its AI agent, Drift, which is designed for integration with Salesforce (a company unrelated to Salesloft).
As Google representatives later reported, the attack lasted from August 8 to 18, 2025, was widespread, and affected, among other things, Google Workspace data.
Salesloft Drift is a platform for integrating the AI-powered Drift chatbot with Salesforce, allowing organizations to synchronize conversations, leads, and support cases with their CRM. To streamline workflows, Drift can also integrate with a range of services beyond Salesforce, such as Slack, Pardot, and Google Workspace.
The developers explain that disabling Drift will provide the quickest way to perform a comprehensive analysis of the application and will also help strengthen the security of the application and its associated infrastructure, so it can be restored to full functionality.
“The Drift chatbot on customer websites will be unavailable, and all Drift features, including Drift Fastlane and Drift Email, will be disabled during this time,” the company says, though it has not yet given exact dates for when the service will be restored.
The company emphasizes that its top priority at this time is ensuring the integrity and security of its own systems and customer data. As part of its incident response, Salesloft is working with cybersecurity experts from Mandiant and Coalition.
Google specialists attribute responsibility for this attack to a threat cluster codenamed UNC6395 (GRUB1 in Cloudflare’s classification). Researchers believe that the compromise of Salesloft Drift could potentially have affected more than 700 organizations.
Although it was initially believed that the data leak affected only Drift integrations with Salesforce, it later turned out that any platform integrated with Drift was vulnerable. Moreover, the method by which the attackers gained initial access to Salesloft’s Drift remains unknown.
Many major companies have already reported that this supply-chain attack affected their systems. Among those impacted are the cybersecurity firms Zscaler, Proofpoint, and Palo Alto Networks; the SaaS platforms Workiva, PagerDuty, and Exclaimer; Cloudflare; and others.