Proofpoint, SpyCloud, Tanium, and Tenable confirm exposure of Salesforce data in widespread supply chain attack
The recent Salesforce–Salesloft Drift breach is rapidly shaping up to be one of the most significant supply chain incidents of 2025. What began as the exploitation of a single integration has cascaded across the cybersecurity landscape, compromising sensitive data from some of the industry’s biggest names — including Proofpoint, SpyCloud, Tanium, and Tenable.
What Happened
On August 26, 2025, Google’s Threat Analysis Group disclosed that a state-backed actor, tracked as UNC6395, had been abusing compromised OAuth tokens tied to the third-party AI chatbot integration Salesloft Drift. This exploit enabled attackers to siphon off large volumes of data directly from Salesforce instances.
Targeted data included:
- AWS keys and credentials
- Passwords and session tokens
- Snowflake-related access tokens
Originally thought to only affect organizations that directly used Drift, the attack was soon found to extend to a much broader set of Salesforce customers. Within days, Google Workspace customers and security leaders such as Cloudflare, Palo Alto Networks, and Zscaler confirmed exposure.
The scope is massive — industry estimates suggest more than 700 organizations may have been impacted.
How Cybersecurity Firms Were Hit
- Proofpoint: Attackers accessed its Salesforce tenant through the Drift integration but did not touch products, services, or internal networks.
- SpyCloud: Exposed standard CRM data but no consumer or end-user information. Customers were notified of the incident.
- Tanium: Confirmed unauthorized access to Salesforce records such as names, emails, phone numbers, and location references, but stressed that its platform and systems remained secure.
- Tenable: Breach included support case data and business contact details. The company immediately rotated credentials, removed Drift, and enhanced monitoring.
Why This Matters
This breach underscores the hidden risks of third-party integrations in modern SaaS ecosystems. Even organizations with world-class defenses can be compromised when trust chains are broken. The attack demonstrates how supply chain vulnerabilities — especially OAuth token abuse — can be leveraged at scale to harvest sensitive enterprise data.
What Organizations Should Do Now
- Audit integrations: Review all third-party apps connected to critical SaaS platforms like Salesforce.
- Revoke unused tokens: Disable or rotate OAuth credentials regularly.
- Harden monitoring: Implement continuous monitoring of SaaS logs for unusual data export activity.
- Zero-trust mindset: Apply least privilege and conditional access controls to SaaS integrations.
- Incident response prep: Ensure your IR playbooks account for third-party SaaS risks.
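As an added illustration of the "audit integrations" and "harden monitoring" recommendations above (example code written for this article, not from Salesforce, Salesloft, or any of the vendors named), the script below sums exported rows per connected app per day, flags any day that dwarfs the app's own earlier baseline, and lists apps that appear in the logs but not in an approved inventory. The record layout, app names, and allow-list are constructed assumptions, not Salesforce's real event log schema.

```python
"""Flag connected apps whose export volume spikes far above their own history,
and apps missing from the approved inventory. Records are a constructed,
simplified stand-in for SaaS API audit logs (not a real Salesforce schema)."""
from collections import defaultdict
from statistics import mean

# Constructed sample records: one per API export call by a connected/OAuth app.
SAMPLE_EVENTS = [
    {"day": "2025-08-01", "app": "drift-integration", "rows": 1000},
    {"day": "2025-08-02", "app": "drift-integration", "rows": 1100},
    {"day": "2025-08-03", "app": "drift-integration", "rows": 1200},
    {"day": "2025-08-04", "app": "drift-integration", "rows": 1300},
    {"day": "2025-08-05", "app": "drift-integration", "rows": 1150},
    {"day": "2025-08-25", "app": "drift-integration", "rows": 300000},
    {"day": "2025-08-25", "app": "drift-integration", "rows": 180000},
    *[{"day": f"2025-08-0{d}", "app": "billing-sync", "rows": 5000} for d in range(1, 6)],
    {"day": "2025-08-25", "app": "billing-sync", "rows": 5000},
    {"day": "2025-08-25", "app": "legacy-export-tool", "rows": 2000},
]
APPROVED_APPS = {"drift-integration", "billing-sync"}  # constructed allow-list


def daily_totals(events):
    """Sum exported rows per app per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["app"]][e["day"]] += e["rows"]
    return totals


def flag_export_spikes(events, min_baseline_days=3, min_ratio=5.0):
    """Return (app, day) findings where the day's exported rows are at least
    min_ratio times that app's mean over all earlier days. Apps with fewer than
    min_baseline_days of history are skipped; catch those via the allow-list."""
    findings = []
    for app, per_day in daily_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_baseline_days:
                continue
            baseline = mean(history)
            if per_day[day] >= min_ratio * baseline:
                findings.append({"app": app, "day": day,
                                 "rows": per_day[day], "baseline": round(baseline)})
    return findings


def unapproved_apps(events, approved):
    """Connected apps seen in the logs but absent from the approved inventory."""
    return {e["app"] for e in events} - set(approved)
```

A per-app baseline matters because a legitimately busy integration exports far more rows than a quiet one, so a single global threshold would either miss the quiet app's spike or page on the busy app every day.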
Final Takeaway
This incident is a wake-up call: even cybersecurity leaders are not immune when attackers exploit weak links in SaaS supply chains. Organizations of all sizes must reassess their exposure to third-party integrations and adopt a more vigilant, zero-trust approach to cloud security.