Salesloft Drift incident overview and CyberArk’s response

September 3, 2025 Dor Liniado

Abstract image featuring smooth, flowing blue and white light waves against a dark background, creating a sense of motion and fluidity.

It was recently reported that Salesloft’s Drift application was breached, allowing unauthorized access to its customers’ Salesforce data and affecting hundreds of organizations, including CyberArk.

Upon learning of this incident, we quickly deployed threat containment measures, including terminating our Salesforce–Drift connection; disabling the Drift application and revoking all related user credentials; and rotating all Salesforce integration credentials. In addition, we engaged leading security experts to support internal forensics efforts to ensure that no threat actors were present in our systems. No further unauthorized activity was found.

Importantly, no customer data, such as API keys, credentials, session recordings, passwords and secrets, documents and files, was affected, nor was customer support case information. The data accessed by the threat actor was limited to that contained in our Salesforce CRM, and may include business contact information, account and conversation metadata, and summary fields. We are reaching out separately to affected customers. No CyberArk products or services were impacted.

CyberArk maintains a layered security program grounded in Zero Trust principles, which requires continuous verification of identities, strict application of least-privilege access, and robust monitoring of privileged activities. These controls, combined with identity-centric safeguards, materially reduced the potential impact of the recent third-party integration incident. In parallel, CyberArk’s third-party security program, covering vendor due diligence, contractual security obligations, and ongoing risk assessments, provides additional assurance that integrations are subject to governance and oversight. Taken together, these measures appear to have been effective in limiting exposure and preventing the incident from resulting in broader or more damaging outcomes.

While the scope of this incident remains limited, we urge you to remain alert. Please continue to be cautious of potential phishing attacks or social engineering attempts that may use exposed contact information.

Because other organizations have experienced similar incidents related to Salesloft Drift, it is important to be vigilant about unsolicited communications, such as emails, phone calls, or requests for sensitive information. Always verify who is contacting you and never share passwords or financial information through unofficial channels.

CyberArk will never ask for your authentication or authorization details through unsolicited contact like a phone call or text message. All official CyberArk communications come from our trusted, official channels.

CyberArk remains committed to high standards of security in all that we do. If you have questions, our teams are available through our customer support channels.

Dor Liniado is CyberArk’s chief information security officer (CISO).

No Previous Articles

Next Article
Securing cloud console and CLI access for agile software development
Securing cloud console and CLI access for agile software development

Fast-moving cloud environments demand speed, but without the right access controls they invite risk. Resour...