Overview
- Salesloft said Drift will be taken offline "in the very near future" to enable a full security review, after revoking active tokens tied to the chatbot.
- Cloudflare reported exfiltration of Salesforce case text between August 12 and 17 and rotated 104 exposed Cloudflare API tokens out of caution.
- Palo Alto Networks, Zscaler, PagerDuty, SpyCloud and Tanium disclosed limited exposure of contact and support-case details with no impact to core products or infrastructure.
- Google’s Threat Intelligence Group and Mandiant attribute the spree to UNC6395/GRUB1 and estimate more than 700 organizations may be affected, with a very small number of Google Workspace email accounts accessed via Drift Email on August 9.
- Vendors advise customers to revoke and rotate credentials, review Salesforce and integration logs from August 8 onward, and stay alert for targeted phishing or credential-abuse attempts.