Salesloft Trust Portal September 13, 2025 at 1:19 AM
Important Update Regarding Drift Security
The following provides additional information to our trust site post on September 6, 2025, regarding our current Drift remediation and fortification efforts and those going forward. We are continuing our efforts on remediation and additional security controls.
We are focused on the ongoing hardening of the Drift Application environment. This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations.
Furthermore, we are implementing new multi-factor authentication processes and further refining limitations to the application environment. These measures are complemented by an ongoing analysis of available logs and configuration settings, as well as the remediation of secrets within the environment and GitHub hardening activities.
As a part of this process, we have systems that will be turned on over the weekend that may send you automated notifications originating from Drift. Please disregard these notifications as they are part of our security testing process. Until we provide you with a definitive update that the Drift application has been restored and re-enabled, it will remain inaccessible to customers and third party integrations.
All of this is focused on continuing to harden the Drift environment prior to and after re-enabling the Drift application — which we expect to be soon.
September 11, 2025 at 12:30 AM
Drift Status Update
Most Recent: We want to provide you with an update regarding the status of the Drift application while it is temporarily offline.
On Sept 6, we posted a trust site update detailing the initial results of our investigation and remediation efforts to date. While Drift is offline, Salesloft is working to confirm the root cause of the security incident and implement additional security measures to avoid similar incidents in the future and to restore the application as soon as possible. We hope to be able to provide an ETA soon for getting Drift back online.
At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.
The security of your data and operations remains our highest priority, and we are committed to providing a safe and secure platform for all users. Thank you for your patience during this time.
For ongoing updates, please subscribe to trust.salesloft.com.
September 07, 2025 at 9:20 PM
Salesforce/Salesloft Integration Is Restored
We are pleased to report that the integration between the Salesloft platform and Salesforce is now restored.
Salesforce users can once again leverage the full capabilities and integrations of the Salesloft platform with confidence. For more information, read our most recent trust site update.
While the connection between systems was disabled, both Salesloft and Salesforce continued to run independently. The Salesloft Customer Success team will be reaching out to you directly to help you with data reconciliation before we can re-enable your Salesforce sync. Once we connect with you, the restoration should be relatively quick.
The step-by-step process for re-syncing your data and activities between Salesloft and Salesforce can be found in this help article.
The security of your data and operations remains our highest priority, and we remain committed to providing a safe and secure platform for all users. Thank you for your patience during this time and for your continued partnership.
For assistance, please contact Customer Support at help.salesloft.com.
For ongoing updates, please subscribe to our trust site (trust.salesloft.com).
September 07, 2025 at 2:00 AM
Update on Mandiant Drift and Salesloft Application Investigations
On August 28, 2025, Salesloft retained Mandiant to investigate the compromise of the Drift platform and its technology integrations. The objectives of the investigation are to determine the root cause, scope of the incident, and assist Salesloft with containment and remediation. Mandiant was subsequently engaged to examine the Salesloft environment to determine if it was compromised and verify the segmentation between the Drift and Salesloft environments.
The following is an update as of September 6, 2025:
What Happened:
Mandiant’s investigation has determined the threat actor took the following actions:
In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.
The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments.
The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.
The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.
The threat actor used the stolen OAuth tokens to access data via Drift integrations.
Response and Remediation Activities:
As part of a comprehensive response, Salesloft performed containment and eradication activities, validated by Mandiant, in the Drift and Salesloft application environments, including but not limited to:
Drift Application Environment:
Isolated and contained the Drift infrastructure, application, and code.
The Drift Application has been taken offline.
Rotated impacted credentials.
Salesloft Application Environment:
Rotated credentials in the Salesloft environment.
Performed proactive threat hunting of the environment and noted no additional Indicators of Compromise (“IOCs”) found.
Rapidly hardened Salesloft environment against the known methods used by the threat actor during the attack.
Threat hunting based on Mandiant Intelligence across Salesloft infrastructure and technologies:
IOC analysis.
Analysis of events associated with at-risk credentials based on threat actor activity.
Analysis of events associated with activity that would permit the threat actor to circumvent Salesloft security controls.
Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments.
Based on the Mandiant investigation, the findings support that the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review.
salesforce.com Eoghan Casey
August 27, 2025
Learn how to detect, investigate, and respond to Salesforce security incidents with logs, permissions, and backups.
A guide to investigating Salesforce security incidents with logs, permissions, and backups to strengthen response and resilience.
I am increasingly asked by customers how to investigate potential security incidents in their Salesforce environments. Common questions are: What did a specific user do during that time? and What data was impacted? Every organization and incident is unique, and the answer to these questions depends on the specific situation, but there is some general guidance I can provide.
Three key sources of information for investigating a security incident in Salesforce environments are activity logs, user permissions, and backup data.
darkreading.com
Robert Lemos, Contributing Writer
August 22, 2025
Some insurers look to limit payouts to companies that don't remediate serious vulnerabilities in a timely manner. Unsurprisingly, most companies don't like those restrictions.
Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations' defenses.
Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability's half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated.
The limits could start showing up in companies' policies, however, if demand for cyber insurance continues to grow, creating a seller's market, says John Coletti, head of cyber underwriting at Coalition.
"While we will not name names, there are specific examples of this occurring within the industry," he says. "A company should be highly skeptical of buying a policy with a CVE exclusion."
Cyber-insurance firms are struggling to find different ways to limit their vulnerability to large breaches and campaigns that hit a large number of policyholders. Following NotPetya, when companies used business insurance to cover disruptions to operations, efforts to deny payouts based on warlike-act exclusion clauses largely failed but led to enhanced wording in subsequent policies. Increasingly, cyber-insurance firms used data from policyholders or gleaned from cybersecurity assessments, or information from their own managed security services offerings to better determine risk.
Blame the Victim?
Yet requiring all companies to manage major vulnerabilities is a tall order. Currently, the software industry is on track to disclose more than 46,000 vulnerabilities in 2025, up from nearly 40,000 in 2024, according to the National Vulnerability Database (NVD). Of those, likely 30% would be considered of high or critical severity, typically defined as a Common Vulnerability Scoring System (CVSS) score of 8.0 or higher.
Hackers have tried to break into the email accounts of a select number of Washington Post journalists, according to an internal Washington Post memo obtained by CNN.
The Post discovered the “possible targeted” hack of its email system last Thursday, prompting the newspaper to reset login credentials for all its employees on Friday, Washington Post Executive Editor Matt Murray said in a memo Sunday to employees.
“Although our investigation is ongoing, we believe the incident affected a limited number of Post journalists’ accounts, and we have contacted those whose accounts have been impacted,” Murray said.
“We do not believe this unauthorized intrusion impacted any additional Post systems or has had any impact for our customers,” he added.
It was not immediately clear who was responsible for the hack. Journalists are regular targets for both state-backed spies, who are interested in tracking their reporting before it becomes public, and cybercriminals, who are interested in extorting news organizations.
A spokesperson for The Post declined to comment when asked who might be responsible for the hack.
On May 29, 2025, SentinelOne experienced a global service disruption affecting multiple customer-facing services. During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data. We apologize for the disruption caused by this service interruption.
The root cause of the disruption was a software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform. It was not a security-related event. The majority of SentinelOne services experienced full or partial downtime due to this sudden loss of network connectivity to critical components in all regions.
We’d like to assure our commercial customers that their endpoints were protected throughout the duration of the service disruption and that no SentinelOne security data was lost during the event. Protected endpoint systems themselves did not experience downtime due to this incident. A core design principle of the SentinelOne architecture is to ensure protection and prevention capabilities continue uninterrupted without constant cloud connectivity or human dependency for detection and response – even in the case of service interruptions, of any kind, including events like this one.
Victoria’s Secret hit by outages as it battles security incident
Fashion retail giant Victoria’s Secret said it is addressing a “security incident,” as its website and online orders face ongoing disruption.
Victoria’s Secret posted the brief statement on its website Wednesday. The company’s outages began earlier on Monday, as users have reported not being able to access the Victoria’s Secret website.
“We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution,” a spokesperson for Victoria’s Secret said in response to TechCrunch’s inquiries. The spokesperson did not provide their name nor describe the nature of the cybersecurity incident.
“We are working to quickly and securely restore operations,” the spokesperson said. The company said its stores remain open.
Victoria’s Secret closed down 7% on the news of the security incident.
Dear Friends, Neighbors, and Valued Cellcom/Nsight Customers,
Over the past five days, many of you have been impacted by a service disruption — and I want to begin by saying something simple, and deeply meant: I’m here.
While I’ve been closely involved from the very beginning, this is the first time I’m writing to you directly. That wasn’t because I didn’t want to — it was because I truly believed we’d be past this quickly. I stayed focused on the fix, confident that we’d be able to restore service fast.
We’ve always believed in being present, open, and accountable to the people we serve. That’s what this letter is about.
We experienced a cyber incident. While this is unfortunate, it’s not something we were unprepared for. We have protocols and plans in place for exactly this kind of situation. From the start, we’ve followed those plans — including engaging outside cybersecurity experts, notifying the FBI and Wisconsin officials, and working around the clock to bring systems safely back online.
The incident was concentrated on an area of our network separate from where we store sensitive information related to you, our Cellcom/Nsight family. We have no evidence that personal information related to you, your name, your addresses, your financial information, is impacted by this event.
Thanks to an incredible amount of hard work and tenacity, we achieved a major milestone last night. We are building on that success and expect to have the rest of service restored this week. Every part of this recovery is being handled with care and precision — we will not rush anything that compromises safety, security or trust.
For 115 years, as a company that began as a local telephone provider, we've understood that connection is everything. Generations of my family have had the privilege of serving generations of yours. We've grown and changed with the times, but our purpose has always remained the same: helping you stay connected to what matters most. We know this disruption has caused frustration and, for some, real hardship — and for that, I am truly sorry.
In the midst of it all, I’ve witnessed what makes this company special. Across the organization, people put mission ahead of role, put pride aside, and put the community first. We saw teams find creative solutions, take personal initiative, and step outside the bounds of job descriptions to make things right. That spirit — of care, urgency and accountability — has defined our response and will continue to shape our path forward.
To our employees — thank you. Your heart and grit during these trying days make me proud beyond words.
To our customers — thank you. Your patience, understanding and kindness mean the world to us. We’ve felt your support every step of the way, and we don’t take it for granted.
We know that gratitude alone isn’t enough — we’re taking responsibility. We’re covering the time you were without service, and then some.
Please know that we hear you, we appreciate you, and you have the very best team in the world on the case. I know we will be a better and stronger Cellcom/Nsight for this experience.
Warmly,
Brighid Riordan
Luxury department store is forced to shut some systems but website and shops continue to operate.
Harrods has been hit by a cyber-attack, just days after Marks & Spencer and the Co-op were targeted.
The luxury department store is understood to have been forced to shut down some systems, but said its website and all its stores, including the Knightsbridge flagship, H beauty and airport outlets, continued to operate. It is understood the retailer first realised it was being targeted earlier this week.
Harrods said in a statement: “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”
The retailer said it was not asking customers to take any action, indicating that it did not suspect data had been accessed. It added: “We will continue to provide updates as necessary.”
On April 26, an unauthorized user exploited a vulnerability with a GitHub workflow to gain unauthorized access to tokens, all of which have now been invalidated. At this time, our investigation has found no evidence of code modifications, unauthorized access to production systems, exposure of customer data, or access to personal information.
BeyondTrust identified a security incident that involved a limited number of Remote Support SaaS customers. On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised. BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.
12/12/24 While the security incident forensics investigation remains ongoing, there are no material updates to provide at this time. We continue to pursue all possible paths as part of the forensic analysis, with the assistance of external forensic parties, to ensure we conduct as thorough an investigation as possible. We continue to communicate, and work closely with, all known affected customers. We will continue to provide updates here until our investigation is concluded.
Version 1.1: October 18, 2024