Could the process generate duplicates? Trigger automations? Push API usage beyond its limits? These are the questions on the table as Salesloft and Salesforce are resynchronized.
The two ecosystems had been disconnected for about ten days due to a vulnerability. The origin is now known: Salesloft’s GitHub account had been compromised. Between March and June 2025, content was downloaded from several repositories, a guest user was added, and workflows were put in place. In parallel, reconnaissance activities took place within the vendor’s application environments, in particular the Drift chatbot environment, which ultimately served as the foothold into Salesforce instances.
The compromise of Salesloft’s GitHub account was followed by access to its AWS environment. API tokens (OAuth tokens) were retrieved. They opened the door to the third‑party applications integrated with the Drift chatbot. Among them, Salesforce, of course, but not only Salesforce. Google acknowledged that it was affected, notably at the level of its Workspace suite, via the Drift Email integration.
Secrets in Support Tickets
The flaw hit several IT solutions providers. Some acknowledged that their support tickets had been accessed. Among them, Zscaler. It lists multiple fields potentially exposed: the identity of the requester, type of intervention, status, product involved, problem summary, action plan, and so on.
JFrog initially stated that third parties had accessed “certain data” from its Salesforce instance. The narrative evolved: ultimately, any information shared with its support system could have been compromised. This potentially includes secrets. The vendor has reached out to customers it believes may be affected.
PagerDuty, for its part, addresses the risk of secret leakage. It explains that it identified tickets in which customers had shared sensitive data, including API keys. Those affected were notified and the keys revoked.