Salesloft and Drift OAuth Incident Affecting Salesforce Data: What Happened and Our Response

Date: September 1, 2025

At Esker, protecting your data and communicating with transparency are core commitments. We are sharing details about a third-party incident that may have affected limited Salesforce data.

At a glance

• Incident type: Theft of Salesforce OAuth tokens used by Salesloft and Drift API integration 
• Where: Drift issue with Salesforce impact
• Status: Limited access to some Salesforce records 
• Other Esker systems: No access to other corporate Esker systems nor Esker customers cloud platforms
• Misuse: Risk of potential phishing by emails or voice calls

What happened

On August 25, 2025, Esker became aware of a security incident targeting Salesloft and Drift, marketing applications used by many Salesforce customers to automate sales workflows. In this incident, attackers obtained OAuth credentials associated with Esker’s Salesloft and Drift integrations and gained limited access to certain data in our Salesforce environment, from Aug 08 to Aug 18. The incident was contained as of Aug 18.

Scope

This incident was confined to our Salesforce environment, without any impact on other corporate Esker systems nor Esker customers cloud platforms.

What information may be affected

Our investigation indicates that potentially affected data is limited to content from Salesforce support cases, which may include:

• Names
• Business email addresses
• Job titles
• Phone numbers
• Plain text content from Support tickets, meaning this does not include attached files and images

At this time, we have no evidence of misuse of this information.

What we did

• We disabled Salesloft and Drift access to Esker’s Salesforce environment.
• We rotated relevant OAuth tokens and API credentials.
• We launched a detailed investigation, working closely with Salesforce.
• We proactively activated our dark web monitoring in order to detect leaked credentials.
• We initiated a third-party risk review for vendors with Salesforce with API access.

What you can do

• Stay alert for phishing or social-engineering attempts that reference your Esker activity or support cases. Esker will never ask for your credentials, such as a login or password.
• Verify the origin of any unsolicited communications claiming to be from Esker (emails or calls): we are only using official Esker channels to contact you.
• Never share passwords, MFA codes, or financial information in response to unofficial requests.
• Esker will never ask for your credentials by phone, SMS or unsolicited email.​
  

Need help

If you have concerns or want to report any issue related to suspicious phishing activity, you can contact our Support team through your secured Esker Support Hub account on https://support.esker.com/. We will provide updates should any new material information becomes available.