Elastic has announced a security incident due to a third-party breach at Salesloft Drift, resulting in unauthorized access to an internal email account containing valid credentials.
The company’s core Salesforce environment remains unaffected, although sensitive information within a limited number of emails was exposed.
The incident was publicly disclosed by Salesloft Drift on Aug 26, 2025. Elastic used Drift for certain business applications and proactively initiated its incident response protocols to assess the potential impact.
Scope of the Impact
Elastic’s investigation confirmed that its Salesforce environment was uncompromised. However, a single email account was exposed through the “Drift Email” integration, possibly allowing unauthorized read-only access to emails in that inbox.
A scan of the inbox revealed a small number of inbound emails containing potentially valid credentials. Elastic notified affected customers through existing support channels. Customers not directly notified were not impacted by the credential leak.
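As an added illustration (not Elastic's tooling, and not part of the original article), the Python script below shows the kind of heuristic credential scan a responder could run over messages exported from such an inbox: it parses each RFC 5322 message, pulls the text parts, matches credential-shaped strings, and decodes long base64 runs to test for the `<id>:<secret>` structure of an Elastic-style encoded API key. The regex patterns, the structural key check, and the four sample messages are all constructed for this example and will produce both misses and false positives on real mail.

```python
"""Heuristic scan of exported e-mail messages for credential-shaped strings.

Added example, not Elastic's tooling. All patterns are heuristics assumed
for illustration, and the sample messages are constructed.
"""
import base64
import binascii
import email
import re
from email import policy
from email.message import EmailMessage

# Credential-shaped patterns (assumed heuristics). A capture group, where
# present, isolates the secret itself so it can be redacted in the report.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(
        r"Authorization:\s*Bearer\s+([A-Za-z0-9._\-]{20,})", re.IGNORECASE),
    "basic_auth_url": re.compile(
        r"https?://[^\s/:@]+:[^\s/@]+@[^\s/]+", re.IGNORECASE),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})", re.IGNORECASE),
}
# Long base64 runs are candidates for encoded API keys; they are decoded
# and checked structurally rather than matched on shape alone.
BASE64_RUN = re.compile(r"\b[A-Za-z0-9+/]{40,}={0,2}")
KEY_PART = re.compile(r"^[A-Za-z0-9_\-]{10,}$")


def looks_like_encoded_api_key(blob: str) -> bool:
    """True if blob decodes to '<id>:<secret>' (Elastic-style encoded API key).

    The structural check (two URL-safe tokens split by one colon) is a
    heuristic assumed for this example."""
    try:
        decoded = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    key_id, sep, secret = decoded.partition(":")
    return bool(sep) and bool(KEY_PART.match(key_id)) and bool(KEY_PART.match(secret))


def redact(secret: str) -> str:
    """Keep a short prefix so analysts can correlate without re-exposing it."""
    return f"{secret[:4]}...({len(secret)} chars)"


def message_text(msg: EmailMessage) -> str:
    """Concatenate all text/* parts of a (possibly multipart) message."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def scan_message(raw: str) -> list[dict]:
    """Return one finding per credential-shaped hit, with the secret redacted."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = message_text(msg)
    message_id = str(msg["Message-ID"])
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            secret = match.group(1) if pattern.groups else match.group(0)
            findings.append({"message_id": message_id, "kind": kind,
                             "redacted": redact(secret)})
    for match in BASE64_RUN.finditer(text):
        if looks_like_encoded_api_key(match.group(0)):
            findings.append({"message_id": message_id, "kind": "encoded_api_key",
                             "redacted": redact(match.group(0))})
    return findings


def scan_messages(raws) -> list[dict]:
    return [finding for raw in raws for finding in scan_message(raw)]


def _sample(message_id: str, body: str) -> str:
    """Build a minimal RFC 5322 message (constructed sample data)."""
    return "\n".join([
        "From: customer@example.com",
        "To: support@example.org",
        f"Message-ID: <{message_id}@example.com>",
        "Content-Type: text/plain; charset=utf-8",
        "",
        body,
    ])


# Constructed: base64("<id>:<secret>"), the shape of an Elastic encoded API key.
SAMPLE_ENCODED_KEY = base64.b64encode(
    b"sample-key-id-0001:sample-secret-value-0002").decode()

SAMPLE_MESSAGES = [
    _sample("msg-1", f"Hi, the staging cluster key is {SAMPLE_ENCODED_KEY} if you need it."),
    _sample("msg-2", "Temporary password: Hunter2!2025 for the jump host.\n"
                     "Mirror: https://svc_user:S3cretP%40ss@repo.example.net/git\n"
                     "IAM access key id AKIAEXAMPLE000000001 is attached."),
    _sample("msg-3", "Repro: curl -H 'Authorization: Bearer "
                     "eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ.c2lnbmF0dXJlLXNhbXBsZQ' "
                     "https://api.example.net/"),
    _sample("msg-4", "Build artifact sha256: " + "deadbeef" * 8 + "\nNo secrets here."),
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

The base64 check matters more than the regexes: a hex digest or any long token is also a valid base64 alphabet run, so decoding and testing the decoded structure is what keeps the `encoded_api_key` class from flooding the report, as the fourth sample shows. Anything flagged should be treated as a lead for revocation and log review, not as proof the credential was used.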
Elastic’s Information Security team acted promptly to contain the threat. They reviewed access logs, network activity, and system configurations to determine the extent of the exposure, and disabled all Drift integrations within Elastic’s environment to prevent further access through that path.
The team monitored open-source intelligence for Indicators of Compromise (IOCs) and collaborated with Drift’s security team for additional information.
Elastic remains committed to transparency and customer data protection, continuing to monitor for new developments.
Confirmed Victims of the Supply Chain Attack:
- Palo Alto Networks: Business contact information and internal sales data from its CRM platform were exposed.
- Zscaler: Customer information, including names, contact details, and some support case content, was accessed.
- Google: A “very small number” of Workspace accounts were accessed through compromised tokens.
- Cloudflare: A sophisticated threat actor accessed and stole customer data from the Salesforce instance.
- PagerDuty: Unauthorized access to some data stored in Salesforce was confirmed.
- Tenable: Exposed contact details and support case information of some customers were confirmed.
- Qualys: Unauthorized access to a portion of its Salesforce data was confirmed.
- Dynatrace: Unauthorized access to customer business contact information stored in its Salesforce CRM was confirmed.
