ChargePoint Holdings Inc.

09/17/2025 | Press release | Distributed by Public on 09/17/2025 19:55

Salesloft “Drift” Chatbot Breach – ChargePoint’s Response and Next Steps

Team ChargePoint | Inside ChargePoint

Incident Overview

In August 2025, a third-party security breach impacted Salesforce customers who use the Salesloft "Drift" chatbot integration. This breach was part of a global supply chain attack that affected more than 700 organizations, carried out by a state-sponsored threat group tracked as UNC6395. Below we will explain what the "Drift" Chatbot is, what happened, and how we're responding to protect your information going forward.

What is the "Drift" Chatbot and how is it utilized?

The "Drift" Chatbot functions as an automated chatbot agent. Upon accessing the ChargePoint website, customers were able to initiate a conversation with the Chatbot by clicking a designated icon on the page. The Chatbot was designed to collect essential information from customers and synchronize it with ChargePoint's Salesforce information so we can help customers find the products they are looking for.

Incident Description & Impact

The incident occurred on August 8th and was confirmed and contained by the ChargePoint security team on August 21st. Data exposed in the breach included customer information (such as customer business card information, shipping addresses and support cases) as well as API keys used by secondary systems. The incident did not stem from any vulnerability in the Salesforce platform; instead, threat actors exploited the trust placed in third-party integrations to bypass the default information security controls and restrictions.

How was the system exploited?

ChargePoint has uncovered the following actions through forensic evidence and Salesforce event logs.

  • Attackers exploited OAuth tokens linked to the Drift integration to gain unauthorized API access to Salesforce.
  • The compromised OAuth tokens allowed attackers to authenticate against Salesforce APIs without user interaction or multi-factor authentication.
  • Attackers executed structured queries (SOQL) to extract data from Salesforce objects.
  • The attackers demonstrated advanced operational security by attempting to delete query jobs to conceal their activity.
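The sequence above (integration token used for API access, SOQL extraction, query jobs deleted to cover tracks) is exactly what a defender should be able to pick out of Salesforce event logs. The following is an added detection sketch, not ChargePoint's or Salesforce's code: it runs three checks over a constructed, simplified event stream. The field names (`event_type`, `connected_app`, `query`, `rows_returned`, `job_id`), the `INTEGRATION_SCOPE` allowlist and the sample job ids are all assumptions; real Salesforce Event Monitoring records would have to be mapped onto this shape first.

```python
"""Detection sketch for OAuth-integration abuse in Salesforce-style API event logs.

Added example, not ChargePoint's or Salesforce's code. The record shape is an
assumed simplification of an event log; map real fields onto it before use.
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# Assumption: objects each integration is expected to touch. A chatbot that
# syncs visitor details should not be reading Case records in bulk.
INTEGRATION_SCOPE = {
    "drift_chatbot": {"Lead", "Contact"},
}

FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def soql_object(query: str) -> Optional[str]:
    """Return the object named in the SOQL FROM clause, or None."""
    m = FROM_RE.search(query)
    return m.group(1) if m else None


def detect(records, delete_window=timedelta(minutes=30), bulk_rows=10_000):
    """Run three checks over event records (oldest first) and return findings.

    1. out_of_scope_object: an integration queries an object outside its allowlist.
    2. bulk_export: a single query returns an unusually large number of rows.
    3. job_created_then_deleted: a query job is deleted shortly after the same
       integration created it (anti-forensic pattern).
    """
    findings = []
    created_jobs = {}  # job_id -> (connected_app, created_at)
    for r in sorted(records, key=lambda r: r["timestamp"]):
        app = r.get("connected_app")
        ts = datetime.fromisoformat(r["timestamp"])
        et = r["event_type"]
        if et == "ApiQuery":
            obj = soql_object(r["query"])
            scope = INTEGRATION_SCOPE.get(app)
            if scope is not None and obj and obj not in scope:
                findings.append(("out_of_scope_object", app, obj, r["timestamp"]))
            if r.get("rows_returned", 0) >= bulk_rows:
                findings.append(("bulk_export", app, obj, r["timestamp"]))
        elif et == "BulkJobCreate":
            created_jobs[r["job_id"]] = (app, ts)
        elif et == "BulkJobDelete":
            created = created_jobs.get(r["job_id"])
            if created and created[0] == app and ts - created[1] <= delete_window:
                findings.append(("job_created_then_deleted", app, r["job_id"], r["timestamp"]))
    return findings


# Constructed sample events (not real log data); job ids are placeholders.
SAMPLE_EVENTS = [
    {"timestamp": "2025-08-08T10:00:00", "event_type": "ApiQuery",
     "connected_app": "drift_chatbot",
     "query": "SELECT Id, Email FROM Contact WHERE Email = 'visitor@example.com'",
     "rows_returned": 1},                                     # benign sync lookup
    {"timestamp": "2025-08-08T10:05:00", "event_type": "ApiQuery",
     "connected_app": "drift_chatbot",
     "query": "SELECT Id, Subject, Description FROM Case",
     "rows_returned": 52_000},                                # out of scope + bulk
    {"timestamp": "2025-08-08T10:06:00", "event_type": "BulkJobCreate",
     "connected_app": "drift_chatbot", "job_id": "JOB-PLACEHOLDER-0001"},
    {"timestamp": "2025-08-08T10:12:00", "event_type": "BulkJobDelete",
     "connected_app": "drift_chatbot", "job_id": "JOB-PLACEHOLDER-0001"},  # deleted 6 min later
    {"timestamp": "2025-08-08T11:00:00", "event_type": "BulkJobDelete",
     "connected_app": "admin_console", "job_id": "JOB-PLACEHOLDER-0099"},  # no matching create
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two design points worth noting. Integration tokens authenticate without MFA by design, so "no MFA" is not itself a signal; scope, volume and the create-then-delete pattern are. And because the third check correlates a create with a later delete, the detection has to run over the retained log rather than the live job list, which is precisely what deleting the job was meant to defeat.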

Our Response and Investigation

As soon as we learned of this incident, we immediately disabled the compromised "Drift" Chatbot integration on our site and in our Salesforce environment, and launched a thorough investigation. We have also reset all tokens, and re-authentication procedures have been successfully executed.

Ongoing Investigation and Next Steps

We take this incident very seriously and we are committed to continuing our investigation in coordination with Salesforce, Salesloft and external security partners. The vulnerable third-party integration remains disabled and will not be re-enabled unless we are fully confident in its security on behalf of our customers. Additionally, Salesforce and Salesloft have taken steps globally to revoke compromised tokens and remove "Drift" Chatbot integrations from all digital stores pending further security improvements.

Guidance for Customers

While the investigation is ongoing, we encourage all customers to remain vigilant and take a few precautionary steps in light of this incident:

  • Be alert for phishing or fraudulent communications: Because some contact information may have been exposed, be extra cautious about unsolicited communications, as attackers might use these details to impersonate our company or others.
  • Verify contacts and links: Only trust messages from official enterprise email addresses and be wary of links.
  • Credential hygiene: If you have ever shared any secret keys, access tokens or passwords with our support team, we recommend rotating or changing those credentials as a precaution.

We appreciate your business, and thank you for being a ChargePoint customer.

ChargePoint Holdings Inc. published this content on September 17, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 18, 2025 at 01:55 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]