Security update: Salesforce–Salesloft Drift incident
Security researchers recently identified an attack against the Salesloft Drift application, which integrates with Salesforce. According to reports from Mandiant and the Google Threat Intelligence Group, a threat actor (UNC6395) exploited compromised OAuth integrations to gain limited access to Salesforce customer instances beginning August 8, 2025 through at least August 18, 2025. The primary aim is believed to be credential harvesting. The official Google Threat Intelligence Group report is available at this link.
This was a widespread incident and there’s nothing to suggest it involved the Brightcove platform.
Data potentially exposed
The data potentially exposed relates to Salesforce, which we use for some customer support purposes. This data may include the following:
-
- Standard business contact details (name, work email, phone, job title, company)
-
- Customer support interactions (notes, discussion points, call metadata, case descriptions potentially containing information shared during support interactions)
-
- Community activity for Bright Spot users (profile information, activity, posts)
-
- Event metadata for accounts with an active Live package add-on (event names, dates, times, locations)
Our response
As soon as we learned of the incident, and in collaboration with Salesforce and Salesloft, we revoked all OAuth tokens and disabled Drift integrations. We’re in regular contact with Salesforce as their investigation continues. We‘ll update this post with additional information, where relevant, until the matter is resolved.
Precaution
Incidents of this kind can sometimes be followed by phishing attempts. As a precaution, we encourage particular vigilance when it comes to unusual emails or requests for login details.
Brightcove Confidential
