Updated September 4, 2025, to include the following passage:
- Information shared may include credentials, such as client secrets, API tokens, and passwords. These should be considered compromised. We strongly encourage customers to rotate any credentials that they may have shared with us via support interactions.
The incident
Security researchers recently identified an attack against the Salesloft Drift application, which integrates with Salesforce. According to reports from Mandiant and the Google Threat Intelligence Group, a threat actor (UNC6395) exploited compromised OAuth integrations to gain limited access to Salesforce customer instances beginning August 8, 2025 through at least August 18, 2025. The primary aim is believed to be credential harvesting. The official Google Threat Intelligence Group report is available at this link.
This was a widespread incident and there’s nothing to suggest it involved the Brightcove platform.
Data potentially exposed
The data potentially exposed relates to Salesforce, which we use for some customer support purposes.
This data may include the following:
-
- Standard business contact details (name, work email, phone, job title, company)
-
- Customer support interactions (notes, discussion points, call metadata, case descriptions potentially containing information shared during support interactions)
- [Added] Information shared may include credentials, such as client secrets, API tokens, and passwords. These should be considered compromised. We strongly encourage customers to rotate any credentials that they may have shared with us via support interactions.
- Customer support interactions (notes, discussion points, call metadata, case descriptions potentially containing information shared during support interactions)
-
- Community activity for Bright Spot users (profile information, activity, posts)
-
- Event metadata for accounts with an active Live package add-on (event names, dates, times, locations)
Our response
As soon as we learned of the incident, and in collaboration with Salesforce and Salesloft, we revoked all OAuth tokens and disabled Drift integrations. We’re in regular contact with Salesforce as their investigation continues. We‘ll update this post with additional information, where relevant, until the matter is resolved.
Precaution
Incidents of this kind can sometimes be followed by phishing attempts. As a precaution, we encourage particular vigilance when it comes to unusual emails or requests for login details.
[Added] We strongly encourage customers to rotate any credentials that they may have shared with us via support interactions.
Brightcove Confidential
