Salesforce-Connected Third-Party Drift Application Incident Response Update

Update for November 10, 2025

Status: Closed

HackerOne confirms that this matter is now fully resolved. The connector involved in this incident remains disabled, all credentials have been rotated, and remediation is complete. Accordingly, this incident is considered closed. 

Summary

Platform functionality remains unaffected, no lateral movement was detected, and there was no exposure of vulnerability data. 
 

This resolution reflects HackerOne’s ongoing commitment to transparency, rigorous security practices, and continuous improvement of internal controls. 

Contact and support

For questions or additional information regarding this incident or any other security-related matter, please contact support@hackerone.com.

HackerOne appreciates the continued trust of its customers and partners.

Update for September 11, 2025

HackerOne continues to investigate the recent Salesloft Drift incident, and we are posting here to update you on the status of our investigation as well as provide additional information we are able to share at this time.

Based on the information we have to date, a subset of HackerOne's Salesforce data was accessed via the Drift application on August 13th and August 18th. Both the dates and the indicators of compromise are consistent with what Salesloft has reported, which can be found at trust.salesloft.com.

We can confirm that all Salesforce Drift connectors are currently offline, and, as a precaution, we have rotated all relevant API and service credentials. Due to HackerOne's strict policies and controls governing data segmentation, we have no reason to suspect that the incident impacted or exposed any customer vulnerability data.  Nor have we found any indication of lateral movement.

We understand that you may still have questions about this incident, and we appreciate your patience as we continue our investigation. HackerOne has engaged a third-party forensics firm to ascertain what records were accessed, and we will communicate directly with impacted customers, as appropriate.

Original Post from August 28, 2025

Recently, hundreds of companies have been responding to an attack that resulted in unauthorized access to Salesforce records connected to the Drift (from Salesloft) application, a situation detailed in reports from Mandiant and others.

As part of our commitment to transparency, trust, and our company value of Default to Disclosure, we are writing to confirm that HackerOne is among the companies impacted by this incident. Our security team received notice of the potential compromise from Salesforce on Friday, August 22, and this was confirmed by Salesloft on August 23. HackerOne’s security team immediately initiated incident response procedures, working in partnership with Salesforce and Salesloft, to assess the scope and impact of this incident.

HackerOne’s investigation is ongoing, but we can confirm that a subset of records in our Salesforce instance was accessed via a compromise of the Drift application. Due to HackerOne’s strict policies and controls governing data segmentation, we have no reason to suspect that the incident impacted or exposed any customer vulnerability data.

We are continuing to conduct forensics on the records that were accessed and will communicate directly with any impacted customers, as appropriate.