PagerDuty Confirms Breach as Hackers Access Salesforce Accounts

PagerDuty has proactively disabled Salesloft Drift’s OAuth integration with our Salesforce instance after a third-party vulnerability allowed unauthorized access.

No core PagerDuty credentials were compromised, but customers should remain vigilant against phishing attempts.

Incident Timeline and Technical Details

PagerDuty was alerted by Salesloft to a security flaw within the Drift application’s OAuth integration flow with Salesforce.

The situation escalated when Salesloft confirmed that attackers had exploited this flaw—specifically within the OAuth 2.0 authorization code grant process—enabling a threat actor to hijack the token exchange and access PagerDuty’s Salesforce data.

Crucially, PagerDuty’s native credentials, user passwords, and API keys remained secure.

| Date | Event | Technical Impact |
|---|---|---|
| Aug 20, 2025 | PagerDuty notified of Drift security issue | Identification of potential OAuth flow vulnerability |
| Aug 23, 2025 | Salesloft confirms exploitation of OAuth authorization code grant | Possible unauthorized access via compromised access tokens |
| Aug 27, 2025 | Salesloft issues mitigation steps for customers managing own Drift–third-party connections | Recommendation to rotate OAuth client secrets and refresh tokens |
| Aug 29, 2025 | PagerDuty disables Drift’s OAuth integration with Salesforce; investigation continues | Revoked Drift API scopes; ensured principle of least privilege |

Following Salesloft’s advisory, PagerDuty immediately:

  • Revoked all active OAuth access tokens and client credentials associated with the Drift–Salesforce integration.
  • Conducted an audit of our Salesforce audit logs to confirm no unauthorized queries or data exports occurred beyond basic account metadata.
  • Engaged our security operations center (SOC) to monitor for anomalous API calls and potential lateral movement indicators.
  • Coordinated with Google Threat Intelligence Group, Salesforce, and Salesloft to correlate Indicators of Compromise (IoCs) and YARA signatures across our environment.
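
The log audit described in the steps above can be sketched as follows. This is an added example, not PagerDuty's or Salesforce's tooling: the CSV column names, the sample records, the allowed network, the row threshold and the midnight-UTC revocation time are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample export; column names are illustrative, not Salesforce's schema.
SAMPLE_LOG = """timestamp,connected_app,source_ip,operation,rows
2025-08-18T09:02:11Z,Drift,198.51.100.10,query,40
2025-08-19T03:14:55Z,Drift,203.0.113.77,query,52000
2025-08-19T03:20:02Z,Drift,203.0.113.77,bulk_export,120000
2025-08-21T10:30:00Z,OtherApp,203.0.113.77,query,15
2025-08-30T01:00:00Z,Drift,198.51.100.10,query,5
"""

def audit_integration(log_text, app, allowed_nets, revoked_at, row_threshold=10000):
    """Return (timestamp, reasons) for every suspicious record of one integration."""
    nets = [ip_network(n) for n in allowed_nets]
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["connected_app"] != app:
            continue  # only the integration under investigation
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        ip = ip_address(rec["source_ip"])
        reasons = []
        # Token used from a network the vendor integration never calls from.
        if not any(ip in n for n in nets):
            reasons.append("unexpected_source_ip")
        # Large result sets or explicit exports suggest data harvesting.
        if int(rec["rows"]) >= row_threshold or rec["operation"] == "bulk_export":
            reasons.append("bulk_data_access")
        # Any call after revocation means a credential is still live.
        if ts >= revoked_at:
            reasons.append("activity_after_revocation")
        if reasons:
            findings.append((rec["timestamp"], reasons))
    return findings

if __name__ == "__main__":
    revoked = datetime(2025, 8, 29, tzinfo=timezone.utc)  # assumed cut-over time
    for ts, reasons in audit_integration(SAMPLE_LOG, "Drift", ["198.51.100.0/24"], revoked):
        print(ts, ", ".join(reasons))
```
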

Although no passwords or PagerDuty platform credentials were exposed, the OAuth breach may have revealed customer-facing data stored within Salesforce.

The potential data elements include:

| Data Type | Description | Recommended Mitigation |
|---|---|---|
| Names | Customer and contact person names | Verify legitimate requests via trusted channels |
| Phone Numbers | Business-line and mobile numbers | Ignore unexpected inbound calls |
| Email Addresses | Notification and support email addresses | Scrutinize email sender domains and URLs |

Given the risk of social engineering, PagerDuty urges all users to exercise heightened caution:

  • Phishing Awareness: Attackers may use known names or contact information to craft convincing email lures. Always verify email senders via official PagerDuty support channels.
  • Social Engineering: PagerDuty will never call to request passwords, 2FA codes, or secret tokens. Treat unsolicited requests with skepticism.
  • Security Hygiene: Rotate any stored OAuth credentials and enforce multi-factor authentication (MFA) on all critical Salesforce administrator accounts.

PagerDuty remains committed to transparency and rigorous security practices.

We will continue to investigate this incident, update customers on any significant findings, and collaborate with industry partners to strengthen the security posture of integrated applications like Salesloft Drift.

The post PagerDuty Confirms Breach as Hackers Access Salesforce Accounts appeared first on Cyber Security News.
