PagerDuty Confirms Data Breach After Third-Party App Vulnerability Exposes Salesforce Data


PagerDuty has reported a security incident involving unauthorized data access within its Salesforce instance. The breach was attributed to a vulnerability in the Salesloft Drift application, which was exploited via its OAuth integration with Salesforce.

Incident Timeline and Impact

The issue was first identified on Sun, Aug 20, 2025, upon notification from Salesloft regarding a potential security vulnerability. By Wed, Aug 23, Salesloft confirmed that the OAuth integration had been compromised, allowing unauthorized access to PagerDuty’s Salesforce data.

Scope of the Breach

According to PagerDuty, the breach did not affect its platform credentials or other internal systems apart from Salesforce. The compromised data included customer contact details such as names, phone numbers, and email addresses, raising concerns over potential phishing and social engineering attacks.

Security Measures and Recommendations

PagerDuty has disabled Salesloft Drift’s access to its Salesforce data and is conducting an investigation. Customers are advised to be vigilant, as official communication from PagerDuty will only occur through verified support channels, and no secure information will be requested via phone.

Industry-Wide Impact

This security event is part of a broader issue affecting users of the Salesloft Drift application. Salesloft, Salesforce, and Google’s Threat Intelligence Group have published technical details regarding the vulnerability.

Salesloft released further guidance on Sun, Aug 27, for customers managing third-party application integrations, reflecting ongoing efforts to mitigate the vulnerability’s industry-wide impact.

Ongoing Monitoring and Updates

PagerDuty continues to closely monitor the situation and will provide updates as the investigation advances. Customers are encouraged to report any suspicious communications.

Reported Victims

  • Palo Alto Networks: Exposure of business contact information and internal sales data.
  • Zscaler: Access to customer information, including names, contact details, and support content.
  • Google: Limited access to Workspace accounts through compromised tokens.
  • Cloudflare: Unauthorized access and theft of customer data from Salesforce.
