Elastic has disclosed a security incident stemming from a third-party breach at Salesloft Drift, which resulted in unauthorized access to an internal email account containing valid credentials.
While the company’s core Salesforce environment was not impacted, the incident exposed sensitive information contained within a limited number of emails.
The chain of events began on August 26, 2025, when Salesloft Drift publicly disclosed a security incident affecting its platform.
A subsequent in-depth report from Google’s Threat Intelligence Group detailed the threat actor’s activities related to the breach.
As a customer using Drift for certain business applications, Elastic initiated its incident response protocols to proactively investigate any potential impact.
Although Elastic was not directly notified of being affected, its security team launched an immediate investigation to determine whether any company or customer data was exposed.
Elastic’s investigation confirmed that its Salesforce environment was not compromised. However, the team discovered that a single email account had been exposed through the “Drift Email” integration.
This exposure may have granted an unauthorized actor read-only access to emails received in that specific inbox.
After conducting a scan of the inbox’s contents, security personnel identified a small number of inbound emails that included potentially valid credentials.
In response to this discovery, Elastic notified the customers who were potentially affected through existing support channels.
The company has stated that any customer who did not receive a direct notification was not identified as being impacted by this credential leak.
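The inbox scan described above can be sketched as follows. This is an added example, not Elastic's tooling: the rule names, regular expressions, helper functions and sample messages are all assumptions constructed for illustration. It decodes each message before matching, because a plain text search of raw mail misses credentials in base64-encoded bodies.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Illustrative rules only (assumption); real triage would use a maintained rule set.
PATTERNS = {
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    "token_assignment": re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\s*[:=]\s*([\w.\-]{16,})"),
    "basic_auth_url": re.compile(r"https?://[^\s:/@]+:([^\s@/]+)@"),
}

def redact(value):
    """Keep a 3-character prefix so the report does not become a credential store."""
    return value[:3] + "*" * (len(value) - 3)

def decoded_text(msg):
    """Subject plus every text/* part, with transfer encodings undone."""
    parts = [str(msg.get("Subject", ""))]
    parts += [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(parts)

def scan_message(raw):
    """Return one finding per rule match in a single RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    text = decoded_text(msg)
    return [
        {"message_id": str(msg.get("Message-ID", "")), "sender": str(msg.get("From", "")),
         "rule": name, "redacted": redact(m.group(1))}
        for name, rx in PATTERNS.items() for m in rx.finditer(text)
    ]

def build_sample(msg_id, sender, subject, body, cte=None):
    """Build a constructed test message; cte='base64' mimics clients that encode bodies."""
    m = EmailMessage()
    m["Message-ID"], m["From"], m["Subject"] = msg_id, sender, subject
    m.set_content(body, cte=cte)
    return m.as_string()

# Constructed inbox: no real addresses or credentials.
SAMPLES = [
    build_sample("<constructed-1@example.invalid>", "customer@example.invalid",
                 "Cluster access", "Hi,\nlog in with password: Example-Pass-123\n", cte="base64"),
    build_sample("<constructed-2@example.invalid>", "vendor@example.invalid",
                 "Invoice", "Please find the invoice attached.\n"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        for finding in scan_message(raw):
            print(finding)
```

Each finding carries the sender and message ID, which is what a team needs to map an exposed credential back to the customer to notify and the secret to rotate.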
Immediately after learning of the Drift incident, Elastic’s Information Security team took decisive action to contain the threat and assess the damage.
The team launched a comprehensive investigation, reviewing access logs, network activity, and system configurations to determine the extent of the data exposure.
A critical first step was to disable all Drift integrations within Elastic’s environment, thereby eliminating any further risk from the compromised third-party platform.
Concurrently, the team monitored open-source intelligence for Indicators of Compromise (IOCs) and coordinated with Drift’s security team to gather additional information.
Elastic has affirmed its commitment to transparency and protecting customer data, and its team continues to monitor for new information related to the event.
Confirmed victims of this supply chain attack include: