05 September 2025, 21:00 UTC

Fastly was impacted by the recent security incident involving Salesloft's Drift application. We have investigated and notified all Fastly customers affected. This incident was isolated to our Salesforce instance and did not impact any Fastly services, infrastructure, or products. This post includes a summary of our response and the customer outreach we’ve performed.

What Happened

Between August 13 and August 18, 2025, a threat actor (tracked as UNC6395 by Google Mandiant) exploited stolen OAuth tokens tied to the Drift integration to gain unauthorized access to Salesforce instances across many companies, including Fastly. The incident was contained on August 20, 2025 when Salesloft and Salesforce disabled the integration. We immediately began our own investigation, confirming that the malicious activity was isolated to our Salesforce instance and the data accessed was limited to case subjects, descriptions, and contact details. 

What We Did Immediately

After confirming containment, our security team took the following actions:

• Reviewed Salesforce audit logs for anomalous activity.

• Analyzed and removed other active Drift integrations out of an abundance of caution, confirming only the Salesforce integration was impacted.

• Reset OAUTH sessions by re-authenticating the integration account.

• Coordinated with Salesforce to verify containment and extract details not contained in audit logs.

• Analyzed query activities by the threat actor to identify the compromised data.

What You Can Do

We recommend customers rotate any credentials previously shared with Fastly in a support case. Additionally, to protect against potential follow-up attacks, please be cautious of unsolicited emails, calls, or requests for sensitive information. Remember, Fastly will never ask for your passwords or credentials.

Customer Notifications

We have distributed Fastly Service Advisories to impacted parties as of September 4. Fastly customers with superuser access on impacted accounts should have received an email notification of a new message in their Fastly control panel Message portal or a direct email from support@fastly.com. All other users on the impacted accounts will have received a Fastly Service Advisory to the Message portal within their control panel, and can view it upon their next log-in.

Customers who have not received a Service Advisory were not identified in our investigation as being impacted. If you have questions, please email support@fastly.com.