The recent Salesforce data breach involving Drift, an application acquired by Salesloft, highlights an often-overlooked vulnerability: fourth-party risk.
When you trust a vendor with your data, you’re also trusting every application and partner they use. If your vendor's security is compromised by one of their partners, the risk passes directly to you and your customers.
What can we learn from this breach, and how can you choose outsourcing partners who will keep your data — and your customers’ data — safe and secure?
What Happened with the Drift and Salesforce Data Breach?
Starting as early as August 8, 2025, a threat actor targeted Salesforce customer instances through a compromised OAuth token associated with Salesloft Drift. This allowed the actor to export and analyze large volumes of data, searching for credentials and sensitive data that could be exploited to breach connected systems.
By August 20, Salesloft had worked with Salesforce to revoke all active access tokens for the Drift application and had removed it from the AppExchange until they resolved the issue a few weeks later.
How did this happen? A core weakness in the acquired application's AI infrastructure was exploited, forcing the chatbot platform offline and leaving many companies without vital customer support — and at risk of exposing sensitive customer data.
It’s a familiar tradeoff: speed to market vs. responsible deployment. Companies racing to launch AI tools quickly sometimes take on risks they can’t see until it’s too late.
How to Make Sure Your Partners Protect Your Data
When you bring on a vendor, you’re also bringing on their tech stack and any risks tied to their applications and vendors.
Here are a few questions you should ask as you evaluate potential partners and how they manage risk:
- What does your security infrastructure look like? A trustworthy partner will be transparent about their security architecture. They should be able to explain how they protect data with encryption, role-based access, and other security measures.
- What are your IT Operations Security (OpSec) practices? This includes everything from how they handle data to how they monitor for threats. For example, look for partners who use tools like the Island Enterprise Browser to control agent access and prevent data exfiltration.
- What are your vendor management policies? Your partner should have a clear process for vetting their own vendors. Ask them how they evaluate the security and compliance of the third-party tools they use.
The right outsourcing partner will have robust, transparent security protocols, application risk management strategies, and a commitment to protecting your data at every level.
We Take Your Data Security Seriously
The Drift breach eroded customer trust. Even after the application came back online, you may be hesitant to use it again.
At SupportNinja, we build CX operations with data security at their foundation. Our Privacy-First Principle means that privacy is embedded into every system and workflow by design.
We use human-in-the-loop (HITL) tuning and synthetic data to train our AI models, never customer data. We also maintain annual audited compliance with GDPR, HIPAA, SOC 2, and PCI-DSS to ensure your data is always secure.
If you’ve been impacted by the Drift breach or are re-evaluating your vendors’ security, we can help you build a more secure foundation for your CX operations. Let’s talk.
