September 2025 – Elastic confirmed that it was affected by a third-party security incident originating from a breach in the Salesloft Drift platform. Although Elastic’s core Salesforce systems remained secure, the event underscores the risk of interconnected SaaS tools and the importance of proactive incident response.
Incident Summary
- The chain reaction began when Salesloft Drift, a widely used sales-chat integration platform, suffered a cybersecurity breach.
- As part of Elastic’s operations, a Drift-connected email account was exposed, potentially allowing unauthorized, read-only access to incoming emails.
- During review, Elastic discovered a small number of inbound emails in that inbox contained potentially valid credentials, possibly revealing sensitive access information.
- In response, Elastic’s security team:
  - Disabled the Drift integration across its systems.
  - Launched a robust investigation, including reviewing access logs, network activity, and system configurations.
  - Notified impacted customers via established channels—explicitly clarifying no other Salesforce or platform data was affected.
Why This Matters
- Third-party tools can be attack vectors. Drift’s integration acted as a conduit—even though Salesforce was unaffected for Elastic, credentials exposed through ancillary services pose real risks.
- Proactive response matters. Elastic promptly initiated incident response even before receiving direct notification—demonstrating excellent security posture.
- Communication builds trust. Transparent notification to affected clients, combined with swift containment actions, reinforces credibility and accountability.
Key Takeaways for Security Teams
- Embed proactive incident response. Don’t wait for notification—kick off investigations at the first sign of upstream compromise.
- Monitor all integrations. Even non-critical interfaces like email connectors should be reviewed regularly for exposure risks.
- Enable rapid containment. Ensure you can disable third-party integrations quickly if compromise is suspected.
- Audit incoming communications. Be wary of emails arriving through integrated tools—especially ones carrying credentials or access details.
- Reassure stakeholders clearly. After assessment, communicate what was (and wasn’t) affected to maintain trust.
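The "audit incoming communications" step above, worked as an added example (not Elastic's or Salesloft's code): given the raw messages of an inbox that a compromised integration could read, list which messages carried credential-like content so their owners can be told what to rotate. The detection patterns, the `triage_mailbox` function and the sample messages are constructed for this illustration.

```python
"""Triage an integration-connected mailbox for credential material.

Added example, not code from Elastic or Salesloft. Detection patterns and
sample messages are constructed; extend PATTERNS for your environment.
"""
import re
from email import message_from_string
from email.policy import default

# Constructed patterns: label -> regex. Kept narrow to limit noise; the
# rotation owner confirms each hit, so a false positive costs little.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_field": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def message_text(msg):
    """Return the decoded text/plain body of a message ("" if none)."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def triage_mailbox(raw_messages):
    """Return (message_id, sender, matched_labels) per message with a hit.
    The matched secrets are never returned or logged: the finding points
    at what to rotate rather than copying the credential somewhere new."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        body = message_text(msg)
        hits = sorted(label for label, rx in PATTERNS.items() if rx.search(body))
        if hits:
            findings.append((str(msg["Message-ID"]), str(msg["From"]), hits))
    return findings


# Constructed sample inbox: one benign message and two carrying credentials.
SAMPLE_INBOX = [
    "Message-ID: <1@example.test>\nFrom: prospect@example.test\n\n"
    "Can we schedule a demo next week?\n",
    "Message-ID: <2@example.test>\nFrom: dev@example.test\n\n"
    "Staging key: AKIAIOSFODNN7EXAMPLE\npassword: hunter2-rotate-me\n",
    "Message-ID: <3@example.test>\nFrom: ops@example.test\n\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
]

if __name__ == "__main__":
    for mid, sender, hits in triage_mailbox(SAMPLE_INBOX):
        print(f"{mid} from {sender}: rotate {', '.join(hits)}")
```

Each finding is a pointer for the credential owner, so the output can be shared with the rotation team without itself becoming a new copy of the secret.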