Elastic Security Incident: Unauthorized Access to Email Account with Valid Credentials
Elastic has disclosed a security incident resulting from a third-party breach at Salesloft Drift, which led to unauthorized access to an internal email account containing valid credentials. While the company’s core Salesforce environment remained unaffected, the incident did expose sensitive information within a limited number of emails. The sequence of events began on August 26, 2025, when Salesloft Drift publicly announced a security incident impacting its platform. An in-depth report from Google’s Threat Intelligence Group subsequently detailed the activities of the threat actor involved in the breach. As a customer utilising Drift for specific business applications, Elastic proactively initiated its incident response protocols to investigate any potential impact. Although Elastic was not directly informed of being affected, its security team promptly launched an investigation to ascertain whether any company or customer data had been compromised.
The investigation confirmed that Elastic’s Salesforce environment was not compromised. However, the team discovered that a single email account had been exposed through the “Drift Email” integration. This exposure may have allowed an unauthorized actor read-only access to emails received in that particular inbox. Following a thorough scan of the inbox’s contents, security personnel identified a small number of inbound emails that contained potentially valid credentials. In response to this finding, Elastic notified potentially affected customers through existing support channels. The company clarified that any customer who did not receive a direct notification was not identified as being impacted by this credential leak.

Upon learning of the Drift incident, Elastic’s Information Security team took decisive action to contain the threat and assess the damage. They launched a comprehensive investigation, reviewing access logs, network activity, and system configurations to determine the extent of the data exposure. A critical first step was disabling all Drift integrations within Elastic’s environment, eliminating any further risk from the compromised third-party platform. Concurrently, the team monitored open-source intelligence for Indicators of Compromise (IOCs) and coordinated with Drift’s security team to gather additional information. Elastic has reaffirmed its commitment to transparency and the protection of customer data, and its team continues to monitor for new information related to the event.

Confirmed victims of this supply chain attack include Palo Alto Networks, which confirmed the exposure of business contact information and internal sales data from its CRM platform, and Zscaler, which reported that customer information, including names, contact details, and some support case content, was accessed.
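As an added illustration of the inbox triage step described above, and not Elastic’s own tooling, the following Python scans a constructed set of inbound messages for credential-like content so that the senders who need a notification can be listed; the sample messages and the regex patterns are assumptions, not data from the incident.

```python
import re
from email import message_from_string

# Constructed sample inbox (raw RFC 822 text), standing in for an export of the exposed mailbox.
SAMPLE_MAILBOX = [
    """From: alice@example-customer.test
Subject: Cluster access

Hi, here is the key for the staging cluster: ApiKey: ZXhhbXBsZS1rZXktMTIzNDU2Nzg5MA==
""",
    """From: bob@example-customer.test
Subject: Question about billing

Can you explain the invoice from last month?
""",
    """From: carol@example-customer.test
Subject: Login not working

password: Sup3rSecret!2025 -- it still rejects me, please check.
""",
]

# Illustrative credential patterns (assumption: tune for the secret formats your customers use).
CREDENTIAL_PATTERNS = {
    "password": re.compile(r"\bpass(?:word|wd)?\s*[:=]\s*\S+", re.IGNORECASE),
    "api_key": re.compile(r"\bapi[_ -]?key\s*[:=]\s*[A-Za-z0-9+/=_\-]{16,}", re.IGNORECASE),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}"),
}


def message_body(msg):
    """Collect the decoded text/plain parts of a parsed message (single-part or multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def find_credential_emails(raw_messages):
    """Return (sender, subject, [matched pattern names]) for each message carrying a credential-like string."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        matched = [name for name, pat in CREDENTIAL_PATTERNS.items() if pat.search(message_body(msg))]
        if matched:
            hits.append((msg["From"], msg["Subject"], matched))
    return hits


def senders_to_notify(raw_messages):
    """Deduplicated, sorted list of senders whose credentials were exposed and who should be contacted."""
    return sorted({sender for sender, _, _ in find_credential_emails(raw_messages)})
```

The matched pattern names tell the responder which kind of secret to ask the customer to rotate; any hit should be confirmed by hand before notification.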
Categories: Security Incident, Data Exposure, Incident Response
Tags: Elastic, Security Incident, Third-Party Breach, Salesloft Drift, Unauthorized Access, Email Account, Credentials, Incident Response, Data Exposure, Supply Chain Attack