Security update regarding Salesloft Drift

On August 27, 2025, we identified a security issue involving Salesloft Drift, the application we use to provide chat functionality on our website that integrates with Salesforce CRM. We disconnected the application and began an investigation, engaging with both Salesloft and Salesforce.

Salesloft confirmed that a threat actor had compromised its systems, stole credentials, and used those credentials to run searches in customers’ Salesforce environments.

Our investigation confirmed that we had been impacted. At this time, there is no evidence that Salesloft’s security incident affected Avalara’s software or services, or customer data contained within them.

Salesforce has informed us that their logging and searching functionality does not enable recreation of the exact search results that would have been seen by the threat actor.

We have determined, though, that the actor’s searches in Salesforce provided access to only a subset of information in the application, such as business contact information, Salesforce case information, Sales Operations data, and billing line items. As of today, there is no evidence that payment or other financial data was exposed as a result of this unauthorized access. The threat actor did not have access to external files stored in Salesforce such as contracts, order forms, or other attachments.

While we advise customers not to upload credentials to us in support cases, we are, out of an abundance of caution, searching cases for this information. To date, we have not found any customer credentials included therein, and if we do, we will inform the customer directly. We encourage customers to review their own support cases to determine whether rotating any credentials would be appropriate.

Additional information about the Drift incident, and other protective measures customers can consider are available here.

We are committed to transparency and earning customer trust in all things security. 

Sincerely, 

The Avalara Team