At Handshake, we're committed to delivering industry-leading privacy and security infrastructure with transparency. We ensure the information we receive is handled with care, and complies with all applicable standards, laws and regulations globally.
Handshake’s commitment to protecting data privacy goes beyond basic compliance; we continuously evaluate and refine our processes and policies to lead the industry in responsible data stewardship, continuous employer screening, and full student control.
Security Response | LiteLLM
Handshake Is Not Impacted — Security Response to LiteLLM Supply Chain Compromise
How We Found Out
Our security team identified the threat via an external advisory and immediately raised it for investigation. An incident was declared within minutes, and a live coordination bridge was spun up for real-time response.
What We Did
The response was fast and methodical. Within roughly four hours, the team completed the following:
- Dependency and usage audit — Reviewed dependency graphs across all codebases to identify direct and transitive usage of the compromised package.
- Production environment verification — Confirmed our primary deployment of the library was running a pinned, unaffected version via its lock file.
- Container build audit — Investigated all container image builds, confirming all builds predated the malicious publish window.
- Data platform investigation — Confirmed usage in our data platform was pinned to an older, unaffected version.
- Codebase-wide search — Traced all mentions of the library across internal repositories and related projects.
- Endpoint security review — Engaged our EDR provider to analyze endpoint telemetry for signs of compromise.
- Credential rotation — One engineer who ran a local build that likely pulled a compromised version rotated all environment variables available to that build agent, including LLM API keys.
- Proactive version pinning — Submitted PRs to pin all affected images to known-safe versions.
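The dependency audit, lock-file pin verification and container build-window check listed above can be expressed as a small script. The following is an added example, not Handshake's own tooling: the package name comes from this page, while the affected version set, the malicious publish window and the sample lock file are constructed placeholders that would be replaced with the values from the advisory.

```python
"""Dependency-pin and build-window audit for a compromised package.

Added illustrative example, not Handshake's tooling. AFFECTED_VERSIONS and
PUBLISH_WINDOW are PLACEHOLDERS (the page gives neither); substitute the
advisory's values before use.
"""
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
import re

PACKAGE = "litellm"
# PLACEHOLDER values: replace with the versions and UTC window from the advisory.
AFFECTED_VERSIONS = {"99.0.0", "99.0.1"}
PUBLISH_WINDOW = (
    datetime(2099, 1, 1, 0, 0, tzinfo=timezone.utc),  # PLACEHOLDER start
    datetime(2099, 1, 2, 0, 0, tzinfo=timezone.utc),  # PLACEHOLDER end
)

# One pip-style requirement line: name, optional extras, optional operator+version.
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(?:(===|==|~=|>=|<=|!=|>|<)\s*([^\s;\\#]+))?"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map normalised package name -> (operator, version) from a pip-style lock file.

    Blank lines, comments, option lines (-r, --hash continuation lines) are skipped.
    """
    pins: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = REQ_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = (m.group(2), m.group(3))
    return pins


def audit_lockfile(text: str, package: str = PACKAGE, affected=AFFECTED_VERSIONS) -> str:
    """Classify how a lock file references `package`:
    absent / unpinned / affected / pinned-safe."""
    entry = parse_requirements(text).get(normalize(package))
    if entry is None:
        return "absent"        # no direct or transitive usage recorded in this lock file
    op, version = entry
    if op not in ("==", "==="):
        return "unpinned"      # a range could resolve to a compromised release at build time
    if version in affected:
        return "affected"
    return "pinned-safe"


def build_in_window(build_time_iso: str, window=PUBLISH_WINDOW) -> bool:
    """True if a container build timestamp (ISO 8601) falls inside the publish window.
    Naive timestamps are assumed to be UTC."""
    t = datetime.fromisoformat(build_time_iso)
    if t.tzinfo is None:
        t = t.replace(tzinfo=timezone.utc)
    start, end = window
    return start <= t <= end


# Constructed sample lock file (not from the page); a pinned, unaffected version.
SAMPLE_LOCK = """\
# constructed sample
litellm==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
openai>=1.0
requests==2.32.0
"""

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))                     # pinned-safe
    print(build_in_window("2099-01-01T12:00:00+00:00"))   # True (inside placeholder window)
```

Run it against each repository's lock file and each image's build timestamp; any "unpinned", "affected", or in-window result is the case that needs the pin PR and the credential review described above.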
Two days later, our cloud provider proactively notified us that two credentials were identified in a malicious environment. These credentials were associated with an isolated research environment — not our production infrastructure. The team immediately revoked those credentials along with all associated API keys. Investigation of the affected environment concluded with no indicators of compromise identified.
Outcome
No customer data was accessed. No customer impact. No production systems were affected. Internal credentials were rotated as a precaution. The exposure was contained because most dependencies were already pinned to older, safe versions.
Salesforce Drift Incident Impact Communication Aug 2025
Update on the Salesforce–Drift Security Incident
We wanted to share a brief update regarding the Salesforce–Drift security incident.
Salesforce shared that a known threat actor, ShinyHunters, has claimed on a public Telegram channel that they intend to post data allegedly obtained from this incident. Salesforce confirmed that this issue did not stem from a vulnerability in the core Salesforce platform, and they are actively investigating in coordination with law enforcement.
There is no new evidence that any additional Handshake systems or customer data were impacted. We are continuing to monitor the situation closely and will share further updates if new information becomes available.
Handshake Security and Privacy Team
Handshake Security Update: Salesforce Drift Incident
Protecting customer data and maintaining transparency are at the core of Handshake’s mission. We are committed to keeping customers informed about security developments that may affect their organization and want to share a detailed update regarding the recent Salesforce Drift incident.
What Happened?
On Wednesday, August 27, Handshake learned of a compromise involving a third-party application, Salesloft’s Drift, which resulted in unauthorized access and exfiltration of data stored in our Salesforce environment. Once notified, Handshake took immediate action to secure the environment, disconnecting the application from its Salesforce instance and launching a comprehensive investigation with our internal security team.
The impact of this event is confined to our Salesforce environment and did not implicate Handshake’s core products, services, systems, or infrastructure.
What Information May Be Affected?
Our investigation determined that the exposed data is limited to business contact information and specific Salesforce-related content, which includes:
- Customer (company) name
- Business address and contracting information
- The name, job title, business phone number, and company email address of the customer representative
What Did Handshake Do?
Handshake took immediate steps to secure our environment and mitigate risks:
- Disconnected and revoked Salesloft Drift’s access to Handshake’s Salesforce instance. Out of an abundance of caution, we also disconnected all integrations of Drift with other applications, such as Handshake’s core product, marketing portal, and other internal sales applications.
- Rotated relevant API access tokens to prevent further access.
- Initiated a full investigation into the scope and impact of the breach, working closely with Salesforce and external experts.
- Prioritized additional safeguards and protocol enhancements to prevent similar incidents in the future.
- Activated continuous monitoring for any potential exposure or misuse of exfiltrated data tied to the incident.
Handshake will continue to provide updates should any new developments arise.
What You Can Do
We recommend the following actions to ensure your security:
- Exercise caution with unsolicited emails, phone calls, or requests for sensitive information. Always verify the source and do not disclose passwords or payment information through unverified channels.
- All communications from Handshake will come from trusted, official channels. Our email outreach will always come from @joinhandshake.com. Handshake Support will never ask for authentication or authorization details via unsolicited outreach, phone, or SMS.
- Report any suspicious activity to security@joinhandshake.com.
Need Assistance or Have Questions?
Handshake’s Customer Success and Support teams are available to assist you through all regular support channels. You may also contact the Handshake Security team directly at security@joinhandshake.com.
Your trust is paramount to us. Thank you for your continued partnership with Handshake.
PCI DSS v4.0.1 Attestation of Compliance Now Available
Handshake has successfully completed its PCI DSS v4.0.1 assessment as a Service Provider, using the Self-Assessment Questionnaire D (SAQ-D). The assessment and resulting Attestation of Compliance (AOC) were completed by a Qualified Security Assessor (QSA) from our independent auditor.
As part of our commitment to transparency and security, we’ve made both the AOC and our PCI Responsibility Matrix available for download to our customers through our Trust Portal. These documents outline our compliance status and clarify the shared responsibilities between Handshake and our customers when handling cardholder data.
Thank you for your continued trust and support.
The Handshake Security Team.
Handshake 2024-2025 SOC2, Type II
We are pleased to inform our customers that we have successfully issued our SOC 2 report for the Handshake Education and Handshake Basic, Plus, Talent Engagement Suite and Talent Essentials systems. The report covers the period March 1, 2024 to February 28, 2025, and describes controls designed and implemented in accordance with the description criteria. This achievement underscores our ongoing commitment to maintaining the highest standards of data security and privacy. For more details, please visit our Trust Portal.
Thank you for your continued trust and support.
The Handshake Security Team.
Handshake Latest Penetration Test Results
Dear Valued Customer,
We are pleased to announce the results of our latest penetration test, conducted in the second quarter of 2025. The assessment aimed to identify potential vulnerabilities and ensure the security of our systems. A letter of attestation can be downloaded from our trust portal.
Key Findings
- No Critical or High Findings: The penetration test revealed no critical or high-risk vulnerabilities that remain unaddressed.
Commitment to Security
At Handshake, we prioritize the security of our systems and data. Regular penetration testing is a key component of our proactive security strategy. We continually monitor and enhance our security practices to protect against emerging threats.
Thank you for your trust in us!
Best regards,
Handshake Security Team.