Salesloft–Drift Breach: Over 700 Organizations Compromised.


Salesloft–Drift Breach: Over 700 Organizations Impacted — A SaaS Supply-Chain Wake-up Call

Summary: In August 2025, an OAuth token compromise related to the Salesloft–Drift integration allowed attackers to access numerous Salesforce instances and extract large volumes of CRM data. More than 700 organizations are reported impacted.

1. Context & Timeline

Between 8 and 18 August 2025, threat actors used stolen OAuth/refresh tokens from the Salesloft–Drift integration to access customer Salesforce environments. Activity included mass exports of contacts, support cases and other CRM data. Salesforce and vendors began revoking tokens and disabling the Drift integration in late August and early September 2025.

2. Scope & Confirmed Victims

Public reporting and vendor notices indicate over 700 organizations were potentially affected. Confirmed impacted organizations include:

  • Cloudflare
  • Palo Alto Networks
  • Zscaler
  • Tanium
  • SpyCloud
  • Proofpoint
  • Tenable
  • Whatfix
  • Workiva
  • JFrog
  • Bugcrowd
  • Esker
  • Sigma
  • Google (some Workspace accounts via Drift Email)

3. Attack Method & Data Exfiltrated

Attackers obtained OAuth tokens tied to the Salesloft–Drift integration. These tokens grant API-level access and let the holder act as the authorized application, so no interactive login or MFA step is involved and the traffic looks like the integration's normal activity. Using these tokens the adversaries:

  • Exported large volumes of CRM data (contacts, emails, roles, phone numbers, support cases).
  • Searched exported datasets for embedded secrets (API keys, AWS/Snowflake tokens, credentials).
  • Leveraged discovered secrets to attempt lateral escalation in some cases.

Example: Cloudflare reported internal API tokens among the data exfiltrated and rotated impacted tokens.
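The mass exports described in this section are visible in API audit telemetry as a sudden spike in rows read by a single connected app or token, often against objects the integration never touched before. The following detection script is an added example written for this summary, not code from any of the affected vendors or from Salesforce or Salesloft. The event format (newline-delimited JSON with ts, app, token_id, operation, object and rows fields), the sample events and the per-app baseline of expected objects are all constructed assumptions; a real deployment would map them onto the org's actual API event log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API audit events, one JSON object per line. The field names
# (ts, app, token_id, operation, object, rows) are assumptions for this
# example, not the schema of any real Salesforce or Salesloft log source.
SAMPLE_EVENTS = """\
{"ts": "2025-08-09T02:01:10Z", "app": "Drift", "token_id": "tok-A", "operation": "query", "object": "Contact", "rows": 200}
{"ts": "2025-08-09T02:02:15Z", "app": "Drift", "token_id": "tok-A", "operation": "query", "object": "Contact", "rows": 2000}
{"ts": "2025-08-09T02:10:40Z", "app": "Drift", "token_id": "tok-A", "operation": "query", "object": "Contact", "rows": 2000}
{"ts": "2025-08-09T02:20:05Z", "app": "Drift", "token_id": "tok-A", "operation": "query", "object": "Case", "rows": 1500}
{"ts": "2025-08-09T03:00:00Z", "app": "NightlyBackup", "token_id": "tok-B", "operation": "query", "object": "Contact", "rows": 4000}
{"ts": "2025-08-09T05:00:00Z", "app": "NightlyBackup", "token_id": "tok-B", "operation": "query", "object": "Account", "rows": 3000}
{"ts": "2025-08-09T10:00:00Z", "app": "Drift", "token_id": "tok-C", "operation": "query", "object": "Lead", "rows": 50}
"""

# Constructed baseline: the objects each connected app is expected to read.
# In practice this comes from the integration's documented scopes plus a
# period of observed normal traffic.
BASELINE_OBJECTS = {
    "Drift": {"Contact", "Lead"},
    "NightlyBackup": {"Contact", "Account", "Case"},
}


def parse_events(text):
    """Parse newline-delimited JSON events and convert timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_mass_exports(events, row_threshold=5000, window=timedelta(hours=1)):
    """Flag (app, token) pairs that read >= row_threshold rows inside any sliding
    window, plus any read of an object outside the app's baseline."""
    alerts = []
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["app"], ev["token_id"])].append(ev)

    for (app, token_id), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])

        # Unusual-object check: one alert per object the app is not expected to read.
        expected = BASELINE_OBJECTS.get(app, set())
        for obj in sorted({e["object"] for e in evs} - expected):
            alerts.append({"type": "unusual_object", "app": app,
                           "token_id": token_id, "object": obj})

        # Volume check: two-pointer sliding window over the sorted events.
        start, total, flagged = 0, 0, False
        for end, ev in enumerate(evs):
            total += ev["rows"]
            while ev["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total >= row_threshold and not flagged:
                alerts.append({"type": "mass_export", "app": app,
                               "token_id": token_id, "rows": total,
                               "window_start": evs[start]["ts"].isoformat(),
                               "window_end": ev["ts"].isoformat()})
                flagged = True  # one volume alert per (app, token)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_exports(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample, token tok-A trips both checks (5,700 rows inside twenty minutes, and a read of Case, which Drift has no reason to touch), while the backup app's two large reads fall in separate windows and stay quiet. The threshold and window are the tuning knobs; a reasonable starting point is the largest hourly volume the integration produced during a known-good baseline period.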

4. Why This Matters

  1. SaaS third-party risk: Integrations can become high-impact attack vectors.
  2. OAuth tokens are powerful: a stolen token acts as a legitimate credential, and its misuse is harder to detect because the requests come from an app the organization already trusts.
  3. Cascade effect: data exfiltration can reveal further secrets enabling broader compromise.
  4. Reputational impact: several cybersecurity vendors themselves were affected, undermining trust.

5. Practical Recommendations

Response and hardening steps for affected and at-risk organizations:

  • Immediately revoke and reissue all OAuth tokens associated with the compromised integration.
  • Audit exported data for embedded secrets; rotate any exposed keys (AWS, Snowflake, API tokens).
  • Enhance API telemetry: alert on mass exports (row counts per connected app and token) and on API access to objects an integration does not normally read.
  • Apply least privilege to integration scopes and prefer short-lived tokens.
  • Perform vendor due diligence: require security attestations and regular audits for third-party apps.
  • Prepare anti-phishing measures: stolen contact lists can fuel spear-phishing campaigns.
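The second recommendation above, auditing the exported data for embedded secrets, is what tells an organization which keys actually need rotating. The script below is an added example written for this summary, not tooling from any vendor named on this page. It scans a copy of the exported CRM records for three indicator types (AWS access key IDs, which have a documented fixed format; bearer tokens pasted into notes; and generic name=value assignments with secret-like names) and reports redacted previews so the audit log itself does not re-expose the secrets. The records and every key-looking value in them are constructed; the AWS values are the well-known documentation examples, not live credentials.

```python
import re
from collections import Counter

SECRET_PATTERNS = {
    # AWS access key IDs are 20 characters beginning with AKIA (documented format).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # HTTP bearer tokens pasted into notes, support cases or chat transcripts.
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    # Generic name=value / name: value assignments with secret-like names.
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret\w*|password|token)\s*[:=]\s*['\"]?([^\s'\",;]{8,})"),
}

# Constructed sample of exported CRM records. Field names and all values are
# made up for this example; the AWS key values are the public documentation
# examples and are not live credentials.
SAMPLE_RECORDS = [
    {"Id": "003A00000001", "Object": "Contact", "Name": "Alice Example",
     "Notes": "Renewal call scheduled for Q4; prefers email."},
    {"Id": "500A00000002", "Object": "Case", "Subject": "S3 ingest failing",
     "Description": "Customer pasted their config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500A00000003", "Object": "Case", "Subject": "Webhook setup",
     "Description": "Dev shared curl: curl -H 'Authorization: Bearer "
                    "eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl' https://api.example.test/v1/hook"},
    {"Id": "003A00000004", "Object": "Contact", "Name": "Bob Example",
     "Notes": "Phone: +1-555-0100. Password reset requested on 2025-08-01."},
    {"Id": "500A00000005", "Object": "Case", "Subject": "Snowflake connector",
     "Description": "snowflake_token = sf_ExAmPlE_0123456789"},
]


def redact(secret):
    """Keep a 4-character prefix and the length: enough to identify which key
    to rotate, not enough to reuse it."""
    return f"{secret[:4]}...[{len(secret)} chars]"


def scan_records(records):
    """Scan every string field of every record and return one finding per match."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(value):
                    # The secret is the last capture group, or the whole match
                    # for patterns that have no groups.
                    secret = m.group(m.lastindex or 0)
                    findings.append({"record_id": rec["Id"], "field": field,
                                     "kind": kind, "preview": redact(secret)})
    return findings


def summarize(findings):
    """Count findings per indicator type, for the rotation tracker."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f)
    print(summarize(found))
```

On the sample this yields four findings across three support cases and none for the contact whose notes merely mention a password reset, because the generic pattern requires an actual assignment (`name=value` or `name: value`) rather than the word alone. In a real audit the previews map to owners: the AWS pair goes to the cloud team for rotation, the bearer token to whoever owns the API it was issued for, and the connector token to the data platform team.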

6. Conclusion

The Salesloft–Drift incident is a stark reminder that the security posture of any organization must include strict governance over third-party integrations. Treat OAuth tokens and connected apps as critical assets: maintain inventories, enforce rotations, limit scopes, and monitor API activity. The security of an enterprise today is only as strong as its weakest SaaS integration.

Sources & notes: Public vendor statements and threat-intelligence reporting (Google Threat Intelligence, SOC Radar, SecurityWeek, Tech coverage) informed this summary. Numbers and lists reflect public reporting and may evolve as investigations continue.