September 8, 2025
Vulnerability
Overview
In August 2025, Salesloft (owner of Drift) disclosed a breach that had been active for several months. The attackers moved step by step across systems: starting in GitHub, pivoting into AWS, and from there harvesting OAuth tokens that provided direct access into Salesforce environments.
With these tokens, they extracted business-critical data and even uncovered additional secrets like AWS keys, Snowflake tokens, and passwords. Several global companies, including Cloudflare, Zscaler, and Palo Alto Networks, confirmed they were affected.
The case highlights a growing risk area: OAuth tokens and third-party integrations that are often overlooked but provide deep access to SaaS platforms.
Attack Flow in Detail
GitHub Access
Attackers gained access to Drift’s GitHub organization.
Entry method not yet confirmed (possible credential theft, weak controls, or misconfigurations).
Pivot to AWS
From GitHub, attackers reached AWS infrastructure.
Found storage containing Salesforce OAuth and refresh tokens.
Token Abuse
Tokens were exfiltrated.
Attackers used them to log directly into Salesforce orgs of Drift customers.
Salesforce Compromise
Executed SOQL queries against key objects:
Cases (support data)
Contacts (customer records)
Opportunities (sales pipeline)
Extracted secrets stored in records:
AWS keys
Snowflake tokens
Passwords
Covering Tracks
Deleted jobs in Salesforce to reduce visibility.
Activity continued for months without detection.
Containment
Mid-August 2025: Salesforce and Salesloft revoked all Drift tokens.
Drift removed from the Salesforce AppExchange.
Key Observations
Token storage created exposure – Sensitive OAuth tokens were stored in accessible locations.
Monitoring gaps – Months of activity went undetected, despite abnormal queries and deletions.
Third-party integrations expand risk – Once tokens were compromised, attackers had trusted access into customer environments.
No advanced exploit required – The breach relied on weak operational practices, not zero-day vulnerabilities.
Recommendations
Review all OAuth integrations with Salesforce and other SaaS platforms.
Rotate and expire tokens regularly; avoid long-lived secrets.
Enforce least-privilege scopes for third-party apps.
Monitor for unusual SOQL queries, large data exports, or unexpected API calls.
Audit CRM records and support systems for embedded secrets (API keys, passwords).
Train developers and admins on the security risks of storing tokens and secrets in code or tickets.
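Two of the checks above, the record audit for embedded secrets and the bulk-read monitor, as an added example that is not code from Salesloft, Salesforce or the advisory. The Case records and API-usage rows are constructed sample data; the API column names (USER_ID, ENTITY_NAME, ROWS_PROCESSED) are an assumption modelled on Salesforce event log files, and the password and Snowflake patterns are coarse heuristics that need tuning per org.

```python
import re
from collections import defaultdict

# Constructed sample Case records; field names mirror the standard
# Salesforce Case object, the content is made up for this example.
SAMPLE_CASES = [
    {"Id": "case-constructed-1", "Subject": "Login issue",
     "Description": "User cannot log in since Monday."},
    {"Id": "case-constructed-2", "Subject": "Pipeline failure",
     "Description": "Use AKIAIOSFODNN7EXAMPLE to pull from xy12345.snowflakecomputing.com"},
    {"Id": "case-constructed-3", "Subject": "DB access",
     "Description": "temp password: Summ3r!2025 for the analyst account"},
]

# Heuristics for the secret types named in the incident. The AWS access key ID
# format (AKIA/ASIA + 16 uppercase letters or digits) is documented by AWS;
# the other two are coarse and will need tuning per org.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
    "snowflake_account_url": re.compile(r"(?i)\b[\w.-]+\.snowflakecomputing\.com\b"),
}

def find_embedded_secrets(records, fields=("Subject", "Description")):
    """Return (record Id, pattern name) for free-text fields that look like they hold a secret."""
    hits = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    hits.append((rec["Id"], name))
    return hits

# Constructed API-usage rows; column names are an assumption modelled on
# Salesforce event log files, so check them against your own export.
SAMPLE_API_ROWS = [
    {"USER_ID": "user-constructed-app", "ENTITY_NAME": "Case", "ROWS_PROCESSED": 200},
    {"USER_ID": "user-constructed-app", "ENTITY_NAME": "Case", "ROWS_PROCESSED": 50000},
    {"USER_ID": "user-constructed-app", "ENTITY_NAME": "Contact", "ROWS_PROCESSED": 45000},
    {"USER_ID": "user-constructed-human", "ENTITY_NAME": "Case", "ROWS_PROCESSED": 20},
]

def flag_bulk_reads(rows, threshold):
    """Sum rows read per (user, object) and return the pairs above threshold, sorted."""
    totals = defaultdict(int)
    for row in rows:
        totals[(row["USER_ID"], row["ENTITY_NAME"])] += int(row["ROWS_PROCESSED"])
    return sorted((u, o, n) for (u, o), n in totals.items() if n > threshold)
```

The threshold should come from a per-integration baseline of normal daily row counts; a connected app that suddenly reads tens of thousands of Case or Contact rows is the pattern described in the attack flow.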
Closing Notes
This incident demonstrates how overlooked details — like token management and integration hygiene — can lead to large-scale breaches. OAuth tokens and connected applications must be treated with the same level of protection as passwords or private keys.
The Drift case shows that attackers don’t need new exploits when common gaps are left unaddressed. Every organization using Salesforce or similar SaaS tools should re-evaluate its approach to integrations, secrets management, and monitoring.
Resources:
https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Update
https://thehackernews.com/2025/08/salesloft-oauth-breach-via-drift-ai.html