Salesforce Integrations Compromised via Salesloft Drift Breach

PenligentAI · 8 September 2025
A major security incident tied to the Salesloft Drift AI chatbot integration has recently rocked the enterprise SaaS ecosystem, compromising the Salesforce environments of hundreds of companies.
The breach, first identified in August 2025, began when attackers obtained OAuth and refresh tokens tied to Drift integrations. These tokens were then abused to pull sensitive Salesforce data from victim organizations, leading to a large-scale leak of customer and sales information.

Expanding List of Impacted Organizations
The ripple effects have spread quickly. Multiple high-profile cybersecurity and tech firms have confirmed exposure, including:
- Cloudflare
- Palo Alto Networks
- Zscaler
- Proofpoint
- SpyCloud
- Tanium
- Tenable
- CyberArk
Attackers were able to access customer contact lists, deal and sales records, technical support case data, and—more critically—API tokens that could provide further access into business systems.
(TechRadar, The Cloudflare Blog, PagerDuty)
The Attack Playbook: OAuth Abuse at Scale
According to Google Threat Intelligence Group (GTIG), this was a highly targeted campaign. The attackers methodically used legitimate authorization flows to harvest credentials such as AWS keys and Snowflake tokens, turning the Drift–Salesforce integration into a large-scale credential collection mechanism.
While the adversaries deleted some execution jobs to cover their tracks, robust log systems still revealed unusual patterns of OAuth activity.
The breach fallout has prompted companies to sever Drift integrations and immediately rotate security credentials.
Tracing the Breach to Its Source
Investigators have traced the roots of the incident back to a March–June 2025 compromise of Salesloft’s GitHub account. During this window, attackers reportedly exfiltrated private source code repositories, altered access controls, and ultimately obtained Drift platform OAuth tokens. Those tokens opened the door to integrated Salesforce instances.
(HackRead)
Threat group UNC6395 is believed to be the primary operator. While the actor “ShinyHunters” publicly claimed responsibility, security analysts have yet to confirm a direct link.
Recommended Defensive Actions
Immediate response measures for organizations:
- Revoke and regenerate all OAuth and refresh tokens tied to Drift, Drift Email, Salesforce, or Workspace integrations. (TechRadar)
- Conduct a full review of all third-party SaaS integrations—permissions, scopes, and logs—for suspicious OAuth usage. (Varonis)
- Enforce least-privilege principles for all connected applications, with stricter OAuth approval flows.
- Integrate vendor risk management into security operations, including regular assessments for mission-critical integrations.
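The log review in the second item can be scripted. As an added example (not code from the original post or from Penligent), the Python below scans constructed, Salesforce-style API event records for a connected app that pulls sensitive objects in bulk or uses its token from a source address outside its known baseline, which is the shape of activity the breach described above produced. The record fields, app names, IP addresses and thresholds are assumptions made for the example.

```python
"""Flag suspicious OAuth-integration activity in constructed API event records.
A review aid for the triage step, not a replacement for vendor tooling."""
from collections import defaultdict

# Objects whose bulk export by a chatbot integration is out of character.
SENSITIVE_OBJECTS = {"Account", "Contact", "Opportunity", "Case"}
BULK_ROW_THRESHOLD = 1000  # rows pulled per (app, object) across the window

# Baseline of source IPs each connected app is known to use (assumed values).
KNOWN_APP_IPS = {"DriftChat": {"203.0.113.10"}}

# Constructed sample events; field names are assumptions, not a real log schema.
SAMPLE_EVENTS = [
    {"app": "DriftChat", "op": "Query", "obj": "Lead", "rows": 40, "ip": "203.0.113.10"},
    {"app": "DriftChat", "op": "Query", "obj": "Lead", "rows": 55, "ip": "203.0.113.10"},
    {"app": "DriftChat", "op": "RefreshToken", "obj": "", "rows": 0, "ip": "198.51.100.7"},
    {"app": "DriftChat", "op": "Query", "obj": "Case", "rows": 2000, "ip": "198.51.100.7"},
    {"app": "DriftChat", "op": "Query", "obj": "Account", "rows": 1500, "ip": "198.51.100.7"},
    {"app": "BillingSync", "op": "Query", "obj": "Account", "rows": 300, "ip": "192.0.2.5"},
]


def find_suspicious_oauth_activity(events, known_ips=KNOWN_APP_IPS,
                                   threshold=BULK_ROW_THRESHOLD):
    """Return a sorted list of (app, reason) findings for the given events."""
    findings = set()
    rows_by_app_obj = defaultdict(int)
    for e in events:
        app, ip = e["app"], e["ip"]
        # Rule 1: the app's token is used from an address outside its baseline.
        # Apps with no recorded baseline are skipped rather than guessed at.
        if app in known_ips and ip not in known_ips[app]:
            findings.add((app, f"activity from unknown source ip {ip}"))
        # Rule 2: accumulate rows pulled per sensitive object; one large query
        # or many small ones both count toward the bulk threshold.
        if e["op"] == "Query" and e["obj"] in SENSITIVE_OBJECTS:
            rows_by_app_obj[(app, e["obj"])] += e["rows"]
    for (app, obj), rows in rows_by_app_obj.items():
        if rows >= threshold:
            findings.add((app, f"bulk export of {obj}: {rows} rows"))
    return sorted(findings)


if __name__ == "__main__":
    for app, reason in find_suspicious_oauth_activity(SAMPLE_EVENTS):
        print(f"[REVIEW] {app}: {reason}")
```

On the constructed sample this reports three findings, all for DriftChat, while BillingSync stays quiet because its volume is below the threshold and it has no baseline to compare against.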

Where Penetration Testing Proves Its Worth
The Salesloft Drift breach is a blunt reminder: vulnerabilities in SaaS integrations are not an abstract risk—they’re a threat vector with real, high-impact consequences.
Penetration testing provides a structured way to uncover weaknesses in OAuth implementations, API endpoints, and access controls before threat actors do. By simulating attack chains like those used in this breach, organizations can validate defenses in real conditions.
This is where Penligent.ai offers a unique edge:
- Simulate complex OAuth attack paths
- Identify exposed or overprivileged API tokens
- Automate compliance checks and generate precise remediation guidance
- Feed real-time monitoring and continuous testing into the security lifecycle
The marriage of seasoned pentesting practice and AI-driven automation can significantly strengthen security postures—especially against supply chain and integration risks like this one.
Final Takeaways
- Check and neutralize Drift or similar OAuth-based integrations immediately.
- Purge high-risk configurations and apply least-privilege to every connected app.
- Run a pentest focused on integration and token-handling security—before attackers do.
Relevant Resources