Cyber Security Blog

Salesloft-Drift Attack: One Compromised Integration Shakes 700+ Cos

Written by Guest Author | 9 September 2025

This month, the world has witnessed one of the largest SaaS supply-chain breaches in history. Yes, we are talking about the Salesloft-Drift breach.

By compromising the integration between Drift (acquired by Salesloft) and Salesforce, malicious threat actors gained a golden ticket: OAuth tokens and refresh tokens that unlocked sensitive data across hundreds of organisations. Large tech firms, cybersecurity majors - the companies we assume are most secure - were all hit by this mega breach with a massive blast radius. 

Palo Alto Networks, Zscaler, Cloudflare, Tenable, Proofpoint, and dozens more all confirmed being caught in the attack. With over 700 organisations affected, the Salesloft-Drift breach is a sobering reminder of how one trusted integration can cripple even the most secure enterprises.

This attack is complex and convoluted. But in this blog, we try to simplify the details as much as possible and break down the events for you. The idea is never to pin blame or vilify the victims but to see what lessons we can learn as a community from this crippling breach. 

Topics Covered in this Comprehensive Breakdown:

1. A Brief Timeline of the Salesloft-Drift Attack 
2. Attack Details 
3. Impact of the Massive Breach 
4. Key Learnings from the Attack 

Salesloft Drift-Salesforce Compromise: A Brief Timeline of the Attack

  • Aug 8, 2025 — Malicious activity begins; attackers exploit OAuth tokens tied to the Drift-Salesforce integration.

  • Aug 8–18, 2025 — Attackers maintain persistence for ~10–12 days, running SOQL queries to export Salesforce CRM data and hunting for embedded secrets.

  • Aug 20, 2025 — Salesforce and Salesloft disable all Drift integrations globally, halting attacker activity but causing widespread service disruption.

  • Aug 26–29, 2025 — Salesforce, Salesloft, and affected organizations begin issuing breach notifications to customers.

  • Late August – Early September 2025 — Victim companies rotate credentials, revoke tokens, and publish public disclosures.

  • Early September 2025 — Forensics confirm scale: hundreds of organisations compromised, sensitive data exfiltrated, but no ransom demands publicly reported.

Understanding the Salesloft-Drift Attack: What, Who, When and Why?

What happened? 

The Salesloft-Drift attack has been attributed to the threat group UNC6395, though ShinyHunters also attempted to claim responsibility without substantiated proof. 

At its core, the breach revolved around the theft of OAuth and refresh tokens from the Drift–Salesforce integration. This apparently granted attackers direct access to Salesforce environments across hundreds of organisations.

Unlike ransomware gangs that openly encrypt systems and demand payouts, this campaign focused on quiet, large-scale data harvesting. That made detection more difficult and raised questions about secondary exploitation through phishing and credential abuse. No ransom demands have been publicly disclosed, which suggests the attackers may monetise the stolen data over time via underground markets, phishing, or corporate espionage.

What is OAuth? 

OAuth is an open standard that lets users authorise one application or service to access another on their behalf, typically by issuing access tokens rather than sharing passwords. It is what allows platforms like Drift to integrate with systems such as Salesforce, facilitating interactions with website visitors.

Period of Persistence 

The malicious campaign remained active between August 8 and August 18, 2025, before Salesforce and Salesloft stepped in to disable all Drift integrations on August 20. Customer notifications followed soon after, between August 26 and 29, as the true scale of the compromise became clearer.

Latest Update: Salesloft links breach to March GitHub account hack

On September 8, 2025, Salesloft said the breach was made possible by an earlier compromise of its GitHub account in March. That access allowed hackers to steal the authentication tokens later used in the mass hack. Source: TechCrunch

Citing an investigation by Google's Mandiant incident response unit, Salesloft has now reported that unnamed hackers accessed its GitHub account from March to June, downloading content and establishing workflows. This breach led to unauthorised access to Salesloft's Drift platform via Amazon Web Services, where customer OAuth tokens were stolen. The six-month detection delay has raised fresh concerns about the company's security posture.

Why is this attack making headlines? 

Because it highlights how a single compromised SaaS integration can create a devastating supply-chain blast radius. By abusing one weak link, attackers were able to expose the data of hundreds of enterprises simultaneously, inflicting not just operational headaches but also significant reputational damage across industries.

From a technical standpoint, the attackers relied on the abuse of OAuth and refresh tokens, issuing SOQL queries inside Salesforce to quietly export CRM data and embedded secrets. The business impact was massive: operations at over 700 organisations were disrupted, and some of the biggest names in cybersecurity were forced to revoke tokens, disable integrations, and scramble to contain the damage. 

For customers, the risks were equally serious. Beyond the exposure of basic CRM records like contacts, opportunities, and cases, attackers uncovered highly sensitive information such as AWS keys, Snowflake tokens, and even plaintext passwords hidden in support cases — the sort of data that can fuel secondary breaches.

Response and Recovery

The response was swift. On August 20, Salesforce and Salesloft took decisive action by disabling all Drift integrations globally, immediately cutting off attacker access. Organisations followed up with global token revocation, credential rotation, forensic audits, and customer notifications to manage the fallout. These steps demonstrate both the gravity of the breach and the importance of having well-practised cyber incident response protocols when SaaS supply chains are exploited.

Business and Customer Impact of the Salesloft-Drift Breach

By now, it’s pretty clear that the impact of the Salesloft-Drift attack has been staggering to say the least. It has left an enormous mark on the global business and cybersecurity community. More than 700 organisations have been affected, making it one of the most widespread SaaS supply-chain incidents to date. 

Among those caught in the blast radius are some of the industry’s biggest names — Zscaler, Palo Alto Networks, Cloudflare, Tenable, Proofpoint, SpyCloud, and Tanium. They’ve all confirmed they have been impacted. 

Beyond operational headaches, the reputational toll has also been severe. For vendors whose core business is safeguarding data, being publicly tied to a breach carries significant trust and credibility risks.

For customers, the consequences are equally troubling. With no ransom demands confirmed, the stolen data instead carries long-term risks. Exfiltrated Salesforce CRM records include contact details, opportunity records, and support cases. This information is pure gold for phishing campaigns and business email compromise.

The discovery of sensitive secrets hidden in CRM fields, including AWS access keys, Snowflake tokens, and even plaintext passwords, shows how such data can provide attackers with direct avenues into cloud platforms and other critical systems.

For many clients, the unsettling reality is that their data may now be circulating in underground markets, creating a complete erosion of trust.

Key Learnings

A breach of this scale is important because it contains several key lessons for the cybersecurity industry. Understanding and implementing these learnings is critical for all businesses regardless of industry and scale. 

Let’s take a look at the most resounding lessons from this major hack. 

1. OAuth tokens are the new crown jewels - The Salesloft-Drift incident makes it abundantly clear that OAuth tokens are the new crown jewels of the cloud era. Much like passwords, these tokens grant powerful, persistent access to business-critical environments.

This incident must act as a wake-up call for businesses globally to treat OAuth tokens with the same degree of vigilance. They must be rotated regularly. Their usage has to be tightly restricted and continuously monitored for unusual activity. A single exposed token can open the door to vast amounts of sensitive data, as this breach has demonstrated.

2. Least privilege is non-negotiable - Too often, integrations are given broad or permanent permissions they don’t actually need. By limiting API scopes and enforcing IP restrictions for third-party access, businesses can significantly shrink the blast radius if an integration is compromised. The smaller the permission set, the harder it is for attackers to move laterally or exfiltrate large volumes of information.

3. Secrets don’t belong in CRM - The attack also highlighted a surprisingly common but dangerous practice: storing secrets in CRM fields. Passwords, API keys, and access tokens should never be embedded in case notes or support records. Once attackers accessed Salesforce data, those secrets became low-hanging fruit that could be reused to breach other platforms like AWS or Snowflake. Organisations must enforce strict data handling policies to prevent sensitive credentials from ending up in the wrong place.
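As an added illustration of lesson 3 (this is example code, not code from the original post or from Salesloft or Salesforce), here is a small Python hygiene scanner a defender could run over exported case records to find credentials that should never have been stored there. The record fields, the sample cases and every regex other than the AWS access key ID shape are constructed assumptions for this example.

```python
"""Scan exported CRM case records for embedded credentials (defender-side hygiene check)."""
import re
from typing import Dict, List

# Detection heuristics. The AKIA/ASIA prefix plus 16 uppercase alphanumerics is the
# documented shape of an AWS access key ID; the other patterns are constructed
# key/value heuristics for this example and will need tuning on real data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?(?:access[_ -]?)?key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,40}?\b(?:token|key)\s*[:=]\s*(\S{16,})"),
    "plaintext_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
}

# Assumed free-text fields of a case record; adjust to the object you export.
SCAN_FIELDS = ("Subject", "Description", "Comments")


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding can be triaged without re-exposing the value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_record(record: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per secret-like value in the record's free-text fields."""
    findings = []
    for field in SCAN_FIELDS:
        text = record.get(field) or ""
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"record_id": record.get("Id", "?"), "field": field,
                                 "kind": kind, "value": redact(value)})
    return findings


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan a whole export; the result is the remediation list (rotate, then purge the field)."""
    return [f for r in records for f in scan_record(r)]


# Constructed sample cases (not real data) mimicking what the text describes.
SAMPLE_CASES = [
    {"Id": "500A", "Subject": "S3 upload failing",
     "Description": "Customer sent creds to reproduce: AKIAEXAMPLE000000001 / "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500B", "Subject": "Snowflake sync",
     "Comments": "Snowflake service account token: sf_tok_CONSTRUCTED_abcdef123456"},
    {"Id": "500C", "Subject": "Login issue",
     "Description": "User says password: Summer2025! still rejected"},
    {"Id": "500D", "Subject": "Billing question", "Description": "Invoice #4412 unclear"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_CASES):
        print(finding)
```

Findings come back redacted on purpose: the scanner's job is to produce a rotation and clean-up list, not to copy the secrets somewhere new.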

4. Third-party risk is real - Integrations like Drift are powerful productivity boosters. But as we have now seen, they also create new avenues of attack. Businesses should thoroughly vet their third-party apps and monitor them continuously under the assumption that they can be compromised at any time. The vetting process should go beyond initial security assessments. Robust security protocols, regular audits, and immediate response plans for any detected vulnerabilities or breaches within these integrated systems are paramount.

5. Cyber tabletop exercises save time - In a real-world incident, confusion and hesitation can be just as damaging as the attack itself. By rehearsing “integration breach” cyber drill scenarios in advance, you can ensure that security teams, IT admins, and business leaders know exactly how to respond the moment suspicious activity is detected.

These exercises not only test technical readiness — such as how to revoke compromised tokens or isolate affected applications — but also stress-test decision-making, communication, and escalation paths. In the case of a supply-chain compromise, where hundreds of systems may be at risk, shaving hours or even minutes off containment efforts can make the difference between a controlled disruption and a catastrophic data loss.

Conclusion

The Salesloft-Drift attack is more than just another breach headline. It’s a case study for how trusted integrations can become systemic risk multipliers. By compromising a single token, attackers gained a systemic foothold, transforming what should be a symbiotic relationship into a conduit for widespread risk.

For businesses, the lesson is clear: SaaS supply chains must be defended as rigorously as core infrastructure. The era of "set it and forget it" integrations is over. Businesses must adopt a proactive and continuous approach to managing their SaaS supply chain.