When Trust Becomes a Liability: The Salesloft Drift Breach and the Hidden Risk of SaaS Integrations

Gary Perkins, Chief Information Security Officer

In early August 2025, a sophisticated supply-chain cyberattack targeting Salesloft’s Drift application came to light. Salesloft, a sales engagement platform widely used to streamline communication and customer relationship management, disclosed that attackers had gained unauthorized access to OAuth credentials linked to its Drift integration with Salesforce. What initially looked like a narrow incident quickly grew into something far larger, touching hundreds of organizations and raising questions about how secure third-party SaaS integrations really are.

OAuth Tokens: A Backdoor in Plain Sight

The attackers focused on OAuth tokens. For readers unfamiliar, an OAuth token is essentially a digital pass that allows one system (like Drift) to access another (like Salesforce) without re-entering a password each time. These tokens are highly convenient, but if compromised, they give attackers the same level of access as the trusted integration. In this case, the stolen tokens opened a backdoor into Salesforce environments across multiple companies, granting visibility into sensitive customer records, support cases, and even stored credentials.

This was not a brute-force intrusion; the attackers persuaded or tricked systems into granting long-lived access, then quietly exploited that trust. Once inside Salesforce, they executed SOQL (Salesforce Object Query Language) queries, which administrators normally use to look up records, but which here were abused to harvest data and credentials. The attackers even deleted background jobs to cover their tracks.
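The behaviour described above (an integration suddenly pulling far more rows than it normally does, filtering on credential-like terms, connecting from an address it never used before, and deleting background jobs) is exactly what a SaaS activity monitor should alert on. The following is an added example, not code from the original post or from Salesloft or Salesforce: it runs simple baseline and rule checks over a handful of constructed log rows whose column names are only loosely modelled on Salesforce API event logs, and the `expected_ips` allowlist is an assumed input a team would maintain per integration.

```python
"""Baseline-and-rule detection over constructed Salesforce-style API event rows."""
import csv
import io
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample rows (not real data). The "Drift Connector" client normally
# runs small daytime queries from one egress IP; its last three rows mimic the
# bulk pull, credential hunt and job deletion described in the post.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,CLIENT_IP,OPERATION,ENTITY,QUERY,ROWS_PROCESSED
2025-08-08T09:00:01Z,005A1,Drift Connector,203.0.113.10,QUERY,Contact,SELECT Id FROM Contact WHERE LastModifiedDate = TODAY,120
2025-08-08T09:05:44Z,005A1,Drift Connector,203.0.113.10,QUERY,Case,SELECT Id FROM Case WHERE Status = 'New',35
2025-08-08T23:41:02Z,005A1,Drift Connector,198.51.100.77,QUERY,Case,SELECT Id FROM Case,250000
2025-08-08T23:42:15Z,005A1,Drift Connector,198.51.100.77,QUERY,Case,SELECT Id FROM Case WHERE Description LIKE '%AKIA%' OR Description LIKE '%password%',4100
2025-08-08T23:50:03Z,005A1,Drift Connector,198.51.100.77,DELETE,AsyncApexJob,,1
2025-08-08T10:12:09Z,005B2,Ops Dashboard,203.0.113.22,QUERY,Account,SELECT Id FROM Account,800
"""

# Terms that only show up in a query when someone is hunting for stored credentials.
SECRET_HUNT = re.compile(r"password|secret|token|api[_ ]?key|akia|credential", re.I)


@dataclass
class Finding:
    rule: str
    timestamp: str
    client: str
    detail: str


def analyze(log_text, expected_ips, bulk_threshold=100_000, ratio=50):
    """Return findings for integrations behaving unlike their own baseline.

    expected_ips: {client_name: set of egress IPs the integration is known to use}
    (an assumed allowlist maintained by the security team).
    """
    rows = list(csv.DictReader(io.StringIO(log_text)))

    # Per-client baseline: median row count of that client's QUERY operations.
    per_client = defaultdict(list)
    for r in rows:
        if r["OPERATION"] == "QUERY":
            per_client[r["CLIENT_NAME"]].append(int(r["ROWS_PROCESSED"] or 0))
    baseline = {c: max(median(v), 1) for c, v in per_client.items()}

    findings = []
    for r in rows:
        client, ts = r["CLIENT_NAME"], r["TIMESTAMP"]
        rows_done = int(r["ROWS_PROCESSED"] or 0)

        # Known integration connecting from an address outside its allowlist.
        if client in expected_ips and r["CLIENT_IP"] not in expected_ips[client]:
            findings.append(Finding("unexpected_source_ip", ts, client, r["CLIENT_IP"]))

        # Bulk extraction: absolute ceiling, or far above the client's own median.
        if r["OPERATION"] == "QUERY" and (
            rows_done >= bulk_threshold or rows_done > ratio * baseline.get(client, 1)
        ):
            findings.append(Finding("bulk_extract", ts, client,
                                    f"{rows_done} rows from {r['ENTITY']}"))

        # Query text that filters on credential-like terms.
        if r["OPERATION"] == "QUERY" and SECRET_HUNT.search(r["QUERY"]):
            findings.append(Finding("secret_hunting_query", ts, client, r["QUERY"]))

        # Background jobs being removed by an integration (track-covering).
        if r["OPERATION"] == "DELETE" and r["ENTITY"] == "AsyncApexJob":
            findings.append(Finding("job_deletion", ts, client, "background job removed"))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a quick triage view."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG, {"Drift Connector": {"203.0.113.10"}})
    for h in hits:
        print(f"{h.timestamp} {h.client:16} {h.rule:22} {h.detail}")
    print(dict(summarize(hits)))
```

The per-client median baseline matters more than any fixed threshold: a connector that normally returns a few dozen rows and suddenly returns a quarter of a million is the signal, regardless of what other, busier integrations do.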

Beyond Drift: A Campaign of Opportunity

Although the Drift integration was the most visible vector, it soon became clear that this was part of a broader campaign. ShinyHunters, a threat actor group known for using social engineering and token theft at scale, claimed responsibility, though the real attribution may be more nuanced. Their campaign reportedly reached into Salesforce customer accounts at organizations like Google, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, and luxury houses under LVMH including Louis Vuitton, Dior, and Tiffany & Co.

This matters because it underscores a fundamental truth: an average employee or contractor may have access to more sensitive information than leadership realizes. A single successful social engineering attack, whether through Drift or another connector, can open doors to customer data, internal case records, and even secrets embedded in attachments or notes. The real danger is not just the breach itself, but how far attackers can pivot once inside.

The Risk You Don’t See

Cloudflare, Palo Alto Networks, and Zscaler have all confirmed data exposure tied to the Drift compromise. While each reported only limited loss, such as case notes without attachments, the incident revealed how much sensitive context lives in systems we assume are controlled. Customer correspondence often contains logs, API keys, or passwords that should never leave secure storage, yet in practice, they do.

Let’s assume you can trust Salesforce, cloud providers, and vendors. Even then, once you connect a third-party SaaS app, your attack surface expands. Each integration that requests OAuth or API permissions is a potential backdoor if not carefully monitored. The same logic applies to other platforms (Slack, Zendesk, email gateways, AI assistants); any of them can become a weak link.

Practical Steps to Reduce Risk

  1. Revoke and rotate credentials quickly. Any OAuth token or API key tied to Drift or similar integrations should be treated as compromised and replaced.
  2. Audit third-party permissions. Review the scope of every SaaS integration and minimize unnecessary access.
  3. Monitor SaaS activity. Track API queries, exports, and sign-ins from unusual geographies or automation frameworks. A Managed XDR service can provide the visibility needed across these layers.
  4. Search for sensitive data. Scan CRM records and support cases for embedded secrets like API keys or passwords, and migrate them to secure vaults.
  5. Harden vendor governance. Hold vendors to higher security standards, with recurring reviews and evidence of strong controls.
  6. Educate employees. Many of these breaches begin with social engineering. Continuous training and awareness are critical to reducing human-enabled risks.
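Step 4 is the one most teams skip because it sounds manual. As an added example (not code from the original post or from any vendor named in it), the scanner below runs over a handful of constructed CRM case notes and flags embedded secrets two ways: known credential formats by regular expression, and any remaining long, high-entropy string that looks machine-generated. Findings carry only a redacted prefix so the report itself does not become a second copy of the secret. The record shape (`id`, `text`) and the entropy threshold are assumptions for the example.

```python
"""Scan CRM case notes for embedded secrets before they leak through an integration."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample case notes (not real data). CASE-0002 uses the AWS
# documentation example key pair; the others are made-up values.
SAMPLE_CASES = [
    {"id": "CASE-0001", "text": "Customer reports login loops after SSO change. No credentials shared."},
    {"id": "CASE-0002", "text": "Attached config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                               "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0003", "text": "temp password: Summer2025! for the support login, please rotate"},
    {"id": "CASE-0004", "text": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123' "
                               "https://api.example.invalid/v1"},
    {"id": "CASE-0005", "text": "Build id: 7f3a9c2e1b. Release notes attached."},
    {"id": "CASE-0006", "text": "Please use this one-time export key: q7Gh2kLp9sVx4TzRw1MbYn8Ce5Ju3Kd0"},
]

# Known credential formats. Add the formats of the vendors your own org uses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._\-]{20,}"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\b\s*(?:is|[:=])\s*\S{6,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Candidate tokens for the entropy check: long runs of token-safe characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


@dataclass
class Finding:
    record_id: str
    kind: str
    redacted: str


def shannon_entropy(s):
    """Bits of entropy per character; random keys score well above English text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep just enough to locate the secret in the record, never the whole value."""
    return value[:4] + "***"


def scan_record(record_id, text, entropy_threshold=4.0):
    findings, covered = [], []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(record_id, kind, redact(m.group(0))))
            covered.append(m.span())
    # Entropy check only on tokens no pattern already explained.
    for m in TOKEN.finditer(text):
        start, end = m.span()
        if any(start < c_end and end > c_start for c_start, c_end in covered):
            continue
        if shannon_entropy(m.group(0)) >= entropy_threshold:
            findings.append(Finding(record_id, "high_entropy_string", redact(m.group(0))))
    return findings


def scan_all(records):
    """Scan every record; returns findings ready to route to a vault-migration ticket."""
    return [f for r in records for f in scan_record(r["id"], r["text"])]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CASES):
        print(f"{f.record_id}  {f.kind:22}  {f.redacted}")
```

The entropy rule is what catches secrets in formats you did not anticipate (CASE-0006 matches no known pattern), at the cost of some false positives on build hashes and similar strings; tune the threshold against a sample of your own case data before running it across the whole CRM.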

Closing Thoughts

The Salesloft Drift breach should not be seen as an isolated event. It illustrates how the web of SaaS applications organizations rely on every day can also become their undoing. Attackers don’t need to breach Salesforce, Google, or Cisco directly; they only need to compromise a trusted connection or an unsuspecting employee to gain access.

For leaders, the lesson is straightforward but sobering: security doesn’t stop at your own systems. It extends to every app, connector, and person with a credential that touches your data. Until companies approach integrations with the same rigor they apply to their core infrastructure, these breaches will keep repeating… because the attackers already know where the weak points are.