BreachWatch™: Salesloft / Drift Incident
October 22, 2025
Snapshot
- Incident type: OAuth/refresh-token abuse via the Salesloft–Drift connected app (targeting Salesforce orgs). Source: Salesforce
- Operational impact: Unauthorized API access to CRM data across many orgs; vendors temporarily disabled integrations and rotated credentials. Source: Salesforce
- Data exposure risk: Support case bodies and CRM records (where teams sometimes paste tokens/logs) plus other secrets discovered and rotated by victims. Source: The Cloudflare Blog
- Underlying control gap: Connected-app governance for SaaS-to-SaaS OAuth - tokens can bypass MFA and inherit over-broad scopes. Source: Google Cloud
- Why it matters: OAuth tokens are the new supply-chain blast radius. This wasn’t a “Salesforce breach”; a third-party connection was the path, making continuous vendor/integration oversight the real perimeter. Source: Salesforce
In August 2025, attackers abused OAuth and refresh tokens tied to Salesloft’s Drift integration to hop into hundreds of organizations’ Salesforce environments. It wasn’t a flaw in Salesforce itself; the compromise arrived through a trusted third-party app, then rode normal API pathways to pull data - often the text of support cases that can contain secrets. Google’s Threat Intelligence Group tracks the actor as UNC6395 and places active exfiltration between August 8–18, 2025. Salesforce and Salesloft revoked tokens and removed Drift from AppExchange while investigations proceeded. (Google Cloud)
If you want a single, concrete example of the modern SaaS supply-chain problem, this is it. OAuth tokens can bypass MFA, live far longer than sessions, and inherit broad scopes from over-permissive connected apps - exactly why the Drift-to-Salesforce pathway became a high-value target. (Cloud Security Alliance)
What actually happened (and why it matters)
- Entry & method. Investigations describe token theft linked to the Drift application, with the adversary using standard Salesforce APIs (including Bulk API 2.0) and then deleting jobs to reduce detection. Several firms reported exposure limited to Salesforce support case content - names, contact details, case subjects/bodies (where customers sometimes pasted tokens or logs). (Google Cloud)
- Scope. Victims include security leaders like Cloudflare, Zscaler and Palo Alto Networks - proof that even mature programs are vulnerable when a single integration goes sideways. (The Cloudflare Blog)
- Signals to hunt. Recommended hunts include the Drift Connected App logins, UniqueQuery events, suspicious Bulk API jobs, and user-agent strings such as Salesforce-CLI/1.0, Salesforce-Multi-Org-Fetcher/1.0, and python-requests/2.32.4, plus IPs observed by responders. (Unit 42)
- This was an ecosystem failure, not “a Salesforce breach.” Salesforce’s guidance underscored that the core platform wasn’t exploited; the path was a compromised app connection leveraging legitimate tokens. (Salesforce)
For a running, vendor-verified tally of organizations that have disclosed impact, see the community tracker at driftbreach.com, which links to the companies’ official statements. (Salesloft Drift Tracker)
What Perimeter customers saw - inside the platform
Perimeter is built for exactly these supply-chain moments. When Drift disclosures began to land, customers didn’t assemble spreadsheets or chase vendors one by one. They worked the incident inside Perimeter:
- One-click triage. The platform automatically highlighted vendors with potential exposure; our risk team pretagged them so customers could filter the list instantly.
- Ready-to-send impact check. A short, prebuilt questionnaire confirmed whether Drift or connected OAuth scopes were present, and captured specifics fast.
- Action to closure. Perimeter outlined remediation steps (revoke tokens, rotate secrets discovered in case text, audit Bulk API use, etc.) and tracked closure in the same workspace.
- Verified, not just attested. Customers saw validated signals (real integration and attack-surface facts) correlated with each vendor’s claims - not just vendor promises.
Result: a real-time view across the supply chain, with validated signals funneling straight into decisioning and remediation - painless VRM in practice.
Why this fits Perimeter’s design: Our Verify module continuously measures vendors’ external footprint and correlates those signals with their responses, surfacing inconsistencies and change over time. That “zero-trust for vendor claims” is a core pillar of Perimeter’s end-to-end lifecycle approach for regulated industries and lean security teams.
Where each Perimeter module fits in this incident
- Monitor – flags news, breach chatter, and material changes tied to vendor ecosystems so you know which relationships could be affected today.
- Verify – continuously validates vendor posture using real-time attack-surface intelligence and correlates it against vendor responses to catch drift or omissions.
- Extract – parses vendor docs and notifications with citations to exact passages, accelerating review without sacrificing accuracy.
- Assess – centralizes due diligence and risk scoring so Drift-related exposure becomes a first-class risk signal across your program.
- Share – standardizes outbound info requests and document exchange so your “impact check” reaches vendors quickly and responses stay auditable.
- Respond – orchestrates RFPs and remediation tasks with clear owners and SLAs; every token rotation and app disconnect is tracked to closure.
Perimeter’s promise is simple: end-to-end, low-effort, real-time VRM that validates vendor claims rather than trusting them by default - exactly what incidents like Drift demand. (Customers regularly achieve rapid time-to-value as programs come online.)
Immediate response checklist (Drift/Salesloft + Salesforce)
Use this to confirm impact and move from detection to closure fast. (These steps align with Google/Mandiant guidance and responder writeups.)
Investigate
1. Inventory OAuth: Confirm whether Drift, Drift Email, or Salesloft connected apps were present in any Salesforce orgs; enumerate scopes. (Google Cloud)
2. Hunt in logs (Aug 8 onward):
  - Check Login History and Event Monitoring for the Drift connection user; review UniqueQuery and Bulk API events.
  - Look for user agents Salesforce-CLI/1.0, Salesforce-Multi-Org-Fetcher/1.0, python-requests/2.32.4 and related IOCs/IPs. (Unit 42)
3. Assume case-text exposure: Search exported case data for secrets and identifiers (AKIA, Snowflake tokens, passwords) and rotate anything found. Cloudflare’s postmortem shows why this matters. (The Cloudflare Blog)
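The hunt described in the "Signals to hunt" bullet and in steps 2–3 above, worked as a small script. This is an added example, not Perimeter's code or any vendor tooling: the event rows are constructed samples in a simplified shape (field names ts, event, user, ua, op, object are assumptions, not the real Event Monitoring schema), the connection username is a placeholder, and the secret patterns cover only AWS access keys, password assignments and bearer tokens.

```python
import re
from datetime import datetime, timezone

# User-agent strings reported by responders (Unit 42) and the Aug 8-18, 2025
# exfiltration window from Google's report, both taken from the writeup above.
SUSPECT_UAS = {"Salesforce-CLI/1.0", "Salesforce-Multi-Org-Fetcher/1.0", "python-requests/2.32.4"}
WINDOW = (datetime(2025, 8, 8, tzinfo=timezone.utc), datetime(2025, 8, 19, tzinfo=timezone.utc))

# Constructed sample rows shaped like simplified Event Monitoring records.
# Field names are assumptions for illustration, not the real EventLogFile schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:14:05Z", "event": "Login", "user": "drift-integration", "ua": "Salesforce-Multi-Org-Fetcher/1.0"},
    {"ts": "2025-08-10T02:15:41Z", "event": "BulkApi2", "user": "drift-integration", "ua": "python-requests/2.32.4", "op": "query", "object": "Case"},
    {"ts": "2025-08-10T02:40:12Z", "event": "BulkApi2", "user": "drift-integration", "ua": "python-requests/2.32.4", "op": "delete_job"},
    {"ts": "2025-08-10T09:00:00Z", "event": "Login", "user": "alice@example.com", "ua": "Mozilla/5.0"},
    {"ts": "2025-07-30T11:00:00Z", "event": "Login", "user": "drift-integration", "ua": "python-requests/2.32.4"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def hunt(events, connection_user="drift-integration"):
    """Return (timestamp, user, reasons) for in-window events matching the hunt criteria."""
    findings = []
    for e in events:
        if not (WINDOW[0] <= parse_ts(e["ts"]) < WINDOW[1]):
            continue  # outside the reported activity window
        reasons = []
        if e.get("ua") in SUSPECT_UAS:
            reasons.append("suspect user-agent")
        if e["event"] == "Login" and e["user"] == connection_user:
            reasons.append("connection-user login")
        if e["event"] == "BulkApi2" and e.get("object") == "Case":
            reasons.append("bulk query of Case")
        if e["event"] == "BulkApi2" and e.get("op") == "delete_job":
            reasons.append("bulk job deleted")  # job deletion after query is the anti-forensic tell
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings

# Minimal secret patterns for step 3 (search exported case text before rotating).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
}

def find_secrets(case_text):
    """Return the names of secret patterns present in a case body, for triage and rotation."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(case_text))
```

Any match from find_secrets is a rotation task, not proof of theft; the hunt findings tell you which objects were pulled and whether jobs were deleted afterwards.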
Contain & Remediate
4. Revoke & rotate: Invalidate OAuth/refresh tokens for Drift/Drift Email, reset client secrets, and rotate credentials in downstream services. (Salesforce)
5. Prune scopes: Remove unused apps; enforce least-privilege scopes for any re-enabled integrations. (Cloud Security Alliance)
6. Tighten access: Consider IP allowlists for API access, session lifetimes, and connected-app policies; enable high-fidelity alerts for Bulk API jobs and anomalous SOQL. (Unit 42)
Harden for next time
7. Treat OAuth as tier-one risk: Build governance for SaaS-to-SaaS tokens and scopes; pair continuous posture management with identity-centric detection. (Cloud Security Alliance)
8. Validate vendor posture continuously: Don’t rely solely on questionnaires; correlate vendors’ claims with real, external signals. (This is precisely what Perimeter’s Verify does.)
Tip: Salesforce reiterates the core platform wasn’t exploited; the weak link was a third-party app. That distinction matters when you brief your board and regulators. (Salesforce)
How Perimeter operationalizes this playbook
- Start with a clean list: Open your Perimeter workspace and click the pretagged view “Potentially impacted by Salesloft/Drift.” Now you have a scoped list of vendors to work.
- Dispatch the impact check: Use the ready-to-send questionnaire to confirm any Drift/Drift Email usage, token scopes, Bulk API activity, and whether secrets appeared in case text.
- Drive remediation to done: Apply the recommended actions template (revoke/rotate; confirm log review; remove stale apps; attest scope minimization). Track owners, due dates, and evidence inside Perimeter.
- Answer, with evidence: When the CFO or a regulator asks “Which vendors were affected, what did they expose, and what changed?” you’ll show a real-time view of status, plus validated signals - not just vendor assurances.
A note on the “extortion noise”
In early October, a group styling itself as “Scattered Lapsus$ Hunters” claimed possession of large volumes of Salesforce-related records and sought payment. Salesforce reportedly told customers it would not pay ransom and that its core systems weren’t breached. Regardless of attribution politics, token-abuse campaigns turn integration sprawl into leverage for extortion - another reason to govern OAuth aggressively. (The Star)
If you’re leading VRM in a regulated industry
Perimeter’s brand promise is Painless VRM for teams that need real-time visibility without adding headcount: end-to-end lifecycle coverage, from onboarding and assessments to continuous monitoring and verified remediation. That focus - regulated industries, small security teams, speed with accuracy - is the demand constellation we serve.
Bottom line: OAuth and SaaS-to-SaaS connections are your modern perimeter. During the Drift incident, Perimeter customers moved from uncertainty to validated action in a single workspace - Monitor the blast radius, Verify signals against vendor claims, Extract the facts quickly, Assess risk in context, Share impact checks, and Respond to closure. That’s how you turn a sprawling supply chain scare into a controlled, auditable process - and keep moving.
FAQ
1. What happened in the Salesloft / Drift incident?
A third-party integration was compromised; attackers used stolen OAuth/refresh tokens tied to the Salesloft–Drift app to access a subset of Salesforce orgs via normal APIs. Salesforce/Salesloft revoked tokens and removed the app from AppExchange.
2. What data was affected?
Varies by org, but several disclosures highlight CRM records - especially support case text, where teams may paste secrets (tokens, logs). Impacted companies rotated exposed credentials as a precaution.
3. Which Perimeter modules address this risk?
Monitor and Verify for continuous signals and correlation; Share to send the impact check; Extract to parse notices; Assess to score and record; Respond to orchestrate and evidence remediation end-to-end.
4. How do I confirm whether my vendors were affected?
Start with a one-click filtered list in Perimeter (pre-tagged by our risk team), dispatch the impact check, and track revoke/rotate actions to closure - inside the same workspace.
Sources and further reading:
- Google Threat Intelligence on the OAuth-token campaign targeting Drift/Salesforce. (Google Cloud)
- Salesforce guidance: third-party app connection, token invalidation, and AppExchange removal. (Salesforce)
- Cloudflare’s disclosure and detailed log forensics (case-text exposure, token rotation). (The Cloudflare Blog)
- Cloud Security Alliance: Why OAuth tokens bypass MFA and how to defend with SSPM + ITDR. (Cloud Security Alliance)
- Community tracker of organizations that have disclosed impact. (Salesloft Drift Tracker)
Painless VRM
Need help? Perimeter helps you manage third party risk with real time validation - not just vendor promises - and with time to value measured in days, not quarters.