Lessons from Salesforce/Salesloft Drift Data Breaches – Detailed Case Study

The Salesloft Drift data breaches of August 2025 stand as one of the most significant supply chain attacks in SaaS history, demonstrating how a single compromised integration can cascade into widespread organizational exposure.

This sophisticated campaign, staged by the threat actor UNC6395, exploited OAuth token vulnerabilities to access sensitive data from over 700 organizations, including major cybersecurity vendors like Cloudflare, Palo Alto Networks, and Zscaler.

The incident reveals critical weaknesses in third-party application security and offers valuable lessons for strengthening enterprise cyber resilience.

Initial Compromise: The GitHub Account Breach

The attack timeline reveals a methodical approach that began months before the public disclosure. According to Mandiant’s investigation, the threat actor UNC6395 first gained access to Salesloft’s GitHub account in March 2025, maintaining persistent access through June 2025.

This initial compromise represents a critical security failure that went undetected for three months.

During this extended access period, the attackers demonstrated sophisticated operational security by conducting reconnaissance activities across both the Salesloft and Drift application environments.

They systematically downloaded content from multiple repositories, added guest users, and established workflows that would later facilitate the mass data exfiltration campaign.

This extended time allowed the threat actors to thoroughly understand the target environment and identify the most valuable attack vectors.

The GitHub compromise highlights a fundamental challenge in modern software development: the security of code repositories and development infrastructure.

Salesloft has not disclosed how the initial GitHub access was obtained, but this gap in transparency has drawn criticism from security analysts who emphasize the importance of understanding root causes for effective remediation.

Drift Platform Exploitation and OAuth Token Theft

Following their reconnaissance phase, the attackers pivoted to exploit Drift’s Amazon Web Services (AWS) environment, where they successfully obtained OAuth tokens for Drift customers’ technology integrations.

This represents the critical supply chain vulnerability that enabled the widespread attack across hundreds of organizations.

OAuth tokens serve as digital keys that authorize applications to access user data across different platforms without requiring password authentication.

In the case of Drift, these tokens enabled the chatbot platform to integrate with customer systems like Salesforce, Google Workspace, and other business applications.

By stealing these tokens, UNC6395 effectively inherited the same trusted access privileges, allowing it to bypass traditional security controls.

The technical sophistication of this phase is evident in the attackers’ ability to access AWS-hosted OAuth credentials and extract them without detection.

This suggests a deep understanding of cloud infrastructure and token management systems, characteristic of advanced persistent threat (APT) groups.

Between August 8 and 18, 2025, UNC6395 launched a systematic data exfiltration campaign targeting Salesforce instances connected through Drift integrations. The attackers employed sophisticated techniques to maximize data theft while attempting to evade detection.

The primary objective of the campaign was credential harvesting rather than immediate data monetization. UNC6395 systematically searched through exfiltrated data for valuable secrets, including:

• Amazon Web Services (AWS) access keys (AKIA format)
• Snowflake-related access tokens
• VPN credentials and configuration information
• Generic passwords and authentication strings
• API keys and service account credentials

This focus on credential harvesting indicates a strategic approach aimed at enabling secondary attacks and lateral movement across victim environments.

The stolen credentials could provide attackers with persistent access to cloud infrastructure and business-critical systems far beyond the initial Salesforce breach.

Companies Affected

The breach impacted a staggering number of organizations, with Google Threat Intelligence Group confirming that hundreds of companies were affected.

Among the publicly disclosed victims are several prominent cybersecurity vendors, highlighting the indiscriminate nature of supply chain attacks:

• Cloudflare: Confirmed unauthorized access to Salesforce case objects between August 12-17, 2025, with 104 API tokens discovered and rotated
• Palo Alto Networks: Disclosed compromise of CRM platform containing business contact information and basic case data
• Zscaler: Acknowledged impact on Salesforce data, including customer licensing and commercial information
• Tenable: Reported exposure of customer support case information and business contact details
• Proofpoint: Confirmed as affected in multiple security advisories
• Dynatrace: Reported limited exposure of business contact information with no impact to core products
• Qualys: Confirmed limited Salesforce access with no impact to production environments
• CyberArk: Disclosed compromise of CRM data while emphasizing no customer credential exposure
• Wealthsimple: Reported more extensive impact, including customer government IDs and personal information.

Root Cause Analysis: Systemic Security Failures

The Salesloft Drift breach reveals multiple interconnected security failures that combined to create a catastrophic supply chain vulnerability:

The initial GitHub compromise suggests inadequate security controls around code repositories and development infrastructure. Key failures include:

• Insufficient access controls and monitoring for critical development accounts
• Lack of detection capabilities for unauthorized repository access
• Extended dwell time (3+ months) without detection of malicious activity

The ability of attackers to access and steal OAuth tokens from AWS environments indicates significant shortcomings in credential management:

• Inadequate protection of high-value authentication tokens
• Insufficient segmentation between development and production environments
• Lack of anomaly detection for OAuth token usage patterns

Organizations demonstrated insufficient oversight of third-party integrations:

• Over-permissive OAuth scopes granting excessive access to integrated applications
• Inadequate monitoring of third-party application behavior
• Lack of regular security assessments for connected applications

Detection and Response Gaps

The extended duration of malicious activity (10+ days) reveals detection and response deficiencies:

• Insufficient real-time monitoring of API usage patterns
• Delayed recognition of anomalous bulk data extraction activities
• Inadequate threat intelligence sharing between vendors and customers

Mitigation Strategies

Based on the lessons learned from this incident, organizations should implement comprehensive mitigation strategies addressing both immediate and long-term security improvements:

Immediate Response Actions

OAuth Token Security Hardening:

• Implement sender-constrained access tokens using mutual TLS (mTLS) or DPoP (Demonstrating Proof-of-Possession)
• Establish refresh token rotation policies for public clients
• Deploy real-time monitoring for OAuth token usage anomalies

Third-Party Integration Review:

• Conduct comprehensive audits of all connected applications and their permissions
• Implement least-privilege principles for OAuth scopes and API access
• Establish regular security assessments for critical integrations

Enhanced Monitoring and Detection:

• Deploy advanced analytics for API usage patterns and bulk data operations
• Implement real-time alerting for suspicious SOQL query activities
• Establish baseline behavioral profiles for legitimate application usage

Strategic Security Improvements

Supply Chain Risk Management:
Organizations must implement comprehensive third-party risk management programs:

• Conduct rigorous vendor security assessments before integration
• Establish continuous monitoring of vendor security postures
• Implement contractual security requirements and SLAs

Zero Trust Architecture Implementation:

• Apply zero-trust principles to all third-party integrations
• Implement continuous verification and least-privilege access controls
• Deploy network segmentation to limit lateral movement potential

Development Security Enhancement:

• Implement comprehensive security controls for code repositories
• Deploy real-time monitoring for development environment access
• Establish secure software development lifecycle (SDLC) practices

The incident demonstrates how sophisticated threat actors can exploit trusted relationships to achieve widespread impact across hundreds of organizations simultaneously.

As supply chain attacks continue to evolve in sophistication and scale, the lessons learned from this breach will be crucial for organizations seeking to protect themselves against future threats.

The key is not just to implement individual security controls, but to build comprehensive, integrated security programs that can adapt to the dynamic nature of modern cyber threats.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.