TL;DR: UNC6395 abused OAuth tokens tied to Salesloft’s Drift app to query Salesforce data across 700+ organisations and harvested secrets from Cases, including AWS keys, Snowflake tokens, VPN credentials, and passwords, according to Abnormal AI. Trusted integrations can become persistent access paths that bypass gateway controls and credential-based defences until tokens are revoked.
NHIMG editorial — based on content published by Abnormal AI covering the Salesloft Drift OAuth abuse campaign.
Key Insights
- UNC6395 abused OAuth tokens tied to Salesloft's Drift app to query Salesforce data across 700+ organisations.
By the numbers:
- Over 700 companies were impacted, including some of the world’s most prominent cybersecurity vendors.
- Cloudflare later disclosed that 104 of its API tokens were exposed in the Salesforce Case data taken from its tenant.
Questions worth separating out
Q: What breaks when OAuth tokens are not governed like credentials?
A: When OAuth tokens are treated as convenience links instead of governed credentials, they become persistent access paths that bypass phishing controls, password resets, and inbox inspection.
Q: Why do third-party SaaS integrations increase breach impact?
A: Third-party integrations expand breach impact because the vendor holds one token per customer tenant, and each of those tokens can reach many objects and, through the secrets stored in them, the downstream services those objects reference. One vendor compromise therefore becomes hundreds of tenant compromises.
Q: How do security teams know if SaaS integrations are overprivileged?
A: The clearest signal is an integration that still has access but no active business justification, especially when its scopes are broad, its owner is unclear, or its last use is stale.
Practitioner guidance
- Inventory all third-party OAuth grants: map every SaaS integration to its scopes, business owner, and last-used date, then remove anything that cannot justify ongoing access to Salesforce, email, or downstream cloud services.
- Review support-case handling for secret leakage: block or redact AWS keys, Snowflake tokens, VPN credentials, and passwords in support workflows, and alert on bulk searches or exports from Case objects.
- Correlate SaaS, email, and identity logs: detect suspicious delegated access by joining OAuth grant and token events, API query volume, mailbox access, and admin actions, so that a token revocation and the anomalous API use that preceded it show up in one view.
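The second and third items above, as an added Python example that is not part of the Abnormal AI analysis or this editorial: a scanner that redacts credential values from support Case text and reports what it found, and two rules over a constructed API event log that flag bulk reads from sensitive objects and any use of a connected app after its token was revoked. The regexes are heuristics (Snowflake and VPN credentials have no fixed format, so they are caught only when pasted as key=value); the event shape, app names, thresholds and timestamps are assumptions, and nothing here is real log data. The AWS values in the sample are the documented AWS example credentials.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# ---- 1. Secrets pasted into support Cases -----------------------------------
# AWS access key IDs have a fixed prefix; the other rules are shape heuristics,
# so every hit is a review candidate rather than a confirmed secret.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")),
    ("credential_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*(\S+)")),
]


def redact(body: str) -> Tuple[str, List[str]]:
    """Replace secret values in a Case body and return the kinds found."""
    kinds: List[str] = []

    def make_sub(kind):
        def _sub(m):
            kinds.append(kind)
            if m.lastindex:  # keep the "password=" label, drop only the value
                return m.group(0)[: m.start(1) - m.start(0)] + "[REDACTED]"
            return "[REDACTED]"
        return _sub

    for kind, pattern in SECRET_PATTERNS:
        body = pattern.sub(make_sub(kind), body)
    return body, kinds


def scan_cases(cases: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Case id -> secret kinds, for every Case that needs redaction."""
    found = {}
    for case in cases:
        _, kinds = redact(case["body"])
        if kinds:
            found[case["id"]] = kinds
    return found


# ---- 2. Bulk reads and activity after revocation -----------------------------
SENSITIVE_OBJECTS = {"Case", "Account", "Contact", "Opportunity"}
BULK_ROWS = 1000  # rows returned by one call; assumption, tune to the integration's normal


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_reads(events: List[dict], threshold: int = BULK_ROWS) -> List[dict]:
    """One alert per connected app that pulled >= threshold rows from a
    sensitive object, with the number of such calls and the total rows."""
    hits = defaultdict(list)
    for e in events:
        if e["object"] in SENSITIVE_OBJECTS and e["rows"] >= threshold:
            hits[e["app"]].append(e)
    return [{"rule": "bulk_read", "app": app, "events": len(evs),
             "rows": sum(x["rows"] for x in evs)} for app, evs in hits.items()]


def detect_post_revocation(events: List[dict], revoked: Dict[str, str]) -> List[dict]:
    """Any call by an app after its token was revoked means a grant was missed
    (another user's token, a refresh token, or a cached access token)."""
    return [{"rule": "post_revocation_use", "app": e["app"], "ts": e["ts"]}
            for e in events
            if e["app"] in revoked and parse_ts(e["ts"]) > parse_ts(revoked[e["app"]])]


# Constructed sample data: hypothetical app names, made-up Case ids and times.
SAMPLE_CASES = [
    {"id": "500000000000001", "body": "Customer cannot connect; their key is "
     "AKIAIOSFODNN7EXAMPLE and secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "500000000000002", "body": "VPN fails for jdoe. password=Winter2024! vpn host 10.0.0.5"},
    {"id": "500000000000003", "body": "Dashboard loads slowly since Monday."},
    {"id": "500000000000004", "body": "Snowflake load job fails. token=ver:1-hint:12345-ETMsDgAAAX"},
]
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:10:00Z", "app": "chat-widget-connector", "object": "Case", "rows": 48213},
    {"ts": "2025-08-09T02:11:00Z", "app": "chat-widget-connector", "object": "Account", "rows": 9120},
    {"ts": "2025-08-09T02:12:00Z", "app": "chat-widget-connector", "object": "Case", "rows": 51000},
    {"ts": "2025-08-09T09:00:00Z", "app": "ticket-sync", "object": "Case", "rows": 14},
    {"ts": "2025-08-21T07:30:00Z", "app": "chat-widget-connector", "object": "Contact", "rows": 3},
]
REVOKED = {"chat-widget-connector": "2025-08-20T12:00:00Z"}

if __name__ == "__main__":
    for case_id, kinds in scan_cases(SAMPLE_CASES).items():
        print(case_id, kinds)
    for alert in detect_bulk_reads(SAMPLE_EVENTS) + detect_post_revocation(SAMPLE_EVENTS, REVOKED):
        print(alert)
```

The post-revocation rule is the correlation point: it only works if the revocation event from the identity or admin log and the API events from the SaaS log are keyed on the same connected-app identifier, which is the join the guidance above asks for.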
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- The campaign timeline and investigation sequence across Salesloft, Salesforce, and Google Workspace.
- The exact query patterns used against Salesforce objects, including the Cases focus and attempted log cleanup.
- The customer impact discussion for organisations that disclosed stolen tokens and support data.
- The defensive positioning around behavioural AI, account takeover protection, and SaaS posture management.
👉 Read Abnormal AI's analysis of the Salesloft Drift OAuth abuse campaign →
Salesloft Drift OAuth abuse: what it means for IAM teams
Explore further
OAuth trust is a credential problem, not just an integration problem: The Drift campaign worked because delegated access was treated as a convenience feature instead of a governed credential path. Once a third-party token can query Salesforce and email data, the organisation has created standing access that outlives the user action that authorised it. For NHI governance, the lesson is that application tokens must be managed as live identities with explicit lifecycle and revocation ownership.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, which shows that detection alone is not enough without automated revocation, according to Guide to the Secret Sprawl Challenge.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to the 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who is accountable when a trusted integration is abused?
A: Accountability sits with the team that approved, owned, and failed to retire the grant, not just the vendor whose token was stolen. For SaaS and NHI governance, delegated access needs an explicit owner, a lifecycle record, and a revocation path, or the organisation has no defensible control boundary.
👉 Read our full editorial: Salesloft Drift OAuth abuse shows how SaaS trust can collapse