The Ultimate Guide to Non-Human Identities Report
NHI Forum


Salesforce Breach via Drift: How Attackers Abused OAuth at Scale


(@entro)
Eminent Member
Joined: 7 months ago
Posts: 14
Topic starter  

Read full article here: https://entro.security/blog/abusing-oauth-at-scale-how-drifts-breach-opened-salesforce-to-attackers/?utm_source=nhimg

 

Salesforce customers woke up to another supply-chain nightmare this week: a data theft campaign exploiting OAuth tokens from the Drift AI chat integration provided by Salesloft.

 

What Happened

Google Threat Intelligence confirmed that attackers compromised Drift, harvested Salesforce OAuth tokens at scale, and used scripted tools to systematically exfiltrate customer records. Victims included enterprises across finance, HR, and SaaS—from Rubrik to Workday—showing how one compromised integration can become a systemic entry point.

How It Unfolded

  1. Initial Compromise – Attackers exploited Drift to mint OAuth tokens. These acted like skeleton keys into Salesforce, granting broad API access without touching MFA.
  2. Pivot – Each token functioned as a trusted super-user. To Salesforce, Drift looked legitimate, already approved by admins.
  3. Automation – Tokens were fed into Python scrapers that pulled data in bulk, with the speed and scale of a bot farm. GTIG linked this to UNC6395, a threat group known for automated data theft.
  4. Fallout – Salesforce disabled Drift integrations on August 20. Salesloft revoked tokens and pulled the app offline. Still, hundreds of tenants faced exposure, with customer and HR data already exfiltrated.

 

Why It Matters for NHI Security

This wasn’t a Salesforce bug. It was a governance failure: a compromised non-human identity (NHI) became a global breach multiplier.

  • Drift’s OAuth tokens lived far too long.
  • Customers had little visibility into which apps were connected or what data they touched.
  • Secrets stored in Salesforce (think AWS or GCP credentials) could allow direct pivots into cloud infrastructure.

Entro’s Take

This breach is a textbook NHI lesson:

Discovery – Every OAuth app, service account, or API key must be inventoried and owned.
Context – Map permissions and access scopes; an “AI chatbot” can silently become your riskiest insider.
Detection & Response – Rotate secrets, monitor anomalies (e.g., mass API pulls), and trigger real-time remediations.

The bottom line

OAuth apps are NHIs. If they’re not secured and governed, they become invisible super-users and your next breach headline.
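
On the Discovery and Context points above, and the observation that Drift's tokens lived far too long: the following is an added example (not code from the post, from Entro, or from Salesforce) of the inventory pass a practitioner would run over the OAuth grants an org holds. The token rows are constructed to resemble what Salesforce's OauthToken object returns; the field names, the Scopes column, the approved-app owner list and the age and idle limits are all assumptions, and an org would substitute its own policy.

```python
"""Inventory OAuth-connected apps and flag tokens that violate governance rules.

Added example, not from the forum post or Entro's tooling.  TOKENS is a
constructed sample shaped loosely like Salesforce OauthToken rows; the
"Scopes" field, APPROVED_APPS and the limits below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 8, 26, tzinfo=timezone.utc)  # fixed "now" so runs are reproducible

# Constructed sample: one row per (app, user) token grant.
TOKENS = [
    {"AppName": "Drift", "UserId": "005A1", "CreatedDate": "2023-11-02T10:00:00Z",
     "LastUsedDate": "2025-08-19T23:58:00Z", "UseCount": 41230,
     "Scopes": ["api", "refresh_token", "full"]},
    {"AppName": "Drift", "UserId": "005B7", "CreatedDate": "2024-02-14T09:00:00Z",
     "LastUsedDate": "2025-01-03T12:00:00Z", "UseCount": 12,
     "Scopes": ["api", "refresh_token"]},
    {"AppName": "Data Loader", "UserId": "005C3", "CreatedDate": "2025-08-01T08:00:00Z",
     "LastUsedDate": "2025-08-25T08:00:00Z", "UseCount": 30,
     "Scopes": ["api", "refresh_token"]},
    {"AppName": "Mystery Integration", "UserId": "005D9", "CreatedDate": "2025-06-01T08:00:00Z",
     "LastUsedDate": "2025-08-20T08:00:00Z", "UseCount": 900,
     "Scopes": ["api", "web", "refresh_token"]},
]

# Assumed governance inputs: every approved app has a named owner, plus limits.
APPROVED_APPS = {"Drift": "marketing-ops", "Data Loader": "sales-ops"}
MAX_TOKEN_AGE = timedelta(days=365)   # force re-consent at least yearly
MAX_IDLE = timedelta(days=90)         # an unused grant is pure attack surface
BROAD_SCOPES = {"full", "web"}        # assumed "too much for a chatbot" list


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Finding:
    app: str
    user: str
    reasons: list


def assess_tokens(tokens, now=NOW):
    """Return one Finding per token that breaks at least one rule."""
    findings = []
    for t in tokens:
        reasons = []
        if t["AppName"] not in APPROVED_APPS:
            reasons.append("unknown app: no owner on record")
        age = now - _parse(t["CreatedDate"])
        if age > MAX_TOKEN_AGE:
            reasons.append(f"token older than {MAX_TOKEN_AGE.days}d ({age.days}d)")
        idle = now - _parse(t["LastUsedDate"])
        if idle > MAX_IDLE:
            reasons.append(f"unused for {idle.days}d: revoke")
        broad = BROAD_SCOPES & set(t["Scopes"])
        # A refresh token turns a broad scope into a standing, MFA-free credential.
        if broad and "refresh_token" in t["Scopes"]:
            reasons.append(f"long-lived refresh token with broad scope {sorted(broad)}")
        if reasons:
            findings.append(Finding(t["AppName"], t["UserId"], reasons))
    return findings


def apps_by_token_count(tokens):
    """Blast-radius view: how many user grants each connected app holds."""
    counts = {}
    for t in tokens:
        counts[t["AppName"]] = counts.get(t["AppName"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess_tokens(TOKENS):
        print(f"{f.app} / {f.user}: " + "; ".join(f.reasons))
    print(apps_by_token_count(TOKENS))
```

The blast-radius count is the number that matters in an incident like this one: when a vendor is compromised, every grant it holds is a token the attacker may now hold, and the revocation has to cover all of them, not just the user who noticed.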

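For the Detection & Response point (monitor anomalies such as mass API pulls), here is an added example that is not from the post or from Entro: a sliding-window detector run over constructed log lines shaped like a Salesforce EventLogFile API export. The column names, the thresholds and the sample rows are assumptions; a real export carries many more columns, and the baselines would come from the org's own history for each connected app.

```python
"""Detect bulk data pulls by an OAuth-connected app from API event logs.

Added example, not part of the forum post.  SAMPLE_LOG is constructed to look
like rows from a Salesforce EventLogFile "API" export; the columns kept here,
the window size and both thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a scripted sweep at 03:00, then ordinary daytime traffic.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-08-09T03:00:01Z,005A1,Drift,Account,2000
2025-08-09T03:00:04Z,005A1,Drift,Contact,2000
2025-08-09T03:00:07Z,005A1,Drift,Case,2000
2025-08-09T03:00:10Z,005A1,Drift,Opportunity,2000
2025-08-09T03:00:13Z,005A1,Drift,User,2000
2025-08-09T03:00:16Z,005A1,Drift,Account,2000
2025-08-09T03:00:19Z,005A1,Drift,Contact,2000
2025-08-09T09:15:00Z,005C3,Data Loader,Lead,50
2025-08-09T14:02:11Z,005B7,Drift,Contact,1
2025-08-09T14:05:40Z,005B7,Drift,Contact,1
"""

WINDOW = timedelta(minutes=5)
MAX_ROWS_PER_WINDOW = 5000   # assumed baseline: a chat widget reads a few records at a time
MAX_OBJECTS_PER_WINDOW = 3   # touching many unrelated objects looks like enumeration


def parse_events(text):
    """Parse the CSV export into sorted event dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["USER_ID"],
            "client": r["CLIENT_NAME"],
            "entity": r["ENTITY_NAME"],
            "rows": int(r["ROWS_PROCESSED"]),
        })
    rows.sort(key=lambda e: e["ts"])
    return rows


def detect_bulk_pulls(events):
    """Sliding window per (user, client): alert on row volume or object spread."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["client"])].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            rows = sum(w["rows"] for w in window)
            objects = {w["entity"] for w in window}
            if rows > MAX_ROWS_PER_WINDOW or len(objects) > MAX_OBJECTS_PER_WINDOW:
                alerts.append({
                    "user": actor[0], "client": actor[1],
                    "window_start": window[0]["ts"], "rows": rows,
                    "objects": sorted(objects),
                })
                break  # one alert per actor; the response is to revoke, not to keep counting
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_pulls(parse_events(SAMPLE_LOG)):
        print(f"{a['client']} as {a['user']} from {a['window_start']}: "
              f"{a['rows']} rows across {a['objects']}")
```

Keying the window on (user, client) rather than on the user alone is the point: the same human account looks normal through the browser and abnormal through the connected app, and the token to revoke belongs to the app.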
 

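For the bullet on secrets stored in Salesforce (cloud credentials sitting in record text that a stolen token can read), here is an added example, not from the post or from Entro, that sweeps exported record text for AWS and GCP credential formats. The records are constructed; the AWS key values are the placeholder pair that AWS's own documentation uses, and the object and field names are assumptions.

```python
"""Sweep exported Salesforce record text for embedded cloud credentials.

Added example, not from the forum post.  RECORDS is constructed; the patterns
cover AWS access key IDs (the "AKIA" prefix plus 16 uppercase alphanumerics),
an adjacent AWS secret key assignment, and GCP service-account JSON (a
"type": "service_account" document carrying a PEM private key).
"""
import re

# Constructed sample records: two support cases and one chat transcript field.
RECORDS = [
    {"Id": "500X1", "Object": "Case", "Field": "Description",
     "Text": "Customer pasted their config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE "
             "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500X2", "Object": "Case", "Field": "Description",
     "Text": "Login page keeps timing out, see attached screenshot."},
    {"Id": "a0BX3", "Object": "Chat_Transcript__c", "Field": "Body__c",
     "Text": '{"type": "service_account", "project_id": "demo", '
             '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----\\n"}'},
]

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*=\s*([A-Za-z0-9/+=]{40})"),
    "gcp_service_account": re.compile(
        r'"type"\s*:\s*"service_account"[\s\S]*?-----BEGIN PRIVATE KEY-----'),
}


def scan_record(record):
    """Return one hit per credential-shaped match; never copy the full secret into the report."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(record["Text"]):
            hits.append({
                "record": record["Id"],
                "object": record["Object"],
                "field": record["Field"],
                "kind": name,
                "preview": m.group(0)[:8] + "...",
            })
    return hits


def scan_all(records):
    """Flatten hits across an export so they can be routed for rotation."""
    return [h for r in records for h in scan_record(r)]


if __name__ == "__main__":
    for h in scan_all(RECORDS):
        print(f"{h['object']}.{h['field']} {h['record']}: {h['kind']} ({h['preview']})")
```

A hit here is a credential to rotate regardless of whether the token was ever abused: once the value is in a record, every app with read access to that object has effectively been granted it.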

