Salesloft OAuth Token Breach: How Drift AI Agent Compromised Salesforce Customers

Read full article here: https://www.token.security/blog/salesloft-oauth-breach-via-drift-ai-chat-agent-exposes-salesforce-customer-data/?utm_source=nhimg

A sophisticated campaign exposed the growing risks posed by Non-Human Identities (NHIs), OAuth tokens, API keys, service accounts, AI agents, and more, that silently connect our SaaS and cloud ecosystems.

Attackers breached Salesloft’s Drift AI Chat integration and stole OAuth tokens that granted it access to Salesforce. With those NHIs in hand, they moved freely through Salesforce customer environments, bypassing human logins, Multi-Factor Authentication (MFA), and traditional identity defenses.

The breach, attributed to threat actor UNC6395, compromised the Salesforce instances of hundreds of organizations, harvesting both customer data and embedded cloud credentials. It’s a vivid reminder: the weakest link isn’t always a user password—it’s often a machine identity trusted too much and monitored too little.

The Attack: When an NHI Becomes a Backdoor

Here’s how the Salesloft Drift breach unfolded:

1. NHI Compromise – OAuth access and refresh tokens tied to the Drift AI Chat app were stolen. These tokens acted as powerful NHIs with pre-approved privileges in Salesforce.
2. Trusted Access – With valid tokens, attackers authenticated directly as the Drift integration. No user accounts, no MFA. Salesforce recognized the NHI as legitimate.
3. Reconnaissance – Using Salesforce’s query APIs, adversaries mapped data structures and identified valuable records.
4. Data Exfiltration – Over 10 days, attackers exported vast amounts of account, opportunity, and case data—disguised as “normal” app activity.
5. Credential Harvesting – Within Salesforce records, they discovered AWS keys, Snowflake tokens, and other embedded secrets—seeding new breaches across the cloud.
6. Evasion – Logs were deleted, queries obfuscated, and access patterns blended with trusted app behavior.

The lesson is clear: an OAuth token is not “just a key”—it is an identity. If compromised, it’s as dangerous as a stolen admin account.

Business Impact: The Cascading Risk of NHI Compromise

This breach highlights the multi-layered risks when NHIs are left ungoverned:

• Data Confidentiality – Salesforce customer records exposed across hundreds of organizations.
• Credential Propagation – Secrets inside Salesforce (AWS, Snowflake, more) provided attackers with additional footholds.
• Blind Spots – Security teams often focus on humans, leaving NHIs like OAuth tokens largely unmonitored.
• Supply Chain Amplification – One SaaS app (Drift) cascaded into breaches of hundreds of Salesforce tenants.
• Operational Disruption – Revoking tokens, re-scoping permissions, and rebuilding integrations consumed critical time and resources.

The Solution: Securing NHIs with Token Security

At Token Security, we believe breaches like Salesloft–Drift prove why Non-Human Identities must be treated as first-class citizens of security. Our platform provides:

1. Deep Visibility into NHIs – Continuous discovery of every OAuth token, API key, and service account across your SaaS and cloud stack. Drift’s Salesforce access scope would have been flagged instantly.
2. Contextual Awareness – Mapping how NHIs connect apps, data, and services, with behavioral baselines to catch anomalies like abnormal Salesforce data exports.
3. Identity Threat Detection & Response (ITDR) – Real-time detection of compromised NHIs, with automatic revocation or quarantine before large-scale exfiltration.
4. Intelligent Remediation – Orchestrated, NHI-specific response: mass-invalidate compromised tokens, rotate secrets, and re-scope permissions safely and quickly.

Why Security Leaders Must Act

The Salesloft–Drift breach is not a one-off. It’s proof that attackers are increasingly targeting tokens, service accounts, and integrations—because they offer persistent, trusted, high-privilege access with little oversight.

Organizations that fail to bring NHIs into their identity security programs will remain vulnerable to cascading SaaS and cloud compromises.

Final Takeaway

If your Salesforce org has more Connected Apps than you can count, now’s the time to tighten the controls.

 Join the NHI Foundation Level Training Course to learn how to:

• Govern OAuth tokens and Connected Apps with least privilege.
• Build a lifecycle strategy for every NHI.
• Detect and respond to NHI misuse with ITDR best practices.
• Prevent breaches like Salesloft–Drift before they spread across your SaaS and cloud stack.

Because securing the identities you can’t see is the only way to stop the breaches you can’t afford.