NHI Forum

What the Salesloft Drift Breach Teaches Us About Access Token Security


(@slashid)
Trusted Member
Joined: 8 months ago
Posts: 21
Topic starter

Read full article here: https://www.slashid.com/blog/salesloft-drift-breach/?utm_source=nhimg
In August 2025, the Google Threat Intelligence Group (GTIG) confirmed a massive Salesforce supply-chain breach tied to Salesloft’s Drift chatbot. The threat actor UNC6395 abused stolen OAuth tokens to mass-query Salesforce data, steal embedded secrets like AWS keys and Snowflake tokens, and pivot into connected platforms.

This wasn’t a Salesforce vulnerability; it was an abuse of OAuth trust relationships. A single compromised app cascaded into hundreds of organizations, proving once again that access tokens are the weakest link in cloud identity security.
What Happened: A Supply-Chain Breach in Motion

  • Initial Compromise
    Attackers stole Drift OAuth tokens after breaching Salesloft’s GitHub earlier in 2025. These long-lived, over-scoped tokens acted as silent backdoors into Salesforce orgs.
  • Salesforce Data Theft
    Using valid tokens, UNC6395 ran bulk SOQL queries to exfiltrate Accounts, Cases, Users, and Opportunities. They then mined records for embedded secrets (AWS keys, Snowflake tokens, VPN URLs).
  • Pivot Into Google Workspace
    Through Drift Email integration, attackers gained scoped access to connected Google accounts, expanding the blast radius beyond Salesforce.
  • Covering Tracks
    Query jobs were deleted post-exfiltration, but Salesforce logs still revealed mass API activity tied to unusual User-Agents and Tor/AWS IPs.
Why It Matters: OAuth Is the New Attack Surface

Salesforce is a goldmine of sensitive data, but it’s also a secret graveyard:

  • Keys and tokens pasted into case notes.
  • Passwords sent in support chats.
  • Snowflake and AWS credentials shared for quick fixes.

By abusing OAuth tokens, UNC6395 bypassed MFA, login monitoring, and SOC detections. Tokens don’t trigger login events — they just work. That’s what makes this attack stealthy and dangerous.

Impact: GTIG estimates ~700 organizations affected, including Cloudflare, Palo Alto Networks, and Zscaler.
Detection & Defense: What Security Teams Must Do

Immediate actions:

  • Revoke all Drift OAuth tokens.
  • Rotate Salesforce API keys, AWS keys, and Snowflake tokens.
  • Disable unused SaaS integrations.

Long-term hardening:

  • Shorten token lifespans — prefer just-in-time, short-lived credentials.
  • Restrict OAuth scopes — apply least privilege to third-party apps.
  • Monitor Salesforce logs — watch for:
    • Bulk queries (>10k rows)
    • Suspicious User-Agents (python-requests/2.32.4, Salesforce-Multi-Org-Fetcher/1.0)
    • Tor and AWS IP ranges

Detection query example:

SELECT EventType, CreatedDate, UserId, RowsProcessed, RowsReturned, ClientIp, USER_AGENT
FROM EventLogFile
WHERE EventType = 'API'
AND RowsReturned > 10000
AND CreatedDate = LAST_N_DAYS:7


Bigger Picture: Identity Is the New Perimeter

This breach is part of a growing trend: attackers don’t hack SaaS vendors directly — they exploit the OAuth trust model between applications.

  • February 2025: Bybit lost 400,000 ETH via a compromised Safe{Wallet} integration.
  • August 2025: Salesforce customers compromised through Drift OAuth abuse.

Lesson learned: OAuth tokens are effectively non-human identities (NHIs). If unmanaged, they become silent super-users with the power to exfiltrate your most sensitive data.
Key Takeaways for Enterprises

  • Treat OAuth tokens like privileged accounts — monitor and rotate them.
  • Limit SaaS integrations to least privilege.
  • Continuously scan Salesforce and SaaS platforms for embedded secrets.
  • Adopt Zero Trust for NHIs: short-lived, scoped, and auditable access.
Final word - The Drift breach shows that OAuth trust can be the weakest link in modern enterprises. If you’re not monitoring tokens and SaaS integrations, you’re flying blind.
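
One way to operationalise the monitoring items in the post's hardening list, as an added example that is not part of the original post or the slashid article: a small Python scanner that reads EventLogFile-style API rows and flags bulk queries over 10k rows, the two User-Agents the post names, and source IPs on a watchlist. The CSV column layout, the user ids, the sample log rows and the two watchlist CIDRs (RFC 5737 documentation ranges standing in for real Tor/AWS lists) are constructed assumptions.

```python
# Added example (not from the original post or the slashid article):
# scan Salesforce EventLogFile-style "API" rows for the three indicators the
# post lists: bulk queries (>10k rows), the named suspicious User-Agents, and
# source IPs on a watchlist. The log rows, column layout and CIDR watchlist
# below are constructed placeholders, not real Salesforce data or real
# Tor/AWS ranges.
import csv
import io
import ipaddress

BULK_ROW_THRESHOLD = 10_000

# User-Agents named in the post as seen in the Drift campaign.
SUSPICIOUS_USER_AGENTS = {
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
}

# Placeholder watchlist (RFC 5737 documentation ranges). A real deployment
# would load current Tor exit-node and cloud-provider ranges from a feed.
WATCHLIST_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample rows, loosely following the column names Salesforce uses
# in its API event log files (EVENT_TYPE, USER_ID, CLIENT_IP, USER_AGENT, ...).
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,ROWS_PROCESSED,ENTITY_NAME
API,20250820120000.000,005PLACEHOLDER01,192.0.2.10,SalesforceMobileSDK/9.0,120,Account
API,20250820120500.000,005PLACEHOLDER02,198.51.100.7,python-requests/2.32.4,250000,Case
API,20250820121000.000,005PLACEHOLDER03,192.0.2.11,Salesforce-Multi-Org-Fetcher/1.0,4000,User
API,20250820121500.000,005PLACEHOLDER04,203.0.113.9,Mozilla/5.0,15,Opportunity
Login,20250820122000.000,005PLACEHOLDER05,192.0.2.12,Mozilla/5.0,,
"""


def in_watchlist(ip: str) -> bool:
    """True if the address falls inside any watchlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or empty CLIENT_IP field
    return any(addr in net for net in WATCHLIST_CIDRS)


def classify_row(row: dict) -> list:
    """Return the list of indicators that fire for one API event row."""
    reasons = []
    try:
        rows_processed = int(row.get("ROWS_PROCESSED") or 0)
    except ValueError:
        rows_processed = 0  # treat an unparsable count as zero, not as bulk
    if rows_processed > BULK_ROW_THRESHOLD:
        reasons.append(f"bulk_query:{rows_processed}")
    if row.get("USER_AGENT", "") in SUSPICIOUS_USER_AGENTS:
        reasons.append("suspicious_user_agent")
    if in_watchlist(row.get("CLIENT_IP", "")):
        reasons.append("watchlisted_ip")
    return reasons


def scan_log(text: str) -> list:
    """Parse CSV log text and return one finding per API row that matches."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("EVENT_TYPE") != "API":
            continue  # only API events carry query volume
        reasons = classify_row(row)
        if not reasons:
            continue
        findings.append({
            "user_id": row["USER_ID"],
            "client_ip": row["CLIENT_IP"],
            "entity": row["ENTITY_NAME"],
            "reasons": reasons,
            # Several indicators on one row is the pattern the post describes
            # (bulk pull from an odd client on an anonymising network).
            "severity": "high" if len(reasons) >= 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Each indicator on its own is noisy (legitimate ETL jobs pull large row counts; a developer may use python-requests), which is why the scanner records every reason that fired and raises severity only when two or more coincide on the same row; in a real pipeline the next step would be to join the user id back to the connected app that issued the token and revoke it.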