Breach Alert: Massive Salesloft Drift OAuth Token Attack Compromises Major Organizations

Breach Alert: Massive Salesloft Drift OAuth Token Attack Compromises Major Organizations

The Breach: What Happened
Between August 8-18, 2025, threat actors targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. This supply chain attack affected hundreds of organizations worldwide, including major cybersecurity firms such as Cloudflare, Palo Alto Networks, and Zscaler.

Attack Timeline and Impact
Attackers compromised and exfiltrated data from Salesforce tenants between August 12-17, 2025, following initial reconnaissance observed on August 9, 2025. The threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case, and Opportunity records.

At least 1.98 million records were confirmed breached, while attacker claims suggest the true figure may exceed 1.5 billion, making this one of the most significant supply chain attacks of 2025.

How the Attack Worked
The attackers exploited the OAuth integration between Drift (a customer engagement platform owned by Salesloft) and Salesforce. By stealing legitimate OAuth tokens, they gained authorized access to customer Salesforce instances without triggering traditional security alarms. The breach was centered on the Drift application environment, while the separate Salesloft platform was not compromised for data exfiltration.

Once inside, the actor appeared to be actively scanning the acquired data for credentials, indicating potential for secondary attacks using stolen information.

 
Prevention Strategies: How to Avoid This Type of Breach
1. Implement IP Allowlisting for Third-Party Integrations
Why It Matters: One organization successfully blocked the attack because the compromised token connection originated from an unauthorized IP address, demonstrating that this security layer proved essential in blocking unauthorized attempts.

Action Steps:

Configure IP allowlists for all OAuth integrations
Restrict access to known, trusted IP ranges
Regularly review and update allowed IP addresses
Implement geo-blocking for regions outside your operational areas
2. Monitor OAuth Token Activity Continuously
Why It Matters: OAuth tokens provide persistent access without requiring repeated authentication, making them high-value targets for attackers.

Action Steps:

Deploy real-time monitoring for all OAuth token usage
Set alerts for unusual access patterns (time, location, volume)
Establish baselines for normal token behavior
Implement automatic token revocation for suspicious activity
Regularly audit active OAuth tokens and remove unused integrations
3. Adopt Zero-Trust Architecture for Third-Party Apps
Why It Matters: This breach demonstrates that trusted third-party applications can become attack vectors through no fault of your own security practices.

Action Steps:

Apply the principle of least privilege to all third-party integrations
Limit data access to only what's necessary
Segment sensitive data from third-party accessible systems
Require multi-factor authentication for admin-level integrations
Regularly review and minimize third-party permissions
4. Establish Third-Party Risk Management Program
Why It Matters: You're only as secure as your weakest vendor. Supply chain attacks exploit this reality.

Action Steps:

Conduct security assessments before integrating third-party applications
Require vendors to provide SOC 2 reports and security certifications
Include security requirements in vendor contracts
Establish incident notification requirements (time-to-disclosure)
Maintain an inventory of all third-party integrations with data access
Create contingency plans for vendor compromises
5. Implement Data Loss Prevention (DLP) Controls
Why It Matters: Even if attackers gain access, DLP controls can detect and prevent mass data exfiltration.

Action Steps:

Deploy DLP solutions that monitor API calls and data transfers
Set thresholds for unusual data access volumes
Implement rate limiting on API endpoints
Create alerts for bulk data exports
Use data classification to prioritize the protection of sensitive information
6. Maintain Robust Logging and SIEM Integration
Why It Matters: Early detection is critical. The attackers in this breach operated for over a week before detection.

Action Steps:

Enable comprehensive logging for all SaaS platforms
Integrate logs into Security Information and Event Management (SIEM) systems
Create detection rules for anomalous OAuth activity
Establish automated incident response workflows
Conduct regular log reviews and threat hunting exercises
7. Develop and Test Incident Response Plans
Why It Matters: When (not if) a breach occurs, rapid response minimizes damage.

Action Steps:

Create specific playbooks for OAuth token compromise scenarios
Define clear roles and responsibilities for incident response
Establish communication protocols with vendors and customers
Practice tabletop exercises for supply chain breach scenarios
Document procedures for emergency token revocation
 
Key Takeaways
The Salesloft Drift breach serves as a stark reminder that modern security must extend beyond your own infrastructure. Third-party integrations, while essential for business operations, introduce risks that require dedicated security controls and continuous monitoring.

Organizations can no longer rely solely on vendor security promises. Implementing defense-in-depth strategies, including IP allowlisting, continuous monitoring, and zero-trust principles, provides crucial layers of protection that can stop attacks even when vendor systems are compromised.

The bottom line: Trust, but verify—and always have controls in place to detect and respond when trusted systems are compromised.

 
Stay vigilant. Stay protected. Learn from each breach to strengthen your defenses.