TheCyberThrone

Salesloft Drift Supply Chain Breach Sparked a Wave of Data Exposures


Introduction

In late August 2025, a supply chain attack on the Drift integration from Salesloft sent shockwaves through the cybersecurity community. Major players including Cloudflare and Palo Alto Networks found themselves addressing unwanted headlines and customer concerns after attackers leveraged compromised OAuth tokens to exfiltrate sensitive data from integrated Salesforce environments. This incident highlights the growing risk that third-party SaaS integrations pose in even the most security-savvy organizations.

What Happened?

The breach originated with the compromise of OAuth authentication tokens associated with the Drift chatbot integration on the Salesloft platform. These tokens allowed attackers to impersonate trusted applications, bypass authentication safeguards, and gain direct access to Salesforce data belonging to hundreds of organizations.

Between August 8 and 18, threat actors (attributed to the group GRUB1/UNC6395) used these credentials for mass data harvesting, targeting customer support portals, business records, and any information that might prove valuable for future attacks.

The Ripple Effect: Key Organizations Impacted

Cloudflare

Cloudflare’s Salesforce instance was compromised, exposing support case data—contact details, internal communications, and potentially sensitive problem reports. While Cloudflare was quick to rotate affected tokens and notify customers, the depth of the infiltration meant that anything shared with support during the window had to be treated as potentially compromised.

Key facts:

Palo Alto Networks

Palo Alto Networks confirmed a breach in its Salesforce CRM, but emphasized that its core security products remained unaffected. The attackers siphoned off business contact information, internal sales records, and customer support cases—potentially including credentials and configuration data.

Key facts:

Broader Impacts and Security Takeaways

This incident joins a string of supply chain attacks exploiting SaaS-to-SaaS integrations. Other affected organizations included Zscaler and Google accounts tied to the Salesloft Drift integration.

The key takeaway? OAuth tokens and similar trust relationships are high-value targets. When compromised, these tokens grant attackers widespread access, rendering traditional perimeter security and MFA controls ineffective within the bounds of the trusted integration.
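The takeaway above becomes actionable once you can see what an integration's token actually did. The following is an added example, not code from the article or from Salesloft or Salesforce: it scans constructed Salesforce-style API event records and flags any connected app that read support-case or contact objects in bulk during the reported window. The record layout, the hypothetical NightlySync app and the row threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, loosely shaped like Salesforce API event log rows:
# which connected app read which object, how many rows it pulled, from which IP.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:14:00Z", "app": "Drift", "entity": "Case",
     "rows": 25000, "ip": "203.0.113.7"},
    {"ts": "2025-08-12T03:40:00Z", "app": "Drift", "entity": "Case",
     "rows": 30000, "ip": "198.51.100.23"},
    {"ts": "2025-08-15T01:05:00Z", "app": "Drift", "entity": "Contact",
     "rows": 18000, "ip": "203.0.113.7"},
    {"ts": "2025-08-01T09:00:00Z", "app": "Drift", "entity": "Case",
     "rows": 40, "ip": "203.0.113.7"},          # before the window: normal chatbot use
    {"ts": "2025-08-11T22:00:00Z", "app": "NightlySync", "entity": "Account",
     "rows": 2000, "ip": "192.0.2.10"},         # hypothetical app, small volume
]

# Incident window reported in the article (Aug 8-18, 2025); end bound is exclusive.
WINDOW_START = datetime(2025, 8, 8)
WINDOW_END = datetime(2025, 8, 19)
# Objects that hold support cases and business contact data.
SENSITIVE_OBJECTS = {"Case", "Contact", "Account", "Opportunity"}
ROW_THRESHOLD = 10000   # assumed for the sample; tune to each app's normal volume

def find_bulk_pulls(events, threshold=ROW_THRESHOLD):
    """Sum rows read per (connected app, object) inside the window and return the
    pairs at or above threshold, each with the distinct source IPs seen.
    Result: sorted list of (app, object, total_rows, [ips]) tuples."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if not (WINDOW_START <= ts < WINDOW_END) or e["entity"] not in SENSITIVE_OBJECTS:
            continue
        key = (e["app"], e["entity"])
        totals[key] += e["rows"]
        sources[key].add(e["ip"])
    return sorted((app, obj, n, sorted(sources[(app, obj)]))
                  for (app, obj), n in totals.items() if n >= threshold)

if __name__ == "__main__":
    for app, obj, n, ips in find_bulk_pulls(SAMPLE_EVENTS):
        print(f"{app} read {n} {obj} rows from {', '.join(ips)}: revoke its token and review")
```

Any app that shows up here is a candidate for immediate token revocation and a review of what the exported records contained.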

What to Do Now

If your organization uses Drift, Salesloft, or other SaaS integrations with CRM tools:

Conclusion

The Salesloft Drift breach is a pointed reminder that the boundaries of trust in cloud ecosystems are fluid—and that supply chain attacks can quickly ripple across the world’s most sophisticated security teams. Organizations must stay vigilant not just about their own infrastructure, but also about the web of third-party vendors and OAuth tokens sitting quietly in the background, potentially ready to be abused.

Securing integrations, reducing unnecessary privilege, and planning for breach containment are now vital elements of cybersecurity defense. In a world increasingly dependent on SaaS automation and cloud integrations, the true perimeter is wherever your data flows.
