Breach Teardown

Cross-industry (SaaS supply chain)
2025

What Caused the Salesloft Drift Breach?

In August 2025, attackers used OAuth tokens stolen from Salesloft’s Drift chatbot to walk into the Salesforce environments of hundreds of companies, including several major security vendors. No password was phished and no MFA was bypassed. The tokens belonged to a machine, and almost nobody was watching what that machine could do.

Scale
700+ organizations’ Salesforce instances (per Google Threat Intelligence)
Attack vector
Stolen OAuth tokens from a chatbot integration
IAM domains implicated
Cloud, PAM, Security
Domino controls hit
2 of 4

The Incident

What Happened

Between August 8 and 18, 2025, a threat actor Google tracks as UNC6395 used OAuth access and refresh tokens associated with the Salesloft Drift application to access customer Salesforce instances at scale. Google Threat Intelligence and Mandiant put the affected population at more than 700 organizations. Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, and Google itself all disclosed exposure.

The attackers ran automated SOQL queries against support case objects, exporting case text in bulk and then mining it for live credentials: AWS access keys, Snowflake tokens, VPN credentials, and passwords that customers had pasted into support tickets. Cloudflare’s own disclosure reported rotating 104 API tokens found in its exposed case data.

On August 20, Salesloft and Salesforce revoked all active Drift tokens, and Salesforce pulled the application from its AppExchange pending investigation. The root of the token theft traced back to a compromise of Salesloft’s GitHub environment months earlier.

Attack Chain

How the Attack Compounded

Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.

  1. Salesloft’s development environment is compromised months before the main event; Drift OAuth tokens are stolen from its infrastructure.

  2. The stolen tokens authenticate directly to hundreds of customer Salesforce instances. Tokens do not answer MFA prompts, so none are asked.

    CLOUD-02

  3. Few victims had inventoried which third-party integrations held standing API access to their CRM, or with what scopes.

    CLOUD-03

  4. Automated bulk queries export support case text across entire instances without triggering detection.

    SEC-01

  5. Case text yields plaintext AWS keys, Snowflake tokens, and passwords that customers had pasted into tickets, funding the next round of intrusions.

    PAM-02

Control Mapping

The IAM Controls That Failed

Every failure point below corresponds to a control in the AXIS question bank, the same 4 controls a maturity assessment would have scored before this incident.

AXIS controls that failed in the Salesloft Drift customers breach, with domain, capability, and how each failed
ControlDomainCapabilityHow it failed here
CLOUD-02CloudNon-Human Identity (NHI) GovernanceA vendor’s chatbot held standing, broad-scope OAuth access to the CRM of 700 companies, and its tokens lived outside every victim’s credential controls. Non-human identity governance means knowing these integrations exist, scoping them to least privilege, and being able to revoke them fast.
CLOUD-03CloudSaaS Application Discovery & Shadow IT ControlMost victims learned Drift had API access to their Salesforce instance from the breach notification. SaaS-to-SaaS integrations are part of the identity attack surface and need the same discovery discipline as user accounts.
PAM-02
Domino
PAMSecrets Management (Non-Human & Application Credentials)The prize was not CRM data. It was the AWS keys and Snowflake tokens sitting in plaintext inside support tickets. Secrets management maturity is measured everywhere secrets end up, and support cases are where they end up constantly.
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)An integration account suddenly running bulk SOQL exports across every case object is detectable machine behavior. Victims that caught it fast, like Cloudflare, limited the damage; most learned from Salesloft, not from their own telemetry.

The Maturity Lesson

What Would Have Changed the Outcome

The Domino Effect

PAM-02, secrets management, is a domino control, and this campaign shows why the cap applies even when the initial failure is someone else’s. The attackers came in through a vendor’s stolen tokens, but what they monetized was each victim’s own secrets hygiene: credentials pasted into tickets years earlier. A program scored 0 on secrets sprawl is one supply-chain incident away from handing over its cloud keys.

The Maturity Level That Mattered

At level 2 or higher on CLOUD-02, third-party OAuth grants are inventoried with owners and scopes, reviewed on a schedule, and revocable within hours. At level 2 on PAM-02, credential scanning covers ticketing systems and case text, not just code repositories, and pasted secrets get caught and rotated.

The supply-chain lesson for assessments: score the integrations, not just the users. A tenant with flawless human MFA and fifty unreviewed machine grants is not a mature tenant.

Related Compliance Frameworks

The controls implicated in this breach carry citations in these frameworks within the AXIS bank:

Sources

About This Analysis

This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at Salesloft Drift customers. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with Salesloft Drift customers.

Would Your Program Have Caught This?

The 4 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.