Breach Teardown
What Caused the Salesloft Drift Breach?
In August 2025, attackers used OAuth tokens stolen from Salesloft’s Drift chatbot to walk into the Salesforce environments of hundreds of companies, including several major security vendors. No password was phished and no MFA was bypassed. The tokens belonged to a machine, and almost nobody was watching what that machine could do.
- Scale
- 700+ organizations’ Salesforce instances (per Google Threat Intelligence)
- Attack vector
- Stolen OAuth tokens from a chatbot integration
- IAM domains implicated
- Cloud, PAM, Security
- Domino controls hit
- 2 of 4
The Incident
What Happened
Between August 8 and 18, 2025, a threat actor Google tracks as UNC6395 used OAuth access and refresh tokens associated with the Salesloft Drift application to access customer Salesforce instances at scale. Google Threat Intelligence and Mandiant put the affected population at more than 700 organizations. Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, and Google itself all disclosed exposure.
The attackers ran automated SOQL queries against support case objects, exporting case text in bulk and then mining it for live credentials: AWS access keys, Snowflake tokens, VPN credentials, and passwords that customers had pasted into support tickets. Cloudflare’s own disclosure reported rotating 104 API tokens found in its exposed case data.
On August 20, Salesloft and Salesforce revoked all active Drift tokens, and Salesforce pulled the application from its AppExchange pending investigation. The root of the token theft traced back to a compromise of Salesloft’s GitHub environment months earlier.
Attack Chain
How the Attack Compounded
Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.
Salesloft’s development environment is compromised months before the main event; Drift OAuth tokens are stolen from its infrastructure.
The stolen tokens authenticate directly to hundreds of customer Salesforce instances. Tokens do not answer MFA prompts, so none are asked.
CLOUD-02
Few victims had inventoried which third-party integrations held standing API access to their CRM, or with what scopes.
CLOUD-03
Automated bulk queries export support case text across entire instances without triggering detection.
SEC-01
Case text yields plaintext AWS keys, Snowflake tokens, and passwords that customers had pasted into tickets, funding the next round of intrusions.
PAM-02
Control Mapping
The IAM Controls That Failed
Every failure point below corresponds to a control in the AXIS question bank, the same 4 controls a maturity assessment would have scored before this incident.
| Control | Domain | Capability | How it failed here |
|---|---|---|---|
| CLOUD-02 | Cloud | Non-Human Identity (NHI) Governance | A vendor’s chatbot held standing, broad-scope OAuth access to the CRM of 700 companies, and its tokens lived outside every victim’s credential controls. Non-human identity governance means knowing these integrations exist, scoping them to least privilege, and being able to revoke them fast. |
| CLOUD-03 | Cloud | SaaS Application Discovery & Shadow IT Control | Most victims learned Drift had API access to their Salesforce instance from the breach notification. SaaS-to-SaaS integrations are part of the identity attack surface and need the same discovery discipline as user accounts. |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | The prize was not CRM data. It was the AWS keys and Snowflake tokens sitting in plaintext inside support tickets. Secrets management maturity is measured everywhere secrets end up, and support cases are where they end up constantly. |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | An integration account suddenly running bulk SOQL exports across every case object is detectable machine behavior. Victims that caught it fast, like Cloudflare, limited the damage; most learned from Salesloft, not from their own telemetry. |
The Maturity Lesson
What Would Have Changed the Outcome
The Domino Effect
PAM-02, secrets management, is a domino control, and this campaign shows why the cap applies even when the initial failure is someone else’s. The attackers came in through a vendor’s stolen tokens, but what they monetized was each victim’s own secrets hygiene: credentials pasted into tickets years earlier. A program scored 0 on secrets sprawl is one supply-chain incident away from handing over its cloud keys.
The Maturity Level That Mattered
At level 2 or higher on CLOUD-02, third-party OAuth grants are inventoried with owners and scopes, reviewed on a schedule, and revocable within hours. At level 2 on PAM-02, credential scanning covers ticketing systems and case text, not just code repositories, and pasted secrets get caught and rotated.
The supply-chain lesson for assessments: score the integrations, not just the users. A tenant with flawless human MFA and fifty unreviewed machine grants is not a mature tenant.
Related Compliance Frameworks
The controls implicated in this breach carry citations in these frameworks within the AXIS bank:
Sources
About This Analysis
This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at Salesloft Drift customers. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with Salesloft Drift customers.
More From the Breach Radar
Would Your Program Have Caught This?
The 4 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.