Salesloft

The Salesloft-Drift OAuth incident involved attackers stealing OAuth tokens from Salesloft’s development platform, exploiting them to access customer data across integrated applications like Salesforce and Google Workspace. The breach, executed by the threat group UNC6395, leveraged voice phishing (vishing) to trick administrators into authorizing malicious apps, bypassing multi-factor authentication (MFA). Over 700 organizations were impacted as the compromised tokens enabled attackers to exfiltrate sensitive customer information, leading to widespread revocation of Drift integrations. The incident exposed systemic risks in SaaS supply chains, where trusted third-party integrations became attack vectors, enabling potential data theft, cloud credential abuse, outages, or ransomware. Beyond immediate data exposure, the breach triggered forensic investigations, regulatory fines, lawsuits, reputational damage, and operational disruptions, highlighting the cascading risks of N-th degree vendor dependencies in modern cybersecurity ecosystems.

Source: https://beinsure.com/news/salesloft-drift-oauth-breach-exposes-saas/

TPRM report: https://www.rankiteo.com/company/drift

{
  "id": "dri1593115102125",
  "linkid": "drift",
  "type": "Breach",
  "date": "10/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '700+ organizations',
                        'industry': 'Sales Engagement/CRM',
                        'name': 'Salesloft',
                        'type': 'SaaS Provider'},
                       {'industry': 'Conversational Marketing',
                        'name': 'Drift',
                        'type': 'SaaS Provider'},
                       {'industry': 'Varied (Any industry using '
                                    'Drift/Salesforce/Google Workspace)',
                        'location': 'Global',
                        'name': 'Multiple Organizations Using Drift '
                                'Integrations',
                        'type': ['B2B Companies', 'Enterprises']}],
 'attack_vector': ['OAuth Token Theft',
                   'Social Engineering (Voice Phishing)',
                   'Trusted Integration Exploitation'],
 'customer_advisories': ['Disable Drift integrations temporarily',
                         'Rotate credentials for connected apps'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (Credentials, PII, Business '
                                        'Data)',
                 'type_of_data_compromised': ['Customer Data',
                                              'Cloud Credentials (AWS, '
                                              'Snowflake)',
                                              'PII (via Connected Apps)']},
 'description': 'Attackers stole OAuth tokens from Salesloft’s development '
                'platform, which were then used to access customer data in '
                'connected applications like Salesforce and Google Workspace. '
                'The breach exploited trust in SaaS integrations, leading to '
                'widespread credential revocations and temporary disabling of '
                'Drift integrations. Roughly 700 organizations were affected, '
                'with attackers (UNC6395) using a mix of technical '
                'exploitation and social engineering (e.g., voice phishing) to '
                'compromise tokens. The incident highlighted systemic risks in '
                'third-party integrations and N-th degree vendor '
                'vulnerabilities, exposing gaps in cyber insurance '
                'underwriting and risk assessment.',
 'impact': {'brand_reputation_impact': ['Loss of Trust in SaaS Integrations',
                                        'Reputational Harm for '
                                        'Salesloft/Drift'],
            'data_compromised': ['Customer Data',
                                 'Cloud Credentials (AWS, Snowflake)',
                                 'Salesforce/Google Workspace Data'],
            'identity_theft_risk': ['High (Stolen Cloud Credentials)',
                                    'PII Exposure via Connected Apps'],
            'legal_liabilities': ['Potential Lawsuits', 'Regulatory Scrutiny'],
            'operational_impact': ['Temporary Disabling of Drift Integrations',
                                   'Credential Revocations',
                                   'Forensic Investigations'],
            'systems_affected': ['Salesforce',
                                 'Google Workspace',
                                 'Drift Integrations',
                                 'Connected SaaS Platforms']},
 'initial_access_broker': {'backdoors_established': ['Malicious Apps Connected '
                                                     'to Salesforce Portals'],
                           'data_sold_on_dark_web': 'Likely (based on threat '
                                                    'actor profile)',
                           'entry_point': 'Stolen OAuth Tokens (via Social '
                                          'Engineering/Phishing)',
                           'high_value_targets': ['Cloud Credentials (AWS, '
                                                  'Snowflake)',
                                                  'Salesforce/Google Workspace '
                                                  'Data']},
 'investigation_status': 'Ongoing (Blast radius and full impact still being '
                         'assessed)',
 'lessons_learned': ['SaaS integrations and OAuth permissions must be '
                     'centrally managed and audited.',
                     'Third-party access risks extend beyond first-tier '
                     'vendors (N-th degree risk).',
                     'Traditional cyber risk assessments fail to account for '
                     'hidden dependencies in supply chains.',
                     'Over-reliance on seamless integrations can create '
                     'systemic vulnerabilities.',
                     'Insurers must adapt underwriting to include SaaS '
                     'integration risks.'],
 'motivation': ['Data Exfiltration',
                'Credential Harvesting',
                'Potential Financial Gain (e.g., Dark Web Data Sales)'],
 'post_incident_analysis': {'corrective_actions': ['Token lifecycle management '
                                                   'reforms.',
                                                   'Enhanced '
                                                   'logging/monitoring for '
                                                   'SaaS integrations.',
                                                   'Stricter vendor access '
                                                   'controls.',
                                                   'Employee training on '
                                                   'phishing/social '
                                                   'engineering.',
                                                   'Cross-platform dependency '
                                                   'mapping for risk '
                                                   'assessment.'],
                            'root_causes': ['Inadequate protection of OAuth '
                                            'tokens in development '
                                            'environments.',
                                            'Lack of multi-layered '
                                            'authentication for high-risk '
                                            'integrations.',
                                            'Over-permissive third-party app '
                                            'permissions.',
                                            'Failure to monitor for anomalous '
                                            'token usage.',
                                            'Social engineering '
                                            'vulnerabilities (e.g., voice '
                                            'phishing success).']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement stricter OAuth token management (e.g., shorter '
                     'lifetimes, least-privilege access).',
                     'Conduct regular audits of third-party integrations and '
                     'permissions.',
                     'Enhance MFA for high-risk workflows (e.g., admin '
                     'approvals for new integrations).',
                     'Monitor for anomalous token usage across connected '
                     'platforms.',
                     'Educate employees on social engineering tactics (e.g., '
                     'voice phishing).',
                     'Insurers should require policyholders to disclose SaaS '
                     'integration ecosystems.'],
 'references': [{'source': 'KYND Analysis'},
                {'source': 'How AI is Transforming Cyber Insurance'},
                {'source': 'Impact on Cyber Insurance Claims & Underwriting'}],
 'regulatory_compliance': {'legal_actions': ['Potential Lawsuits',
                                             'Regulatory Investigations']},
 'response': {'communication_strategy': ['Customer Advisories',
                                         'Stakeholder Notifications'],
              'containment_measures': ['Revoking Compromised OAuth Tokens',
                                       'Disabling Drift Integrations'],
              'enhanced_monitoring': ['Monitoring for Unauthorized Token '
                                      'Usage'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Token Rotation',
                                       'Enhanced Authentication for '
                                       'Integrations']},
 'stakeholder_advisories': ['Urgent: Review and revoke unauthorized OAuth '
                            'tokens',
                            'Assess exposure via Drift/Salesforce '
                            'integrations'],
 'threat_actor': 'UNC6395',
 'title': 'Salesloft-Drift OAuth Token Breach',
 'type': ['Data Breach', 'Credential Theft', 'Supply Chain Attack'],
 'vulnerability_exploited': ['Weak OAuth Token Security',
                             'Lack of Multi-Layered Authentication for '
                             'Integrations',
                             'Over-Permissive Third-Party Access']}