Drift

The breach involving **Drift** (post-acquisition by Salesloft) exposed a critical vulnerability in third/fourth-party risk management. Attackers exploited **legacy OAuth tokens**—some potentially dormant for **18 months**—to infiltrate **Salesforce instances** and a **limited number of Google Workspace accounts** via Drift’s email integration. The compromise stemmed from inherited tokens, likely tied to Drift’s pre-acquisition integrations, highlighting gaps in M&A due diligence. While no large-scale data exfiltration was confirmed, the incident underscored systemic risks in **supply-chain attacks**, where dormant credentials in acquired entities become attack vectors. The breach did not involve direct customer data theft but raised concerns over **unauthorized access to enterprise systems**, reputational harm, and potential downstream financial fraud risks. Public disclosures did not confirm data leaks, but the exploitation of **authentication mechanisms** (OAuth) signals a sophisticated, multi-stage intrusion with implications for vendor trust and regulatory compliance.

Source: https://www.csoonline.com/article/4053891/what-the-salesloft-drift-breaches-reveal-about-4th-party-risk.html

TPRM report: https://www.rankiteo.com/company/drift

Incident record:

```json
{
  "id": "dri5832158091025",
  "linkid": "drift",
  "type": "Breach",
  "date": "9/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```
Incident analysis (Python dict, pretty-printed):

```python
{'affected_entities': [{'industry': 'Sales Engagement Platform',
                        'name': 'Salesloft',
                        'type': 'Company (Acquirer)'},
                       {'industry': 'Conversational Marketing/Sales',
                        'name': 'Drift',
                        'type': 'Company (Acquired by Salesloft in 2024)'},
                       {'industry': 'CRM',
                        'name': 'Salesforce (Customers of Salesloft/Drift)',
                        'type': 'Third-Party Service'},
                       {'customers_affected': 'Limited number of accounts',
                        'industry': 'Productivity/Email',
                        'name': 'Google Workspace (Customers of '
                                'Salesloft/Drift)',
                        'type': 'Third-Party Service'}],
 'attack_vector': ['Legacy OAuth Tokens',
                   'Fourth-Party Risk (Acquired Company)',
                   'M&A Inherited Vulnerabilities'],
 'data_breach': {'type_of_data_compromised': ['Salesforce Instance Data',
                                              'Google Workspace Email/Account '
                                              'Data']},
 'description': 'The recent SalesLoft Drift breaches revealed that '
                'organizations were compromised through their vendor’s '
                "acquired company (a 'fourth-party') via legacy OAuth tokens "
                'dormant for 18 months. Attackers abused OAuth tokens '
                'associated with the Drift application to access Salesforce '
                'instances and a limited number of Google Workspace accounts '
                'through Drift’s email integration. The incident highlights '
                'risks in M&A scenarios, particularly with inherited legacy '
                'tokens.',
 'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in M&A Due '
                                        'Diligence',
                                        'Concerns Over Third/Fourth-Party Risk '
                                        'Management'],
            'data_compromised': ['Salesforce Instance Data',
                                 'Limited Google Workspace Account Data'],
            'systems_affected': ['Salesforce (via Drift Connected App)',
                                 'Google Workspace (via Drift Email '
                                 'Integration)']},
 'initial_access_broker': {'entry_point': ['Legacy OAuth Tokens '
                                           '(Drift-Salesforce/Google Workspace '
                                           'Integrations)'],
                           'high_value_targets': ['Salesforce Instances',
                                                  'Google Workspace Accounts']},
 'investigation_status': 'Ongoing (public disclosures pending confirmation on '
                         'token provenance)',
 'lessons_learned': ['Legacy OAuth tokens from acquired companies pose '
                     'significant risks if not revoked or rotated '
                     'post-acquisition.',
                     'Fourth-party risks (vendor’s acquired companies) must be '
                     'explicitly addressed in third-party risk management '
                     'frameworks.',
                     'M&A due diligence must include a thorough audit of '
                     'inherited authentication mechanisms (e.g., OAuth tokens, '
                     'API keys).',
                     'Dormant credentials (e.g., 18-month-old tokens) are '
                     'prime targets for attackers and should be proactively '
                     'invalidated.'],
 'post_incident_analysis': {'root_causes': ['Failure to invalidate dormant '
                                            'OAuth tokens post-acquisition.',
                                            'Inadequate visibility into '
                                            'fourth-party (acquired company) '
                                            'risks.',
                                            'Over-reliance on inherited '
                                            'authentication mechanisms without '
                                            'reassessment.']},
 'recommendations': ['Implement automated token rotation policies, especially '
                     'post-acquisition.',
                     'Expand third-party risk assessments to include '
                     "'nth-party' risks (e.g., acquired subsidiaries of "
                     'vendors).',
                     'Conduct comprehensive authentication audits during M&A '
                     'integration, focusing on legacy systems.',
                     'Monitor for anomalous OAuth token usage, particularly '
                     'for integrations with high-value platforms (e.g., '
                     'Salesforce, Google Workspace).',
                     'Enforce least-privilege access for third-party '
                     'integrations and regularly review permissions.'],
 'title': 'SalesLoft Drift Breach via Legacy OAuth Tokens',
 'type': ['Unauthorized Access', 'Third-Party Breach', 'OAuth Token Abuse'],
 'vulnerability_exploited': ['Dormant OAuth Tokens (18 months old)',
                             'Improper Token Management Post-Acquisition']}
```