In August 2025, hackers breached **Salesloft’s SaaS platform** by stealing **OAuth access tokens** linked to its **Drift chatbot integration with Salesforce**. The attackers exploited these tokens—functioning as trusted non-human identities—to impersonate the integration and gain unauthorized access to **Salesforce CRM data across hundreds of organizations**. Over a **10-day campaign**, they exfiltrated sensitive records, including **stored credentials like AWS keys and Snowflake tokens** from support case attachments. The breach highlighted the risks of **unmonitored machine identities** with excessive privileges, enabling large-scale data theft without traditional human account compromises.
Source: https://thehackernews.com/expert-insights/2025/11/whos-really-using-your-saas-rise-of-non.html
TPRM report: https://www.rankiteo.com/company/salesloft
{
"id": "sal0932309111025",
"linkid": "salesloft",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Hundreds of organizations (via '
'Salesforce CRM access)',
'industry': 'Sales Engagement/CRM',
'name': 'Salesloft',
'type': 'SaaS Platform'},
{'industry': 'Conversational Marketing',
'name': 'Drift',
'type': 'Chatbot Integration'},
{'customers_affected': 'Hundreds of organizations',
'industry': 'Customer Relationship Management',
'name': 'Salesforce (via Drift integration)',
'type': 'CRM Platform'},
{'industry': 'News/Publishing',
'location': 'New York, USA',
'name': 'The New York Times',
'type': 'Media Organization'},
{'industry': 'Software Development',
'name': "GitHub (New York Times' repository)",
'type': 'Code Hosting Platform'},
{'industry': 'Cybersecurity/CDN',
'name': 'Cloudflare',
'type': 'Web Infrastructure/Security'},
{'industry': 'Software Development',
'name': 'Atlassian (Jira, Confluence, Bitbucket)',
'type': 'Collaboration/DevOps Tools'}],
'attack_vector': ['Compromised OAuth Tokens (Non-Human Identity)',
'Exposed GitHub API Token (Non-Human Identity)',
'Orphaned API Token (Non-Human Identity)'],
'data_breach': {'data_encryption': [None, None, None],
'data_exfiltration': ['Yes (sensitive records, credentials)',
'Yes (270 GB of data)',
'Likely (unauthorized access to '
'Atlassian data)'],
'file_types_exposed': ['CRM records, support case attachments '
'(containing credentials)',
'Source code files, internal '
'documentation',
'Jira tickets, Confluence pages, '
'Bitbucket repositories'],
'number_of_records_exposed': [None, None, None],
'personally_identifiable_information': ['Possible (via CRM '
'data)',
'Possible (in source '
'code/comments)',
'Possible (in '
'Atlassian data)'],
'sensitivity_of_data': ['High (credentials, CRM data)',
'High (source code, internal data)',
'High (Atlassian suite data)'],
'type_of_data_compromised': ['CRM data (Salesforce), AWS '
'keys, Snowflake tokens',
'Internal source code (270 GB), '
'proprietary data',
'Atlassian suite data (Jira, '
'Confluence, Bitbucket)']},
'date_detected': ['2025-08', '2024-01', '2023'],
'description': ["In August 2025, hackers breached Salesloft's SaaS platform "
'and stole OAuth access tokens for its Drift chatbot '
'integration with Salesforce. By hijacking these tokens '
'(which function as a trusted non-human identity between '
'Drift and Salesforce), the attackers were able to '
'impersonate the integration and access Salesforce CRM data '
'at hundreds of organizations. Over a ten-day campaign, they '
'used this backdoor to query and exfiltrate sensitive '
'records, even pulling stored credentials like AWS keys and '
'Snowflake tokens from support case attachments.',
'In January 2024, the New York Times suffered a breach not '
'through a phished password or zero-day exploit, but via an '
'exposed GitHub API token. Attackers discovered a token '
"credential for the Times' cloud code repository, which had "
'inadvertently been made public, and used it to access about '
'270 GB of internal source code and data. This token acted as '
'a non-human identity with broad privileges, allowing direct '
'repository access without any interactive login.',
'The fallout from the 2023 Okta breach revealed the danger of '
'orphaned and unrotated service credentials. Cloudflare, an '
'Okta customer, had rotated some 5,000 user credentials after '
'the incident. However, an overlooked non-human account (an '
'API token tied to a service account) remained active. '
'Attackers leveraged that one leftover token (with its '
'associated service credentials) to gain access to '
"Cloudflare's Atlassian suite (Jira, Confluence, Bitbucket), "
'effectively bypassing the human password reset effort.'],
'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
'unauthorized CRM data access',
'Reputational risk from exposure of '
'internal source code',
'Reputational impact from unauthorized '
'access to Atlassian suite'],
'conversion_rate_impact': [None, None, None],
'customer_complaints': [None, None, None],
'data_compromised': ['Salesforce CRM data (including AWS keys and '
'Snowflake tokens from support case '
'attachments)',
'270 GB of internal source code and data',
"Access to Cloudflare's Atlassian suite "
'(Jira, Confluence, Bitbucket)'],
'downtime': [None, None, None],
'financial_loss': [None, None, None],
'identity_theft_risk': ['High (AWS keys and Snowflake tokens '
'exposed)',
'Moderate (internal credentials '
'potentially exposed in source code)',
'Moderate (potential access to sensitive '
'Atlassian data)'],
'legal_liabilities': [None, None, None],
'operational_impact': ['Unauthorized access to CRM data across '
'hundreds of organizations',
'Exposure of internal source code and '
'proprietary data',
'Bypass of human password reset efforts, '
'enabling stealthy backdoor access'],
'payment_information_risk': [None, None, None],
'revenue_loss': [None, None, None],
'systems_affected': ['Salesforce CRM (via Drift integration)',
"GitHub (New York Times' cloud code "
'repository)',
'Atlassian Suite (Jira, Confluence, '
'Bitbucket)']},
'initial_access_broker': {'backdoors_established': ['Yes (via hijacked OAuth '
'tokens)',
'Yes (via exposed API '
'token)',
'Yes (via unrotated '
'service token)'],
'data_sold_on_dark_web': [None, None, None],
'entry_point': ['Compromised OAuth tokens '
'(Drift-Salesforce integration)',
'Exposed GitHub API token (public '
'repository)',
'Orphaned API token (Okta service '
'account)'],
'high_value_targets': ['Salesforce CRM data, '
'AWS/Snowflake credentials',
'Internal source code (270 '
'GB)',
'Atlassian suite (Jira, '
'Confluence, Bitbucket)'],
'reconnaissance_period': [None, None, None]},
'lessons_learned': ['Non-human identities (NHIs) such as OAuth tokens, API '
'keys, and service accounts are high-value targets for '
'attackers due to their broad privileges and lack of '
'oversight. Organizations must extend identity security '
'controls to include NHIs, not just human users.',
'Publicly exposed API tokens can act as unguarded '
'backdoors, granting attackers direct access to sensitive '
'systems without needing to bypass interactive login '
'protections. Token hygiene (e.g., avoiding public '
'exposure, enforcing least privilege) is critical.',
'Orphaned or unrotated service credentials can undermine '
'incident response efforts. Even after rotating human '
'credentials, overlooked NHIs can provide attackers with '
'persistent access. Comprehensive credential rotation '
'must include all identities—human and non-human.',
'Dynamic SaaS Security Platforms are essential for '
'discovering, monitoring, and securing NHIs. Traditional '
'identity controls are insufficient for the scale and '
'complexity of machine identities in modern SaaS '
'environments.'],
'motivation': ['Data Exfiltration', 'Data Theft', 'Unauthorized Access'],
'post_incident_analysis': {'corrective_actions': ['Adopt a **Dynamic SaaS '
'Security Platform** to '
'automate discovery, '
'monitoring, and '
'remediation of NHIs.',
'Implement **least '
'privilege enforcement** '
'for all NHIs, auditing and '
'restricting access scopes '
'to the minimum required.',
'Deploy **real-time anomaly '
'detection** for NHI '
'behavior, with automated '
'responses to suspicious '
'activity (e.g., token '
'revocation).',
'Establish **automated '
'credential rotation** for '
'NHIs, ensuring tokens and '
'keys are regularly '
'refreshed and unused '
'credentials are disabled.',
'Conduct **comprehensive '
'NHI inventories** across '
'all SaaS applications, '
'classifying identities by '
'type and risk level.',
'Integrate **NHI security '
'into IAM strategies**, '
'treating machine '
'identities with the same '
'rigor as human accounts.',
'Enforce **compensating '
'controls** for NHIs (e.g., '
'IP restrictions, session '
'monitoring) where MFA is '
'not applicable.',
'Educate security and '
'DevOps teams on the risks '
'of NHIs and the importance '
'of token hygiene (e.g., '
'avoiding hardcoding, '
'public exposure).'],
'root_causes': ['Lack of visibility and oversight '
'for non-human identities (OAuth '
'tokens) with excessive '
'privileges.',
'Public exposure of a GitHub API '
'token due to misconfiguration or '
'lack of secret management.',
'Incomplete incident response: '
'human credentials were rotated, '
'but non-human credentials (API '
'tokens) were overlooked, leaving '
'a backdoor open.',
'Overprivileged NHIs: integrations '
'and tokens had broader access '
'than necessary, increasing the '
'blast radius of compromises.']},
'ransomware': {'data_encryption': [None, None, None],
'data_exfiltration': ['Yes', 'Yes', 'Likely'],
'ransom_demanded': [None, None, None],
'ransom_paid': [None, None, None],
'ransomware_strain': [None, None, None]},
'recommendations': ['Implement **unified visibility** of all non-human '
'identities (OAuth apps, API keys, service accounts, '
'bots) across SaaS applications using automated discovery '
'tools.',
'Enforce **least privilege** for NHIs by auditing and '
'restricting overly permissive access scopes. Ensure '
'integrations and tokens can only access the data they '
'explicitly require.',
'Deploy **continuous anomaly monitoring** to detect '
'deviations in NHI behavior (e.g., unusual access times, '
'data volumes, or locations). Baseline normal activity '
'and flag anomalies in real time.',
'Automate **credential rotation and expiration** for all '
'NHIs. Use platforms that detect stale tokens, rotate '
'secrets regularly, and disable unused credentials.',
'Apply **compensating controls** for NHIs where MFA is '
'not feasible (e.g., IP restrictions, scoped access, '
'session monitoring).',
'Maintain a **real-time inventory** of third-party '
'integrations, especially those connected via user '
'consent (OAuth), and verify their legitimacy and '
'security posture.',
'Disable **orphaned or ghost NHIs** (credentials not tied '
'to active workflows or users), as these are prime '
'targets for attackers.',
'Leverage **Dynamic SaaS Security Platforms** (e.g., '
'Reco) to automate detection, response, and remediation '
'for NHI-related risks, including token revocation and '
'integration quarantine.',
'Conduct **regular audits** of NHI permissions and usage '
'context. Classify NHIs by type (e.g., integrations, AI '
'assistants, RPA bots) to tailor risk controls '
'appropriately.',
'Educate teams on the risks of NHIs and integrate NHI '
'security into broader **identity and access management '
'(IAM)** strategies.'],
'references': [{'source': "Reco Blog: 'The Hidden Risk of Non-Human "
"Identities in SaaS'"},
{'source': 'Author: Gal Nakash (CPO and Cofounder, Reco)'}],
'regulatory_compliance': {'fines_imposed': [None, None, None],
'legal_actions': [None, None, None],
'regulations_violated': [None, None, None],
'regulatory_notifications': [None, None, None]},
'response': {'adaptive_behavioral_waf': [None, None, None],
'communication_strategy': [None, None, None],
'containment_measures': [None,
'Token revocation (post-incident)',
'Token revocation (post-discovery of '
'compromise)'],
'enhanced_monitoring': [None, None, None],
'incident_response_plan_activated': [None,
None,
'Partial (5,000 user '
'credentials rotated, but '
'NHI token overlooked)'],
'law_enforcement_notified': [None, None, None],
'network_segmentation': [None, None, None],
'on_demand_scrubbing_services': [None, None, None],
'recovery_measures': [None, None, None],
'remediation_measures': [None, None, None],
'third_party_assistance': [None, None, None]},
'title': ['Salesloft/Drift OAuth Token Breach (2025)',
'New York Times GitHub Token Leak (2024)',
'Cloudflare Atlassian Compromise (2023)'],
'type': ['Data Breach (OAuth Token Compromise)',
'Data Breach (API Token Leak)',
'Unauthorized Access (Service Account Token Compromise)'],
'vulnerability_exploited': ['Overprivileged OAuth Tokens',
'Publicly Exposed API Token',
'Unrotated Service Account Token']}