Salesloft, Zscaler, Drift and Palo Alto Networks: Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches

The Great SaaS Breach of 2025: How a Single OAuth Token Compromised 700+ Organizations

A new report from Grip Security, based on an analysis of 23,000 SaaS environments, reveals alarming trends in SaaS security and uncovers critical vulnerabilities. Every company examined runs AI-embedded SaaS applications, public SaaS attacks are up 490% year over year, and 80% of incidents involve PII or customer data. The most concerning finding is that the average organization is exposed to roughly 140 AI-enabled SaaS environments, each a potential vector for a cascading breach.

The Salesloft Drift incident, dubbed the "Great SaaS Breach of 2025," exemplifies this risk. The UNC6395 attackers first compromised Salesloft’s GitHub repositories, then pivoted into Drift’s AWS environment and stole the OAuth access and refresh tokens that customers had issued to connect the Drift chatbot to Salesforce, Slack and other applications. Because a valid OAuth token is indistinguishable from the legitimate integration, the attackers could act as Drift and pull data from the Salesforce instances of more than 700 organizations, including Cloudflare, Palo Alto Networks, Zscaler and CyberArk.
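How a stolen integration token shows up in telemetry, as an added example (this is not code from the original page, from Grip, Salesloft or Salesforce): the script baselines one connected app on the egress networks its vendor publishes, the operations it legitimately performs and its normal hourly record volume, then flags the same OAuth client appearing from unknown infrastructure, performing unexpected operations or pulling data in bulk. The event schema, the "Drift Chatbot" baseline (203.0.113.0/24 and 198.51.100.77 are documentation addresses), the timestamps and every sample event are constructed for the example, and the function names (detect_token_abuse, containment_actions) are my own; the log shape is a simplified stand-in for a SaaS platform's API event log, not Salesforce's real format.

```python
"""Detect a connected app's OAuth token being used outside its baseline.

Added example. The event schema, the baseline and the sample events are
constructed: a simplified stand-in for a SaaS platform's API event log."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ApiEvent:
    ts: str             # ISO-8601 timestamp, UTC (constructed)
    connected_app: str  # OAuth client the bearer token was issued to
    source_ip: str      # address the API call came from
    operation: str      # query / insert / update / export
    rows: int           # records touched by the call


@dataclass(frozen=True)
class Finding:
    connected_app: str
    hour: str
    reason: str
    detail: str


# Hypothetical baseline for one integration: the vendor's published egress
# range (203.0.113.0/24 is a documentation prefix), the operations the
# integration is expected to perform, and its normal hourly volume.
BASELINES = {
    "Drift Chatbot": {
        "egress": [ip_network("203.0.113.0/24")],
        "operations": {"query", "insert", "update"},
        "max_rows_per_hour": 5_000,
    },
}
ABUSE_REASONS = {"off_range_source", "unexpected_operation", "volume_spike"}


def hour_bucket(ts: str) -> str:
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")


def detect_token_abuse(events, baselines=BASELINES):
    """A stolen refresh token yields a valid bearer token, so the session
    looks legitimate; what changes is where calls come from, what they do
    and how much they pull. Return one Finding per deviation."""
    findings, rows_per_hour, reported_ips = [], defaultdict(int), set()
    for ev in events:
        hour = hour_bucket(ev.ts)
        base = baselines.get(ev.connected_app)
        if base is None:  # nobody inventoried this integration
            findings.append(Finding(ev.connected_app, hour, "unknown_app",
                                    "no baseline on file (shadow integration)"))
            continue
        off_range = not any(ip_address(ev.source_ip) in net for net in base["egress"])
        if off_range and (ev.connected_app, ev.source_ip) not in reported_ips:
            reported_ips.add((ev.connected_app, ev.source_ip))
            findings.append(Finding(ev.connected_app, hour, "off_range_source",
                                    f"{ev.source_ip} outside the vendor's published egress"))
        if ev.operation not in base["operations"]:
            findings.append(Finding(ev.connected_app, hour, "unexpected_operation",
                                    f"{ev.operation} not in the integration's profile"))
        rows_per_hour[(ev.connected_app, hour)] += ev.rows
    for (app, hour), rows in sorted(rows_per_hour.items()):
        limit = baselines[app]["max_rows_per_hour"]
        if rows > limit:
            findings.append(Finding(app, hour, "volume_spike",
                                    f"{rows} rows in one hour (baseline {limit})"))
    return findings


def containment_actions(findings):
    """A stolen refresh token keeps minting access tokens until the grant
    itself is revoked, so the response targets the authorisation, not a session."""
    apps = sorted({f.connected_app for f in findings if f.reason in ABUSE_REASONS})
    return [f"revoke every access and refresh token issued to '{app}', then "
            "re-authorise it from the vendor's published egress only" for app in apps]


# Constructed sample: three ordinary calls, then the same client from an
# address the vendor never published, pulling whole objects at once.
SAMPLE_EVENTS = [
    ApiEvent("2025-06-01T14:02:11", "Drift Chatbot", "203.0.113.10", "query", 120),
    ApiEvent("2025-06-01T14:05:40", "Drift Chatbot", "203.0.113.11", "insert", 3),
    ApiEvent("2025-06-01T15:10:02", "Drift Chatbot", "203.0.113.10", "update", 2),
    ApiEvent("2025-06-02T02:14:33", "Drift Chatbot", "198.51.100.77", "query", 80_000),
    ApiEvent("2025-06-02T02:16:05", "Drift Chatbot", "198.51.100.77", "export", 140_000),
]

if __name__ == "__main__":
    found = detect_token_abuse(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.hour} {f.connected_app}: {f.reason} ({f.detail})")
    for action in containment_actions(found):
        print("ACTION:", action)
```

The point of the containment step is that killing sessions is not enough: as long as the refresh token is valid the attacker can mint a fresh access token, so the connected app's grant itself has to be revoked and then re-established, ideally with the vendor's egress range pinned in an IP allow-list where the platform supports one.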

The attack exploited shadow AI: AI embedded in SaaS apps without formal oversight, adopted by business teams for efficiency and rarely audited for its security implications. OAuth tokens, treated as routine access credentials, became the weak link. Once stolen (in general often via infostealers; here, lifted from the vendor's own cloud environment), a token grants an attacker the same access as the integration it belongs to, with no interactive login and no MFA prompt to notice, and lets them cascade through connected systems via what Grip calls the IdentityMesh: the interlinked web of identities and OAuth grants that connects SaaS and AI applications, so that one compromised credential becomes a path into many systems.
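The cascade described above can be reasoned about from an OAuth grant inventory. As an added example (not code from the page, from Grip or from any vendor named here), the script below models it: one stolen client credential reaches every resource that client was authorised for, and continues only through resources that themselves hold a credential for something else (an API key pasted into a support ticket, a token in a chat channel). A reached resource's own outbound integrations are not inherited, because those use the resource's credentials, not the stolen one. The inventory, the edge kinds and the scope names are constructed; the `refresh_token`/`offline_access` check assumes those are the scopes that mint long-lived tokens, which is the convention of several providers but should be confirmed against the one in use.

```python
"""Blast radius of one stolen OAuth client credential across connected SaaS.

Added example; the grant inventory below is constructed, the kind of map a
SaaS-discovery tool would produce for one tenant."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    src: str           # who holds the access
    dst: str           # what it reaches
    kind: str          # "oauth_grant": client app -> resource it was authorised for
                       # "stored_credential": resource -> system whose secret sits inside it
    scopes: frozenset  # OAuth scopes on a grant; empty for stored credentials


# Assumed to mint long-lived tokens (provider-specific; check yours).
LONG_LIVED = frozenset({"refresh_token", "offline_access"})

INVENTORY = [
    Edge("Drift Chatbot", "Salesforce", "oauth_grant",
         frozenset({"api", "refresh_token"})),
    Edge("Drift Chatbot", "Slack", "oauth_grant",
         frozenset({"chat:write", "channels:history"})),
    # A warehouse API key pasted into a support case: reachable by anyone
    # who can read Salesforce data.
    Edge("Salesforce", "Data Warehouse", "stored_credential", frozenset()),
    # Slack's own integration with a file store. Reading Slack with Drift's
    # token does not hand over Slack's client credentials, so this edge is
    # not part of Drift's blast radius.
    Edge("Slack", "File Store", "oauth_grant", frozenset({"files.read"})),
    Edge("HR Portal", "Identity Provider", "oauth_grant", frozenset({"users.read"})),
]


def blast_radius(client, inventory=INVENTORY):
    """Map each reachable resource to the path a stolen token for `client` takes."""
    outgoing = defaultdict(list)
    for e in inventory:
        outgoing[e.src].append(e)
    reached, queue = {}, deque()
    # First hop: everything the client itself was granted.
    for e in outgoing[client]:
        if e.kind == "oauth_grant" and e.dst not in reached:
            reached[e.dst] = [client, e.dst]
            queue.append(e.dst)
    # Further hops only through secrets stored inside what is already reached.
    while queue:
        node = queue.popleft()
        for e in outgoing[node]:
            if e.kind == "stored_credential" and e.dst not in reached:
                reached[e.dst] = reached[node] + [e.dst]
                queue.append(e.dst)
    return reached


def persistent_grants(client, inventory=INVENTORY):
    """Grants that survive access-token expiry: the ones to revoke first."""
    return sorted(e.dst for e in inventory
                  if e.src == client and e.kind == "oauth_grant" and e.scopes & LONG_LIVED)


def report(client, inventory=INVENTORY):
    radius = blast_radius(client, inventory)
    lines = [f"compromise of '{client}' reaches {len(radius)} system(s):"]
    for dst, path in sorted(radius.items()):
        lines.append("  " + " -> ".join(path))
    lines.append(f"long-lived grants to revoke first: {persistent_grants(client, inventory)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Drift Chatbot"))
```

The distinction between the two edge kinds is what makes the inventory useful for governance: the first hop is fixed by what was approved when the integration was installed, while the second depends on what users later paste into the systems it can read, which is why the report's "continuous discovery" has to cover data as well as grants.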

The report warns that 2026 could bring even larger breaches as autonomous workflows outpace security controls. Regulation is emerging but remains fragmented, conflicting and unevenly enforced. Grip's prescription is dynamic governance: replace static, one-time approvals with continuous discovery, oversight and risk-based controls, and treat each AI integration as a managed third-party risk.

The incident underscores that AI is not a future threat but a present one that is already reshaping business risk; without proactive measures, the blast radius of a single breach will only grow.

Source: https://www.securityweek.com/the-shadow-ai-problem-how-saas-apps-are-quietly-enabling-massive-breaches/

Zscaler cybersecurity rating report: https://www.rankiteo.com/company/zscaler

Palo Alto Networks cybersecurity rating report: https://www.rankiteo.com/company/palo-alto-networks

Drift, a Salesloft company cybersecurity rating report: https://www.rankiteo.com/company/drift

Salesloft cybersecurity rating report: https://www.rankiteo.com/company/salesloft

{
  "id": "ZSCPALDRISAL1773852939",
  "linkid": "zscaler, palo-alto-networks, drift, salesloft",
  "type": "Breach",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {"industry": "Technology", "name": "Salesloft", "type": "SaaS Provider"},
    {"customers_affected": "700+", "industry": "Technology", "name": "Drift", "type": "SaaS Provider"},
    {"industry": "Cybersecurity", "name": "Cloudflare", "type": "Organization"},
    {"industry": "Cybersecurity", "name": "Palo Alto Networks", "type": "Organization"},
    {"industry": "Cybersecurity", "name": "Zscaler", "type": "Organization"},
    {"industry": "Cybersecurity", "name": "CyberArk", "type": "Organization"}
  ],
  "attack_vector": "OAuth Token Theft",
  "data_breach": {
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "PII, Customer Data, OAuth Tokens, Refresh Tokens"
  },
  "date_publicly_disclosed": "2025",
  "description": "A new report from Grip Security reveals alarming trends in SaaS security, analyzing 23,000 SaaS environments and uncovering critical vulnerabilities. The Salesloft Drift incident, dubbed the 'Great SaaS Breach of 2025,' involved UNC6395 attackers compromising Salesloft’s GitHub repositories, then pivoting to Drift’s AWS environment to steal OAuth and refresh tokens. These tokens were used to breach Salesforce installations across 700+ organizations, including Cloudflare, Palo Alto Networks, Zscaler, and CyberArk, by impersonating the Drift Chatbot.",
  "impact": {
    "brand_reputation_impact": "High",
    "data_compromised": "PII, Customer Data, OAuth Tokens, Refresh Tokens",
    "identity_theft_risk": "High",
    "operational_impact": "Cascading breaches through connected systems",
    "systems_affected": "Salesforce, Slack, Drift Chatbot, AWS Environments"
  },
  "initial_access_broker": {
    "entry_point": "Salesloft’s GitHub repositories",
    "high_value_targets": "Drift’s AWS environment, OAuth/Refresh Tokens"
  },
  "lessons_learned": "The incident underscores the risks of shadow AI and IdentityMesh, where AI-embedded SaaS applications lack formal oversight. OAuth tokens, treated as routine access credentials, can become critical weak links if stolen. The attack highlights the need for dynamic governance, continuous oversight, and risk-based controls to manage AI as a third-party risk.",
  "post_incident_analysis": {
    "corrective_actions": "Dynamic governance, continuous oversight, risk-based controls for AI-enabled SaaS environments",
    "root_causes": "Shadow AI, lack of formal oversight for AI-embedded SaaS applications, weak OAuth token security, IdentityMesh vulnerabilities"
  },
  "recommendations": "Replace static approvals with dynamic governance, implement continuous oversight, and adopt risk-based controls for AI-enabled SaaS environments. Treat AI as a managed third-party risk to mitigate cascading breaches.",
  "references": [{"source": "Grip Security Report"}],
  "threat_actor": "UNC6395",
  "title": "The Great SaaS Breach of 2025: How a Single OAuth Token Compromised 700+ Organizations",
  "type": "Data Breach",
  "vulnerability_exploited": "Shadow AI, IdentityMesh, Infostealers"
}