Salesloft Drift OAuth Attack Exposes Salesforce Data at Major Firms

CyberSecureFox 🦊

A large-scale supply-chain intrusion involving the Salesloft Drift integration platform led to the theft of OAuth and refresh tokens and subsequent unauthorized access to Salesforce data across multiple enterprises. Confirmed victims include Zscaler, Palo Alto Networks, Cloudflare, Workiva, PagerDuty, Exclaimer, and others. According to Google, the campaign was widespread and also touched Google Workspace data in environments connected via Drift.

What happened: OAuth token theft via a third‑party Salesforce integration

Salesloft Drift links the Drift AI chatbot to Salesforce and other SaaS systems (including Slack and Google Workspace) to synchronize conversations, leads, and support requests. Between 8 and 18 August 2025, attackers obtained customer tokens used by Drift to integrate with Salesforce and used those tokens to extract CRM data via API access. Google recommended that any organization using Drift with Salesforce treat associated data as compromised.

Who is affected: confirmed incidents and scope

Zscaler: limited CRM exposure and phishing advisory

Zscaler reported that unauthorized actors accessed Drift credentials as part of the supply‑chain attack and obtained limited Salesforce data. The company stated its products, services, and infrastructure were not impacted, and it has seen no misuse of the exposed information. Zscaler urged customers to heighten vigilance against phishing and social engineering.

Palo Alto Networks: sales records and support context

Palo Alto Networks confirmed it was one of hundreds of victims targeted via Salesloft Drift. The incident was contained and the application disabled in its Salesforce environment. Exposed data included CRM contact details, related account information, and internal sales records. Support tickets were limited to contact info and text comments, with no files or attachments involved.

Cloudflare: 104 API tokens revoked and support ticket hygiene

Cloudflare disclosed unauthorized access to a Salesforce instance used for customer support. The company identified 104 Cloudflare API tokens that were exfiltrated and immediately revoked; no malicious activity using those tokens was observed. Cloudflare warned that some tickets may have included sensitive information (such as access tokens). Any credentials shared via support should be treated as compromised and rotated immediately.

Additional victims and attribution

Workiva, PagerDuty, Exclaimer, Tanium, SpyCloud, Astrix Security, and Cloudinary also reported Salesforce exposure. Google analysts associated the activity with threat group UNC6395, while a representative of ShinyHunters told BleepingComputer they were responsible. Previous leaks linked to ShinyHunters and the Salesforce ecosystem have touched brands such as Adidas, Qantas, Allianz Life, LVMH (Louis Vuitton, Dior, Tiffany & Co), Cisco.com, Chanel, and Pandora.

Why this matters: OAuth compromise is a force multiplier in SaaS

Stolen OAuth and refresh tokens are dangerous because they bypass passwords and MFA, providing persistent programmatic access to APIs and data. CRM platforms like Salesforce hold rich contact profiles, engagement history, and configuration artifacts, enabling targeted phishing, business email compromise (BEC), and follow‑on intrusions into connected SaaS. Industry guidance from NIST and the Cloud Security Alliance emphasizes that token abuse and over‑privileged integrations are a leading driver of SaaS risk. Real‑world incidents—from the 2022 OAuth token theft affecting software supply‑chain services to token abuse in later cloud campaigns—illustrate how adversaries pivot through trusted apps rather than breaching core infrastructure.

Risk reduction: immediate steps for Salesforce and SaaS estates

  • Revoke and rotate tokens tied to Drift and other connected apps; temporarily disable nonessential integrations while investigating.
  • Audit scopes and privileges for all Salesforce Connected Apps; enforce least privilege and minimize data access via granular scopes.
  • Review logs (Salesforce Event Monitoring, API Audit Trail) for anomalies from 8–18 August 2025 and thereafter, including unusual API clients, elevated query volumes, and atypical IPs or geographies.
  • Harden access controls: IP allowlisting, session restrictions, MFA, short‑lived tokens, and just‑in‑time access patterns.
  • Sanitize support workflows: prevent secrets in tickets and attachments with DLP; automatically redact API keys, OAuth tokens, and passwords from logs and case comments.
  • Rotate any credentials shared via support and notify affected customers and partners of preventative resets.
  • Continuously monitor SaaS posture with SSPM/CASB to detect risky integrations, anomalous token use, and misconfigurations across the SaaS estate.
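The log-review and ticket-hygiene steps above can be turned into a small script. The following is an added example, not code from the original article or from Salesloft, Salesforce or any of the named vendors: it scans a constructed API event log for the three anomaly types the advisory lists (unapproved API clients, atypical source IPs, elevated query volumes) from 8 August 2025 onward, and redacts API keys and bearer tokens from a support case comment before it is stored. The CSV column layout, the approved-app list, the expected IP range (an RFC 5737 test network) and the row-count threshold are all assumptions for the example, not Salesforce's real Event Monitoring schema or any vendor's actual values.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timezone

# Start of the review window named in the advisory (8 Aug 2025 "and thereafter").
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)

# Assumptions for this example: the connected apps the org expects to see,
# the address range its integrations normally call from (RFC 5737 test net),
# and a per-request row count above which a query is treated as bulk export.
APPROVED_APPS = {"Drift", "Internal Reporting"}
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BULK_ROWS_THRESHOLD = 10_000

# Constructed sample in a simplified CSV layout (not Salesforce's real column set).
SAMPLE_API_LOG = """timestamp,user,client_ip,application,operation,rows_processed
2025-08-05T10:00:00Z,integration@example.com,203.0.113.10,Drift,Query,120
2025-08-09T02:14:00Z,integration@example.com,198.51.100.7,Drift,Query,250000
2025-08-09T02:20:00Z,integration@example.com,198.51.100.7,python-requests,Query,80000
2025-08-12T11:30:00Z,analyst@example.com,203.0.113.22,Internal Reporting,Query,300
2025-08-20T09:00:00Z,integration@example.com,203.0.113.10,Drift,Query,150
"""

# Constructed support comment containing the kind of secrets that must never
# be persisted in a case.
SAMPLE_COMMENT = ("Customer pasted api_key=sk_test_ABCDEFGHIJ0123456789 and a header "
                  "'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJlLXBsYWNlaG9sZGVy' "
                  "into the ticket.")


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" form on every Python 3 version that has fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ip_is_expected(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_RANGES)


def find_anomalies(log_text: str) -> list[dict]:
    """Return one finding per API event in the window that trips any rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if _parse_ts(row["timestamp"]) < WINDOW_START:
            continue  # outside the period under review
        reasons = []
        if row["application"] not in APPROVED_APPS:
            reasons.append("unapproved_app")      # unusual API client
        if not _ip_is_expected(row["client_ip"]):
            reasons.append("atypical_ip")         # source outside expected ranges
        if int(row["rows_processed"]) >= BULK_ROWS_THRESHOLD:
            reasons.append("high_volume")         # bulk-export-sized query
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "application": row["application"],
                "client_ip": row["client_ip"],
                "reasons": reasons,
            })
    return findings


# Generic secret shapes; a production DLP rule set would carry vendor-specific
# token formats as well.
_BEARER = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")
_KEY_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|access[_-]?token|refresh[_-]?token|token|password|secret)"
    r"\s*[:=]\s*\S+"
)


def redact_secrets(text: str) -> tuple[str, int]:
    """Mask secrets in a case comment; returns (redacted text, number of redactions)."""
    text, n_keys = _KEY_ASSIGNMENT.subn(r"\1=[REDACTED]", text)
    text, n_bearer = _BEARER.subn("Bearer [REDACTED]", text)
    return text, n_keys + n_bearer


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_API_LOG):
        print(finding)
    clean, count = redact_secrets(SAMPLE_COMMENT)
    print(f"{count} secret(s) redacted: {clean}")
```

Run against the constructed log, the two 9 August events from 198.51.100.7 are flagged (the second one also for the unexpected `python-requests` client), while the pre-window event and the benign in-range traffic are not; the comment comes back with both the API key and the bearer token masked while the field names stay readable for the support agent. Feeding real Event Monitoring exports into `find_anomalies` only requires mapping their column names onto the assumed ones.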

The Salesloft Drift incident underscores that the security of a SaaS ecosystem is determined by its least‑protected integration. Organizations should reassess trust in third‑party apps, pare back scopes, automate token lifecycle management, and train staff to recognize targeted phishing originating from harvested CRM data. Proactive auditing, consistent configuration monitoring, and regular secret rotation can significantly limit blast radius and improve resilience against the next supply‑chain campaign.
