Salesloft Shuts Down Drift After OAuth Token Theft Exposes SaaS-to-SaaS Risk

CyberSecureFox 🦊

Salesloft has temporarily disabled the Drift platform effective September 5 following a large-scale supply chain intrusion in which attackers stole customer OAuth and refresh tokens. The shutdown is intended to enable full forensic analysis and harden defenses before restoring services.

What Happened: OAuth Token Theft Across Integrations

The incident centers on Salesloft Drift, which integrates the AI-powered Drift chatbot with CRM and other enterprise SaaS platforms. While initial reports focused on the Salesforce connection, subsequent investigation indicates that any platform integrated with Drift may be affected, including Google Workspace and additional SaaS applications. Stolen OAuth and refresh tokens could allow unauthorized access to connected systems.

Timeline and Potential Impact

According to Google, the campaign ran from August 8 to August 18, 2025 and exhibited signs of broad targeting. Researchers estimate that the compromise of Salesloft Drift may have impacted more than 700 organizations. Companies that have acknowledged exposure include Zscaler, Proofpoint, Palo Alto Networks, Workiva, PagerDuty, Exclaimer, and Cloudflare.

Attack Technique: Why Stolen OAuth and Refresh Tokens Matter

OAuth tokens permit applications to access data without sharing passwords, while refresh tokens extend that access beyond the access token’s short life. Theft of these tokens allows attackers to impersonate trusted applications, read or modify CRM records and email settings, and persist in cloud environments without triggering standard authentication checks. This is a well-documented risk in SaaS-to-SaaS ecosystems; prior incidents—such as the 2022 GitHub/Heroku OAuth token compromise and the 2023 CircleCI breach—demonstrated how token theft can enable lateral movement and data exfiltration across integrated services.

Attribution and Investigation Status

Google associates the activity with threat cluster UNC6395 (also referred to as GRUB1 by Cloudflare). The precise initial access vector into Salesloft Drift has not yet been determined. Salesloft reports working with third-party incident response teams from Mandiant and Coalition to investigate, contain, and remediate the intrusion.

Customer Impact and Service Availability

Salesloft states that disabling Drift is the fastest route to a comprehensive security reassessment of the application and its supporting infrastructure. During the investigation, the Drift chatbot will be unavailable on customer sites, and Drift Fastlane and Drift Email features are paused. No timeline has been provided for full restoration.

SaaS Supply Chain Risk: Lessons for OAuth Governance

The event underscores systemic exposure in SaaS-to-SaaS architectures, where trusted integrations and broad OAuth scopes can become conduits for lateral movement. Without tight privilege segmentation, short token lifetimes, and clear visibility into dependency chains, organizations may miss unauthorized access until anomalies appear in logs or data changes surface. Similar supply chain failures in recent years have shown that third-party app trust can be a single point of failure if not continuously validated.

What Organizations Should Do Now: Practical Controls

1) Rotate tokens and keys immediately: Revoke all OAuth grants associated with Drift; reissue refresh tokens and API keys for Salesforce, Google Workspace, and other linked SaaS platforms. Enforce re-consent for all affected integrations.

2) Harden authentication and authorization: Apply conditional access, least privilege, and minimal scopes. Reduce token time-to-live (TTL) and require step-up authentication for sensitive API actions.

3) Accelerate log review: Audit OAuth events and data access from August 8–18, 2025 and beyond. Hunt for source ASNs or geographies that deviate from each integration's baseline, changes to email rules and routing, and bulk read or export operations within CRM or document repositories.

4) Enhance detection and automation: Enable alerts for new token issuance, anomalous API behavior, and privilege escalations. Leverage SIEM/UEBA and CASB to baseline normal SaaS usage and surface deviations.

5) Strengthen third-party risk management: Require supplier transparency on integration chains and incident response. Maintain an up-to-date inventory of OAuth grants and conduct regular token revocation tests as part of tabletop exercises.
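The log review in step 3 can be scripted against exported SaaS audit records. The following is an added example, not code from the article or from Salesloft: it scores constructed newline-delimited JSON records for the indicators listed above (activity inside the August 8–18, 2025 window, a source ASN outside a hypothetical baseline for the integration, bulk row counts, and mail-routing changes) and reports records that match two or more.

```python
"""Triage connected-app audit records for the indicators described above.

Added example (not from the article or Salesloft). The baseline ASN set,
the bulk-row threshold and the sample records are all constructed.
"""
import json
from datetime import datetime, timezone

# Incident window reported by Google, treated here as UTC (assumption).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive

KNOWN_ASNS = {"AS16509"}   # hypothetical baseline for the Drift integration
BULK_THRESHOLD = 1000      # rows in one call counted as a bulk operation
MAIL_ACTIONS = {"mail_rule_create", "mail_forwarding_change"}


def assess(event, known_asns=KNOWN_ASNS, bulk_threshold=BULK_THRESHOLD):
    """Return the indicators one audit record matches (empty list = benign)."""
    findings = []
    ts = datetime.fromisoformat(event["ts"])
    if WINDOW_START <= ts < WINDOW_END:
        findings.append("in_incident_window")
    if event.get("asn") not in known_asns:
        findings.append("unknown_asn")
    if event.get("rows", 0) >= bulk_threshold:
        findings.append("bulk_operation")
    if event.get("action") in MAIL_ACTIONS:
        findings.append("mail_routing_change")
    return findings


def triage(lines, **kw):
    """Parse JSON-per-line records; return (id, findings) for records that
    fire at least two indicators, so a lone in-window event is not flagged."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        findings = assess(ev, **kw)
        if len(findings) >= 2:
            hits.append((ev["id"], findings))
    return hits


# Constructed sample records, not real log data.
SAMPLE = """
{"id":"e1","ts":"2025-08-10T03:12:00+00:00","app":"Drift","asn":"AS16509","action":"query","rows":12}
{"id":"e2","ts":"2025-08-12T02:45:00+00:00","app":"Drift","asn":"AS99999","action":"query","rows":50000}
{"id":"e3","ts":"2025-08-15T09:00:00+00:00","app":"Drift","asn":"AS99999","action":"mail_forwarding_change","rows":0}
{"id":"e4","ts":"2025-07-30T09:00:00+00:00","app":"Drift","asn":"AS16509","action":"query","rows":5}
"""

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE.splitlines()):
        print(event_id, ",".join(findings))
```

Real exports will differ in field names, so the record keys and the ASN baseline must be adapted to the platform's audit schema before use.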

The temporary shutdown of Salesloft Drift is a reminder that trusted app integrations can expand the blast radius of a single compromise. Organizations that proactively rotate tokens, constrain scopes, shorten token lifetimes, and continuously monitor SaaS activity will be better positioned to limit lateral movement and data exposure when—not if—supply chain threats emerge.
