Date: 2025-09-10
There is hardly any modern business operation that can do without Software-as-a-Service (SaaS) platforms. From CRM systems that hold customer histories to collaboration tools that connect entire workforces, these platforms have become the backbone of enterprise activity. Their central role, however, also makes them increasingly attractive to threat actors.
This was the case when Google’s Threat Intelligence Group (GTIG) and Mandiant disclosed an attack against Salesforce instances connected through the Salesloft Drift integration in August 2025. The campaign, attributed to a group identified as UNC6395, ran quietly for more than a week, collecting customer records and access tokens.
Here is a look at how the breach unfolded, the integration challenges that live within SaaS platforms, and what steps enterprises can take to reduce their exposure.
Key Takeaways
- Attackers exploited Salesloft Drift OAuth tokens to access Salesforce and other platforms.
- SaaS platforms remain attractive targets because of the huge volume of critical data they store.
- If not revoked promptly, compromised tokens can give attackers persistent access across multiple services.
- Organizations must audit integrations, rotate credentials, and enforce least-privilege access.
- Improved oversight of user permissions and integration activity is essential to limit potential breaches.
How Salesloft Drift Opened the Door
GTIG reported that between August 8 and 18, 2025, attackers used compromised OAuth tokens from Drift to move into Salesforce customer environments. Drift is an AI-powered third-party application commonly used to support sales and communication workflows, but in this case, its connection to Salesforce created the opening. OAuth tokens gave UNC6395 the same level of access as legitimate users and let them operate without setting off obvious alarms.
Drift's owner, Salesloft, acknowledged the breach on August 20, saying:
“Today, we detected a security issue in the Drift application. Out of an abundance of caution, we have proactively revoked connections between Drift and Salesforce, and we are asking Drift admins to re-authenticate their Salesforce connection.”
Although previous advisories on the incident limited the breach to AWS keys and Snowflake tokens, the latest updates from Google say the threat actors also compromised tokens for Drift Email.
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the ‘Drift Email’ integration,” the update read.
Google went on to ask Salesloft Drift customers “to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Further reports from Krebs on Security reveal that the compromise extended to tokens linked to hundreds of services, including Microsoft Azure, Amazon S3, Slack, and OpenAI.
As of September 2, 2025, Palo Alto Networks announced that it has joined the list of companies affected by the incident.
SaaS Integration Risk Never Goes Away
The Salesforce incident reminds us once again why threat actors are always on the lookout for any security flaws in SaaS systems. Records found in these systems can easily be monetized directly or repurposed in follow-on attacks. And unauthorized access to one means access to many more integrated platforms.
Even with this risk, many organizations do not fully understand the complexities associated with third-party integrations, or even the default configurations of the SaaS platforms themselves.
Last year, Wing Security (Wing) analyzed 493 companies and found a wide range of threats within the SaaS landscape. The analysis showed how 97% of organizations faced exposure to threats from compromised SaaS supply chain applications.
The story is similar when one takes a look at a Valence report, which linked the SaaS-related campaign that affected about 2.6 million users via Google Chrome extensions to poor monitoring of OAuth tokens and third-party integrations.
These incidents have become recurring enough to suggest that many SaaS platforms ship with permissive, easy-to-configure default settings that prioritize usability over security. Many organizations often assume these defaults are safe or expect their cloud provider to manage security, but in practice, default configurations can leave broad access permissions, relaxed authorization, and exposed network settings.
Actions to Take to Protect Your Business Now
The lessons from the Drift incident extend far beyond Salesforce. They underline the adjustments enterprises need to make in order to contain this class of threat. Some of the right actions to take are summed up below:
- Investigate for compromise: Teams should thoroughly review all third-party integrations and check logs for bulk queries and other anomalies. Every unusual OAuth token should be treated as suspect until proven otherwise.
- Revoke and rotate credentials: Compromised tokens, API keys, and service passwords must be revoked and replaced quickly. This cuts off access and prevents attackers from maintaining persistence.
- Harden access controls: Organizations should enforce stricter login policies, apply least-privilege principles, and set boundaries for API use, especially when third parties are involved.
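The three steps above (check integration logs for bulk queries and out-of-scope activity, then revoke the tokens of anything suspicious) can be turned into a small detector. The script below is an added example written for this article; it is not code from Salesloft, Google or Salesforce. It reads a constructed, simplified JSON-lines audit log (field names such as `app`, `object` and `rows` are my own schema, not Salesforce's EventLogFile format), compares each connected app's activity against an assumed per-app allowlist of objects, flags single queries above a bulk threshold, and lists the apps whose tokens should be revoked and re-issued.

```python
"""
Added example (not from the article or any vendor): scan constructed
Salesforce-style API audit records for the signals the article says to look
for after an integration compromise: bulk record pulls by a connected app,
a connected app touching objects outside its granted scope, and activity from
an app that is not in the integration inventory at all.
"""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line, simplified schema (assumed).
SAMPLE_LOG = """
{"ts": "2025-08-09T02:11:03Z", "app": "drift-chat", "user": "svc-drift", "op": "query", "object": "Lead", "rows": 40}
{"ts": "2025-08-09T02:12:10Z", "app": "drift-chat", "user": "svc-drift", "op": "query", "object": "Contact", "rows": 55}
{"ts": "2025-08-09T03:40:00Z", "app": "drift-chat", "user": "svc-drift", "op": "query", "object": "Case", "rows": 120000}
{"ts": "2025-08-09T03:41:30Z", "app": "drift-chat", "user": "svc-drift", "op": "query", "object": "Account", "rows": 95000}
{"ts": "2025-08-09T03:42:00Z", "app": "drift-chat", "user": "svc-drift", "op": "query", "object": "User", "rows": 3000}
{"ts": "2025-08-09T09:00:00Z", "app": "billing-sync", "user": "svc-billing", "op": "query", "object": "Account", "rows": 800}
{"ts": "2025-08-09T09:05:00Z", "app": "billing-sync", "user": "svc-billing", "op": "query", "object": "Opportunity", "rows": 2500}
{"ts": "2025-08-09T10:15:00Z", "app": "legacy-export", "user": "admin", "op": "query", "object": "Contact", "rows": 500}
"""

# Assumed inventory: the objects each integration legitimately needs.
APP_SCOPES = {
    "drift-chat": {"Lead", "Contact"},
    "billing-sync": {"Account", "Opportunity"},
}

# A single query returning more rows than this is treated as a bulk pull (assumed value).
BULK_ROWS_THRESHOLD = 10_000


def parse_records(log_text):
    """Parse one JSON object per non-empty line; skip lines that are not valid JSON."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # real exports may contain headers or truncated lines; ignore them
    return records


def rows_per_app(log_text):
    """Total rows pulled per connected app, to spot an app that suddenly pulls far more than usual."""
    totals = defaultdict(int)
    for rec in parse_records(log_text):
        totals[rec["app"]] += int(rec.get("rows", 0))
    return dict(totals)


def analyze(log_text, app_scopes=APP_SCOPES, bulk_threshold=BULK_ROWS_THRESHOLD):
    """Return a list of findings; each is a dict with kind, app, ts and detail."""
    findings = []
    for rec in parse_records(log_text):
        app, obj, rows = rec["app"], rec.get("object"), int(rec.get("rows", 0))
        allowed = app_scopes.get(app)
        if allowed is None:
            # Activity from an app nobody inventoried is itself a finding.
            findings.append({"kind": "unknown_app", "app": app, "ts": rec["ts"], "detail": obj})
        elif obj not in allowed:
            findings.append({"kind": "out_of_scope", "app": app, "ts": rec["ts"], "detail": obj})
        if rows > bulk_threshold:
            findings.append({"kind": "bulk_query", "app": app, "ts": rec["ts"], "detail": rows})
    return findings


def apps_to_revoke(findings):
    """Every app with at least one finding gets its token revoked and re-issued."""
    return sorted({f["app"] for f in findings})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['app']:14} {f['kind']:13} {f['detail']}")
    print("rows per app:", rows_per_app(SAMPLE_LOG))
    print("revoke tokens for:", apps_to_revoke(results))
```

The per-app row totals are the cheapest signal to alert on continuously; the scope check needs an inventory that someone actually maintains, which is the part most organizations lack.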
Analysts like Joshua Wright of Counter Hack also point to the need for better visibility. In a recent article, he described how attackers are increasingly taking advantage of “authorization sprawl,” where permissions accumulate unnoticed across services.
To protect SaaS applications from accumulating authorization sprawl, Wright advised the following:
- Perform cross-platform privilege mapping.
- Require detailed logging capabilities from CSPs during contract negotiations.
- Expand in-browser monitoring and threat detection.
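Wright's first recommendation, cross-platform privilege mapping, is the one an enterprise can start on with nothing more than the grant exports each platform already provides. The script below is an added example written for this article, not Counter Hack's or any vendor's tooling. It takes a constructed inventory of OAuth grants (integration name, platform, simplified scope labels and issue date; these are assumed values, not any vendor's real scope strings), builds a per-integration map of what it holds where, and flags three forms of sprawl: scopes beyond the integration's declared business need, tokens older than a rotation policy, and a single integration whose tokens span enough platforms that one compromise reaches all of them.

```python
"""
Added example (not from the article, Counter Hack or any vendor): map OAuth
grants across platforms and flag authorization sprawl.
"""
from datetime import date

# Constructed inventory, as an admin might export it from each platform's
# connected-app page. Scope labels are simplified (assumed), not vendor names.
GRANTS = [
    {"integration": "drift", "platform": "salesforce", "scopes": {"read", "write"}, "issued": "2024-11-02"},
    {"integration": "drift", "platform": "slack", "scopes": {"read", "write"}, "issued": "2025-01-15"},
    {"integration": "drift", "platform": "aws-s3", "scopes": {"read"}, "issued": "2024-06-30"},
    {"integration": "billing-sync", "platform": "salesforce", "scopes": {"read"}, "issued": "2025-07-01"},
    {"integration": "hr-bot", "platform": "slack", "scopes": {"admin"}, "issued": "2023-03-10"},
]

# Declared business need per integration (assumed): the most it should hold on any platform.
DECLARED_NEED = {
    "drift": {"read", "write"},
    "billing-sync": {"read"},
    "hr-bot": {"read"},
}

MAX_TOKEN_AGE_DAYS = 90   # rotation policy (assumed)
BLAST_RADIUS_PLATFORMS = 3  # flag an integration present on this many platforms or more (assumed)


def privilege_map(grants):
    """integration -> {platform: scopes}; the cross-platform view a single console never shows."""
    mapping = {}
    for g in grants:
        mapping.setdefault(g["integration"], {})[g["platform"]] = set(g["scopes"])
    return mapping


def find_sprawl(grants, declared_need, today, max_age_days=MAX_TOKEN_AGE_DAYS,
                blast_radius=BLAST_RADIUS_PLATFORMS):
    """Return findings as dicts: kind, integration, platform, detail. `today` is an ISO date string."""
    today_d = date.fromisoformat(today)
    findings = []
    for g in grants:
        name, platform = g["integration"], g["platform"]
        # Unknown integrations are treated as having no declared need at all.
        extra = set(g["scopes"]) - declared_need.get(name, set())
        if extra:
            findings.append({"kind": "excess_scope", "integration": name,
                             "platform": platform, "detail": extra})
        age = (today_d - date.fromisoformat(g["issued"])).days
        if age > max_age_days:
            findings.append({"kind": "stale_token", "integration": name,
                             "platform": platform, "detail": age})
    for name, platforms in privilege_map(grants).items():
        if len(platforms) >= blast_radius:
            findings.append({"kind": "blast_radius", "integration": name,
                             "platform": None, "detail": sorted(platforms)})
    return findings


if __name__ == "__main__":
    for integration, platforms in privilege_map(GRANTS).items():
        print(integration, {p: sorted(s) for p, s in platforms.items()})
    for f in find_sprawl(GRANTS, DECLARED_NEED, "2025-09-01"):
        print(f"{f['kind']:12} {f['integration']:13} {f['platform'] or '*':11} {f['detail']}")
```

The blast-radius finding is the one that maps most directly onto the Drift campaign: an integration holding tokens on several platforms means a single upstream compromise has to be treated as a compromise of every one of them, which is exactly the guidance Google issued.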
The Bottom Line
The campaign linked to Salesloft Drift has shown how attackers find their way into valuable data housed in even the most trusted SaaS platforms. One major way they do this is by exploiting the trust built into integrations and identity systems.
Organizations need to harden their cloud access controls and put continuous security monitoring in place for their SaaS applications. Doing so keeps the attack surface as small as possible and, when something does go wrong, allows it to be detected early.
FAQs
Many risks can be associated with SaaS security, but they mostly include unauthorized access via compromised credentials or OAuth tokens, data breaches through third-party integrations, insider threats, and inadequate visibility into user and app permissions.
In most instances, customer contact information, internal case data, financial records, credentials, and business intelligence stored within CRM and SaaS environments can be at risk during a breach.
Traditional defenses focus on network perimeters and often cannot detect insider-like activities involving legitimate OAuth tokens or API keys used by attackers to access SaaS environments silently.
Enterprises are advised to audit their third-party apps, revoke and rotate compromised credentials, enforce least privilege access, and monitor API usage and user behavior continuously.
