June 23, 2026 By Tim Rice Breach Analysis

Ask a security team to name its third-party risks and you will hear about the CRM, the cloud provider, the payroll system. You are less likely to hear about the marketing chatbot that was bolted onto the website two years ago. The Salesloft Drift campaign of August 2025 is the story of how exactly that kind of overlooked integration became the path into hundreds of companies' most sensitive customer data, and why the OAuth token quietly linking two of your SaaS apps may be the riskiest thing in your portfolio.

No password was phished. No firewall was breached. The attackers simply stole the digital keys that one trusted application had been issued to talk to another, and walked in through the front door of every connection those keys unlocked.

What Happened

Drift is an AI-powered chat and conversational marketing platform owned by Salesloft. Many companies connect Drift to their Salesforce environment so that chatbot conversations flow into the CRM. That connection is authorized with OAuth tokens, long-lived credentials that let Drift access Salesforce data on the customer's behalf without a human logging in each time.

Google Threat Intelligence Group, part of Mandiant, reported that a threat actor it tracks as UNC6395 obtained the OAuth and refresh tokens tied to the Salesloft Drift application and used them to access the Salesforce instances of Drift's customers. With valid tokens in hand, the attacker ran automated queries against Salesforce APIs and bulk-exported data, using custom user-agent strings to blend in with normal traffic. Because the access used legitimate tokens, it did not trigger a password prompt or a multi-factor challenge. It looked like Drift doing its job.

The origin of the tokens, disclosed as the investigation matured, is the part that should worry any TPRM practitioner. The chain did not begin at Salesforce. Investigators traced it to a compromise of Salesloft's GitHub account, with attacker access running from roughly March through June 2025, from which the actor pivoted into Drift's cloud environment and stole the OAuth tokens issued for customers' integrations. In other words, a source-code account at one vendor led to stolen keys at its subsidiary, which led to data theft at the vendor's customers. That is a supply chain three links deep, and the victims had a direct relationship with none of the failure points.

Stage What the attacker did
March to June 2025 Compromised Salesloft's GitHub account and conducted reconnaissance
Pivot Moved into Drift's cloud environment and stole OAuth tokens for customer integrations
Aug 8 to 18, 2025 Used the tokens to bulk-export data from connected Salesforce instances
Post-exfiltration Searched stolen data for secrets: AWS keys, Snowflake tokens, passwords, and login URLs
Aug 20, 2025 Salesloft and Salesforce revoked all Drift tokens and disabled the integration

The Real Prize Was Secrets, Not Sales Records

Google's analysts assessed that the primary goal was credential harvesting. After exporting Salesforce data, the actor combed through it for secrets: AWS access keys, Snowflake-related tokens, passwords, and other credentials. The richest hunting ground was support-case text, the free-form fields where customers and support agents routinely paste API keys, connection strings, and other secrets to troubleshoot a problem.

Cloudflare, one of the companies that publicly disclosed impact, offered a concrete example. It found 104 of its own API tokens in the exfiltrated support-case data, rotated all of them, and told customers to treat any token, password, or log shared in a support ticket as compromised. The lesson is uncomfortable and universal: your CRM and support systems are full of other systems' keys, and a breach of the CRM becomes a breach of everything those keys unlock.

A number of well-known security and technology firms confirmed they were affected, including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, Tenable, PagerDuty, SpyCloud, Tanium, and Bugcrowd. Reporting placed the number of affected organizations in the hundreds, with some coverage citing more than 700, though Google's own advisory described the scope as numerous instances rather than publishing a precise count. The total number of organizations and records was never authoritatively disclosed.

Scope and attribution, stated carefully: Google Threat Intelligence Group tracks this activity as UNC6395, and Cloudflare tracks the same activity as GRUB1. Google did not definitively attribute it to a named group, so reports linking it to broader crews should be read with caution. Google also emphasized that its own Workspace and Alphabet systems were not compromised, and that Google is not a Drift customer. It was affected only through a very small number of Workspace accounts tied to a separate Drift Email integration, for which tokens were also revoked.

The Blind Spot: SaaS Talking to SaaS

Traditional vendor risk management assesses vendors one at a time. You review Salesforce. You review Salesloft. You may never review the OAuth grant that connects Drift to your Salesforce, because it is not a vendor, it is a setting, often enabled by a marketing team without a security review. That connection is a fourth-party relationship in disguise, the same hidden concentration risk that catches teams who assess only the vendors directly in front of them.

OAuth tokens make the problem worse in three specific ways. They are long-lived, often persisting for months or years until someone revokes them. They carry broad scopes, frequently far more access than the integration actually needs. And they are invisible in most monitoring, because the resulting API traffic looks like the legitimate application doing legitimate work. A single stolen token set enabled bulk export with no password and no MFA, from an account nobody was watching.

This is identity-layer supply chain risk, and it rhymes with earlier lessons. When an identity or authentication vendor is compromised, the blast radius is every downstream system that trusts it, a pattern we traced through the Okta and Lapsus$ incident. Here the trusted party was not a login provider but a marketing chatbot, which is precisely why it slipped past so many review processes.

What TPRM Teams Should Do

The Drift campaign converts a vague worry about integrations into a concrete checklist. Several actions follow directly from how the attack worked.

TPRM Lesson Learned: The Salesloft Drift breach shows that the connections between your vendors can be more dangerous than the vendors themselves. An OAuth token linking an overlooked AI chatbot to your CRM gave attackers password-free, MFA-free, bulk access to hundreds of companies' data, and the secrets buried inside it. Vendor inventories that stop at named suppliers miss this entirely. Effective third-party risk management enumerates every SaaS-to-SaaS integration, minimizes and expires OAuth scopes, monitors for anomalous API behavior, and treats CRM and support content as a credential store to be protected. Platforms like Fair TPRM help teams map these fourth-party connections and assess them as part of the vendor lifecycle, so an integration nobody reviewed does not become the breach nobody saw coming.

Protect Your Organization from Third-Party Risk

Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.

Free Demo Download Source

Sources & References

  1. Data Theft from Salesforce Instances via Salesloft Drift - Google Threat Intelligence Group, August 2025
  2. Cloudflare's response to the Salesloft Drift incident - Cloudflare, September 2, 2025
  3. Salesloft says Drift data thefts linked to March GitHub account hack - TechCrunch, September 8, 2025
  4. Salesloft Drift attack root cause traced to GitHub and OAuth - CyberScoop, 2025
  5. Security firms disclose impact from Salesloft Drift breach - The Record, 2025
  6. Cloudflare hit in Salesloft Drift supply chain attack - BleepingComputer, 2025
  7. Security firms hit by Salesforce Salesloft Drift breach - SecurityWeek, 2025