
SalesLoft Drift OAuth supply-chain breach

Stolen OAuth tokens from the Drift conversational marketing platform let attackers query Salesforce environments at major enterprises and exfiltrate CRM data at scale.

Target: SalesLoft Drift OAuth supply-chain breach
Date public: 26 August 2025
Sector: Technology
Attack type: Supply Chain
Threat actor: UNC6395 / ShinyHunters
Severity: High
Region: Global

Drift is a chatbot product used by sales teams. To work, it holds the digital equivalent of a hotel room key — an OAuth token — that lets it read each customer's Salesforce data on the customer's behalf. In August 2025 attackers stole those tokens from Drift's environment across hundreds of corporate customers and used them to query each customer's Salesforce as if they were Drift. A single breach exposed CRM data at hundreds of major enterprises without the attacker ever logging into any of those companies' systems. Every modern enterprise depends on dozens of integrations like Drift; any one of them can become a single point of failure across an entire customer base.

What happened

On 26 August 2025, the conversational-marketing platform SalesLoft Drift disclosed a security incident affecting OAuth tokens issued by Drift to integrate with customers’ Salesforce environments. The disclosure landed in parallel with notifications from a sequence of recognisable Drift customers — TransUnion, Workday, Cisco, Cloudflare, Palo Alto Networks, Zscaler, Qantas, Chanel, Farmers Insurance, and Google among others — each describing data exfiltration from their Salesforce tenants by way of the same compromised integration path.

The financial-services credit bureau TransUnion’s 8-K filing put a hard number on at least one slice of the impact: 4.46 million US consumer records exposed, comprising names, contact details, and credit-application information. Other affected organisations disclosed smaller volumes but consistent patterns: contact data, sales-pipeline records, support-ticket histories, and in several cases internal threat-intelligence artefacts that had been tagged into Salesforce by their security teams. Qantas — already on the year’s incident list following a separate Salesforce-connected exfiltration in June — disclosed an additional exposure traceable to Drift.

The Google Threat Intelligence Group and Mandiant, working jointly, attributed the activity to a cluster they tracked as UNC6395 with overlap to the broader ShinyHunters criminal enterprise. The campaign was unusually broad for an OAuth-token-abuse case; the Drift compromise gave the attackers a single key that opened doors at hundreds of customer organisations.

How it worked

Drift, the conversational marketing and chatbot product owned by SalesLoft, integrates with customer Salesforce environments via standard OAuth. When a Drift customer authorises the integration, Salesforce issues Drift a long-lived refresh token scoped to a configurable set of Salesforce object permissions — typically broad enough to support Drift’s marketing automation use cases, which in practice means read access to leads, contacts, accounts, opportunities, and case data, and write access to a subset of those.

The compromise occurred on Drift’s side of the integration. According to the Mandiant analysis, the attackers gained access to the production environment housing Drift’s OAuth token store. Once inside, they harvested the refresh tokens for hundreds of customer Salesforce tenants. With those tokens in hand, the attackers were able to issue access tokens against each customer’s Salesforce environment, masquerading as a legitimate Drift integration call, and run bulk export queries against the data accessible under the integration’s permission scope.

Two characteristics made the operation hard to detect from the customer side. First, the requests came from Drift’s IP space — the ranges customers had explicitly allowlisted — and looked, in aggregate, like normal Drift integration traffic. Second, the Salesforce audit log entries showed Drift as the calling service principal, which is exactly what audit logs would show for legitimate Drift activity. Detecting the abuse required spotting volumetric anomalies — bulk Salesforce queries running outside Drift’s normal usage envelope — rather than any clearly malicious request.
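The detection problem just described, as an added example (this is not code from SalesLoft, Salesforce, Google or Mandiant): a per-integration volume baseline over a constructed API event feed, where every record carries the legitimate app identity and an allowlisted source IP so that only row volume separates abuse from normal traffic. The event field layout, app names, IP addresses and thresholds are all assumptions for illustration, not the real Salesforce EventLogFile schema or any vendor's numbers.

```python
"""Volumetric detection of OAuth integration abuse.

Added example, not code from SalesLoft, Salesforce, Google or Mandiant. The
event records are constructed to resemble a simplified API event feed; the
field layout (date, app, client_ip, operation, rows) is an assumption, not
the real Salesforce EventLogFile schema.
"""
from collections import defaultdict
from statistics import median


def _quiet_days():
    # Constructed baseline: five quiet days, four small queries per app per day.
    events = []
    for day in range(1, 6):
        for i in range(4):
            events.append((f"2025-07-0{day}", "drift-connector", "203.0.113.10", "Query", 10 + i))
            events.append((f"2025-07-0{day}", "support-sync", "198.51.100.7", "Query", 25))
    return events


# Constructed burst: same connected app, same allowlisted source IP, same
# operation type as the baseline, so identity and origin cannot separate this
# from legitimate traffic. Only the row volume does.
BURST = [
    ("2025-07-15", "drift-connector", "203.0.113.10", "Query", 12),
    ("2025-07-15", "drift-connector", "203.0.113.10", "Query", 60_000),
    ("2025-07-15", "drift-connector", "203.0.113.10", "Query", 85_000),
    ("2025-07-15", "drift-connector", "203.0.113.10", "Query", 110_000),
    ("2025-07-15", "support-sync", "198.51.100.7", "Query", 25),
    ("2025-07-15", "support-sync", "198.51.100.7", "Query", 25),
]
SAMPLE_EVENTS = _quiet_days() + BURST


def daily_totals(events):
    """Aggregate rows returned and query count per (app, date)."""
    totals = defaultdict(lambda: {"rows": 0, "queries": 0})
    for date, app, _ip, _op, rows in events:
        totals[(app, date)]["rows"] += rows
        totals[(app, date)]["queries"] += 1
    return totals


def baseline_per_app(events, cutoff):
    """Median daily row volume per app, using only days strictly before cutoff.

    Dates are ISO strings, so plain string comparison orders them correctly.
    """
    history = defaultdict(list)
    for (app, date), t in daily_totals(events).items():
        if date < cutoff:
            history[app].append(t["rows"])
    return {app: median(v) for app, v in history.items()}


def detect_volume_anomalies(events, cutoff, factor=5, floor=1000, bulk_query_rows=10_000):
    """Flag (app, day) pairs on/after cutoff whose volume leaves the baseline envelope.

    The threshold is the larger of an absolute floor and `factor` times the
    app's median daily volume. An app with no history gets a median of 0, so a
    newly authorised integration that immediately exports above the floor
    alerts as well.
    """
    base = baseline_per_app(events, cutoff)
    alerts = []
    for (app, date), t in sorted(daily_totals(events).items()):
        if date < cutoff:
            continue
        med = base.get(app, 0)
        threshold = max(floor, factor * med)
        if t["rows"] > threshold:
            bulk = sum(1 for d, a, _ip, _op, r in events
                       if a == app and d == date and r >= bulk_query_rows)
            alerts.append({"app": app, "date": date, "rows": t["rows"],
                           "queries": t["queries"], "baseline_median": med,
                           "threshold": threshold, "bulk_queries": bulk})
    return alerts


if __name__ == "__main__":
    for alert in detect_volume_anomalies(SAMPLE_EVENTS, cutoff="2025-07-10"):
        print(alert)
```

The check deliberately ignores source IP and calling principal, because in this incident both were indistinguishable from legitimate Drift traffic. In a real deployment the baseline would be kept per integration, per object type and per hour rather than per day, and the floor tuned to the integration's documented purpose; the structure of the check stays the same.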

The attackers did not stay quiet. Mandiant’s analysis suggests they prioritised data they could quickly monetise, including credentials and authentication tokens that had been pasted into Salesforce records — a practice far more common than most organisations assume, and one that several affected security teams discovered only in the aftermath. ShinyHunters listed a subset of the data on their leak site, with the usual extortion mechanics; payment status varied across victims.

Timeline

  • Mid-July 2025 — Initial compromise of Drift production environment; OAuth refresh-token harvesting begins.
  • July–August 2025 — Sustained data exfiltration from customer Salesforce tenants via stolen tokens.
  • 20 August 2025 — Salesforce detects anomalous Drift integration traffic in a subset of customer tenants; alerts SalesLoft.
  • 26 August 2025 — SalesLoft publicly discloses the incident; revokes affected OAuth tokens; notifies customers.
  • 27–29 August 2025 — Customer disclosures begin: TransUnion, Workday, Cisco, Cloudflare, Palo Alto Networks, Zscaler.
  • September 2025 — Google Threat Intelligence Group and Mandiant publish joint UNC6395 analysis; ShinyHunters lists initial victim data.
  • September–November 2025 — Additional customers disclose; TransUnion 8-K quantifies 4.46M-record exposure; class-action filings begin.

What defenders should learn

OAuth integrations have, over the past five years, quietly become some of the most consequential trust relationships in enterprise IT. A typical mid-sized SaaS-heavy organisation has hundreds of active OAuth grants, each a potentially long-lived authorisation scoped to a non-trivial slice of the connected service’s data. Most organisations cannot produce, on demand, a list of which of those integrations have which scopes against which sensitive systems, who owns each one, and what would be lost if the upstream provider were compromised.

The Drift incident is the second major OAuth-token-abuse case of the year, after a number of smaller precursors. The pattern is now stable enough to act on. The first thing to do is build the inventory. The second is to set a default expectation that integrations are scoped to the minimum data set needed and revoked when no longer used. The third — and this is where the operational gap is largest — is to instrument the connected services for behavioural detection of integration abuse, on the assumption that the integration’s identity will look legitimate even when the activity is not.
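The first two steps above (build the inventory, then hold every grant to minimum scope and revoke what is unused), as an added example that is not the page's or any vendor's code: a small review over a constructed OAuth grant inventory that flags grants with no owner, grants not used within a staleness window, grants whose scopes exceed what the owner says the integration needs, and the data classes reachable through integration tokens on each connected system. The grant records, app names, owners and the needed-scope mapping are constructed for illustration; the scope names follow Salesforce's vocabulary loosely but are not a statement about any real grant.

```python
"""OAuth grant inventory and least-privilege review.

Added example, not code from SalesLoft, Salesforce or the page's author. All
grant records below are constructed; which scopes an integration "needs" is
an owner-attested assumption in a real review and a hard-coded one here.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class OAuthGrant:
    app: str
    target: str               # the system the token reaches, e.g. "salesforce"
    scopes: frozenset         # scopes actually granted
    needed: frozenset         # scopes the integration's job requires (assumption)
    owner: Optional[str]      # accountable team; None means nobody claims it
    last_used: date
    data_classes: frozenset   # what the granted scopes expose in practice


# Constructed inventory: names, dates and values are illustrative only.
TODAY = date(2025, 9, 1)
GRANTS = [
    OAuthGrant("chatbot-connector", "salesforce",
               frozenset({"api", "refresh_token", "full"}),
               frozenset({"api", "refresh_token"}),
               "marketing-ops", date(2025, 8, 31),
               frozenset({"leads", "contacts", "cases", "opportunities"})),
    OAuthGrant("legacy-bi-export", "salesforce",
               frozenset({"api", "refresh_token"}),
               frozenset({"api", "refresh_token"}),
               None, date(2025, 1, 15),
               frozenset({"accounts", "opportunities"})),
    OAuthGrant("ticket-sync", "salesforce",
               frozenset({"api", "refresh_token"}),
               frozenset({"api", "refresh_token"}),
               "support-eng", date(2025, 8, 30),
               frozenset({"cases"})),
]


def review_grants(grants, today, stale_days=90):
    """Return revoke and re-scope candidates plus per-target reachable data.

    - orphaned: no accountable owner, so nobody can answer "what breaks if we
      revoke this?"
    - stale: not used within `stale_days`, a revoke candidate by default
    - over_scoped: granted scopes beyond the attested need, a re-scope candidate
    - blast_radius: union of data classes reachable through any integration
      token on that target, i.e. what a compromise on the provider side of
      those grants could read
    """
    report = {"orphaned": [], "stale": [], "over_scoped": {}, "blast_radius": {}}
    cutoff = today - timedelta(days=stale_days)
    for g in grants:
        if g.owner is None:
            report["orphaned"].append(g.app)
        if g.last_used < cutoff:
            report["stale"].append(g.app)
        excess = g.scopes - g.needed
        if excess:
            report["over_scoped"][g.app] = sorted(excess)
        report["blast_radius"].setdefault(g.target, set()).update(g.data_classes)
    return report


def revoke_candidates(report):
    """Grants to revoke first: unowned or unused, de-duplicated and sorted."""
    return sorted(set(report["orphaned"]) | set(report["stale"]))


if __name__ == "__main__":
    result = review_grants(GRANTS, TODAY)
    print("revoke first:", revoke_candidates(result))
    print("re-scope:", result["over_scoped"])
    print("reachable via integration tokens:",
          {t: sorted(d) for t, d in result["blast_radius"].items()})
```

The point of the blast-radius field is the question the page raises: what would be lost if the upstream provider of a given grant were compromised. Keeping that answer in the inventory, next to the owner and the last-used date, is what turns the list into something a responder can act on when a provider discloses.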

For organisations thinking about Zero Trust beyond identity-and-network, OAuth is the next layer to bring under explicit management. Andy will write more on the segmentation implications when time allows; the immediate operational point is independent of the framing.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
