
Attackers used stolen OAuth tokens belonging to a third-party AI chatbot integration, Salesloft Drift, to export large volumes of data from the Salesforce instances of hundreds of organizations.
What Exactly Happened in the Breach?
In early August 2025, a threat actor Google tracks as UNC6395 stole OAuth tokens tied to the Drift app (owned by Salesloft).
Those tokens let hackers act as the trusted Drift app inside customer SaaS tenants - most notably Salesforce. The hackers then queried and bulk-exported large volumes of data from hundreds of orgs’ Salesforce instances.
On August 20th, Salesloft (with Salesforce) revoked all Drift tokens, and Salesforce pulled the app from AppExchange while the investigation continued.
A small number of Google Workspace accounts were affected through the Drift Email integration, along with major security vendors including Cloudflare, Zscaler, and Palo Alto Networks.
How Did it Happen?
The short answer: the attacker did not break into each victim. It compromised Drift and walked in through the trust those victims had already granted to Drift.
The attackers obtained Drift-issued OAuth access and refresh tokens and used them to authenticate to customers' Salesforce instances (and some other connected apps) as the Drift connected app. Because a valid bearer token is all the API checks, MFA on the victims' user accounts never came into play.
From there, they ran SOQL queries and, in cases like Cloudflare, created a Salesforce Bulk API job to exfiltrate large volumes of data, then deleted the job to reduce traces. Google also reported that the actor searched the exported data for credentials such as AWS access keys and Snowflake tokens, which is why affected organizations had to rotate any secret that had ever been pasted into a support case.
Who Was Affected?
- Cloudflare - support case text (no attachments) was exfiltrated; customers were notified and some tokens rotated.
- Zscaler - contact details, licensing/commercial metadata, and some support case content; warns of phishing risk.
- Palo Alto Networks - business contacts, internal sales account info, and basic case data; products/systems not affected.
- Google Workspace (Drift Email integration) - a very small number of accounts that had explicitly integrated with Drift Email were accessed; Google revoked those specific tokens and disabled the integration.
Hundreds of other organizations had Salesforce data exported as well.
What This Means for The Future of SaaS Security
Much of the damage from this incident was preventable: the tokens were stolen upstream, but what those tokens could reach and how long the abuse went unnoticed were in each customer's control.

Here are four key lessons for security teams from the Salesloft Drift breach:
1. SaaS-to-SaaS trust is an increasing risk
Attackers don't need to compromise your endpoints if they can steal tokens from a trusted app - in this instance, Drift. Once they hold the token, they inherit the scopes granted to that integration and have exactly the access the app itself has, from any network, without ever touching a user login.
Security teams should treat SaaS-to-SaaS trust and third-party apps and extensions as a first-class attack surface, with explicit vetting criteria, automated policies, monitoring, and remediation workflows.
2. Continuous monitoring is non-negotiable
OAuth token misuse often looks like "normal app activity," because it is the app's own identity making the calls. The only way to detect abuse is to continuously monitor logs and API events for anomalies: user agents the vendor's client never sends, query volumes far above the integration's baseline, bulk export jobs from an app that never used the Bulk API, jobs deleted minutes after they complete, and activity outside the app's normal hours.
Building detections for connected app behavior and plugging logs into automated workflows can shrink dwell time from weeks to hours.
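The detection logic below is an added example, not DoControl's or Salesforce's code. It assumes Salesforce Event Monitoring records (API queries plus the REST calls that create, read and delete Bulk API jobs) have already been flattened into the dict shape shown; the sample rows, the per-app baselines and the vendor user agent string are constructed. The three user-agent prefixes on the watchlist are the ones Google's report on UNC6395 associated with the actor's tooling. The example goes beyond the text by combining three independent signals (actor user agent, hourly volume against a per-app baseline, and a Bulk API job deleted shortly after creation) into one per-app triage verdict.

```python
"""Detect OAuth token abuse hiding behind a trusted connected app.

Added example, not DoControl's or Salesforce's code. Assumes Salesforce
Event Monitoring records have been flattened into the dicts below; the
sample rows, baselines and "Drift-Salesforce-Connector" user agent are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# User-agent substrings Google's UNC6395 report associated with the actor's
# tooling. A match is a strong signal; no match proves nothing.
SUSPICIOUS_USER_AGENTS = ("python-requests/", "aiohttp/", "Salesforce-Multi-Org-Fetcher/")

# Expected rows returned per hour per connected app, learned from prior weeks.
# An app absent from the baseline is treated as having no legitimate volume.
BASELINE_ROWS_PER_HOUR = {"Drift": 50, "Gong": 100}

# Constructed sample: routine Drift traffic, then the same app's token used by
# actor tooling for a mass Case export through a Bulk API job that is deleted
# minutes later, plus an unrelated app behaving normally.
EVENTS = [
    {"ts": "2025-08-08T14:00:00Z", "app": "Drift", "ua": "Drift-Salesforce-Connector/2.1",
     "op": "Query", "rows": 12, "job_id": None},
    {"ts": "2025-08-08T14:20:00Z", "app": "Drift", "ua": "Drift-Salesforce-Connector/2.1",
     "op": "Query", "rows": 9, "job_id": None},
    {"ts": "2025-08-09T02:11:00Z", "app": "Drift", "ua": "Salesforce-Multi-Org-Fetcher/1.0",
     "op": "Query", "rows": 4800, "job_id": None},
    {"ts": "2025-08-09T02:14:00Z", "app": "Drift", "ua": "python-requests/2.32.4",
     "op": "BulkJobCreate", "rows": 0, "job_id": "750xx0000001AbC"},
    {"ts": "2025-08-09T02:31:00Z", "app": "Drift", "ua": "python-requests/2.32.4",
     "op": "BulkJobResult", "rows": 85000, "job_id": "750xx0000001AbC"},
    {"ts": "2025-08-09T02:35:00Z", "app": "Drift", "ua": "python-requests/2.32.4",
     "op": "BulkJobDelete", "rows": 0, "job_id": "750xx0000001AbC"},
    {"ts": "2025-08-09T02:40:00Z", "app": "Gong", "ua": "Gong-Integration/5.0",
     "op": "Query", "rows": 40, "job_id": None},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_user_agents(events):
    """Events whose user agent contains a watchlisted actor tooling string."""
    return [e for e in events if any(p in e["ua"] for p in SUSPICIOUS_USER_AGENTS)]


def flag_volume_spikes(events, baseline=BASELINE_ROWS_PER_HOUR, factor=10):
    """(app, hour) buckets whose returned rows exceed factor x the app's baseline."""
    rows = defaultdict(int)
    for e in events:
        hour = parse_ts(e["ts"]).replace(minute=0, second=0)
        rows[(e["app"], hour)] += e["rows"]
    return {key: n for key, n in rows.items() if n > factor * baseline.get(key[0], 0)}


def flag_short_lived_bulk_jobs(events, max_minutes=60):
    """Bulk API jobs deleted within max_minutes of creation: the cleanup
    pattern described in the Cloudflare case."""
    created, deleted = {}, {}
    for e in events:
        if e["op"] == "BulkJobCreate":
            created[e["job_id"]] = parse_ts(e["ts"])
        elif e["op"] == "BulkJobDelete":
            deleted[e["job_id"]] = parse_ts(e["ts"])
    return [job for job, t_del in deleted.items()
            if job in created and t_del - created[job] <= timedelta(minutes=max_minutes)]


def triage(events, baseline=BASELINE_ROWS_PER_HOUR):
    """Map each connected app to the sorted list of reasons it was flagged."""
    findings = defaultdict(set)
    for e in flag_user_agents(events):
        findings[e["app"]].add("actor user agent: " + e["ua"])
    for (app, hour), n in flag_volume_spikes(events, baseline).items():
        findings[app].add(f"{n} rows in the hour starting {hour:%Y-%m-%d %H:%M}Z")
    job_owner = {e["job_id"]: e["app"] for e in events if e["job_id"]}
    for job in flag_short_lived_bulk_jobs(events):
        findings[job_owner[job]].add("bulk job deleted shortly after creation: " + job)
    return {app: sorted(reasons) for app, reasons in findings.items()}


if __name__ == "__main__":
    for app, reasons in triage(EVENTS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only Drift is flagged, with four reasons: two distinct actor user agents, 89,800 rows in a single hour against a baseline of 50, and a Bulk API job deleted 21 minutes after it was created. Gong, which stayed inside its baseline and used its own client, produces nothing. In production the baseline should be learned per app from several weeks of history, and the user-agent list is a starting point, not a substitute for the volume and job-lifecycle checks.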
3. Shadow apps are silent but deadly entry points
Most orgs underestimate the number of SaaS connectors their workforce has authorized. These “shadow apps” can carry privileged access and live outside security or IT’s radar.
Security teams need discovery tools and platforms that map every SaaS integration, classify them by risk, offer tailored recommendations, and remediate unapproved connections. Without visibility, you can’t control your true attack surface.
4. Security teams need to harden configurations and access controls
Misconfigurations are a recurring and overlooked factor in SaaS breaches:
- Overly broad OAuth scopes
- Tokens with excessive lifetimes
- Missing MFA or IP restrictions
- Unmonitored service accounts
Enforcing least privilege for integrations (in Salesforce, that means pre-authorizing only the named users a connected app needs, enforcing IP restrictions on the app, and expiring refresh tokens after a set period instead of leaving them valid until revoked), regularly reviewing connected apps, and adding guardrails and automated policies sharply limit what a stolen token can do and for how long.
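The audit below is an added example serving both the shadow-app discovery point (lesson 3) and the configuration checks above (lesson 4); it is not DoControl's or Salesforce's code. It assumes each OAuth grant has already been exported from the tenant into the dict shape shown (in Salesforce, the OauthToken object joined with the connected app's OAuth policies); the grants, users, approved-app list and thresholds are constructed. Scope names are Salesforce's ("full", "api", "refresh_token").

```python
"""Inventory and policy checks for OAuth grants held by connected apps.

Added example, not DoControl's or Salesforce's code. Assumes grants have
been exported into the dict shape below; the grants, users, approved list
and thresholds are constructed for illustration.
"""
from datetime import date

AS_OF = date(2025, 8, 20)                  # audit date used by the sample run
APPROVED_APPS = {"Drift", "Gong"}          # integrations security has actually vetted
BROAD_SCOPES = {"full"}                    # "full" grants every scope the user holds
MAX_IDLE_DAYS = 30                         # an unused grant is attack surface only
MAX_TOKEN_AGE_DAYS = 90                    # refresh tokens should expire and be re-issued

# Constructed sample: a vetted vendor with an over-privileged grant, a clean
# grant, a user-authorized shadow app, and a vetted app with a stale grant.
GRANTS = [
    {"app": "Drift", "user": "drift.integration@example.com",
     "scopes": ["full", "refresh_token"], "issued": date(2025, 1, 15),
     "last_used": date(2025, 8, 18), "ip_restricted": False},
    {"app": "Gong", "user": "alice@example.com",
     "scopes": ["api", "refresh_token"], "issued": date(2025, 7, 1),
     "last_used": date(2025, 8, 19), "ip_restricted": True},
    {"app": "PDF Merge Helper", "user": "jane@example.com",
     "scopes": ["full", "refresh_token"], "issued": date(2024, 11, 2),
     "last_used": date(2025, 3, 10), "ip_restricted": False},
    {"app": "Gong", "user": "bob@example.com",
     "scopes": ["api", "refresh_token"], "issued": date(2025, 5, 1),
     "last_used": date(2025, 6, 1), "ip_restricted": True},
]


def audit_grant(grant, today):
    """Return the policy violations for one grant (empty list means compliant)."""
    issues = []
    scopes = set(grant["scopes"])
    if grant["app"] not in APPROVED_APPS:
        issues.append("shadow app: not on the approved list")
    if BROAD_SCOPES & scopes:
        issues.append("overly broad scope: " + ",".join(sorted(BROAD_SCOPES & scopes)))
    if "refresh_token" in scopes and (today - grant["issued"]).days > MAX_TOKEN_AGE_DAYS:
        issues.append(f"refresh token older than {MAX_TOKEN_AGE_DAYS} days")
    if (today - grant["last_used"]).days > MAX_IDLE_DAYS:
        issues.append(f"unused for more than {MAX_IDLE_DAYS} days")
    if not grant["ip_restricted"]:
        issues.append("no IP restriction: token works from any network")
    return issues


def audit(grants, today=AS_OF):
    """Map (app, user) to its violations, omitting compliant grants."""
    report = {}
    for g in grants:
        issues = audit_grant(g, today)
        if issues:
            report[(g["app"], g["user"])] = issues
    return report


def revocation_plan(grants, today=AS_OF):
    """Grants to revoke outright: anything unapproved or idle. Over-scoped
    grants on approved apps are re-issued with narrower scope instead."""
    return sorted((g["app"], g["user"]) for g in grants
                  if g["app"] not in APPROVED_APPS
                  or (today - g["last_used"]).days > MAX_IDLE_DAYS)


if __name__ == "__main__":
    for (app, user), issues in audit(GRANTS).items():
        print(f"{app} ({user})")
        for issue in issues:
            print("  -", issue)
    print("revoke:", revocation_plan(GRANTS))
```

On the sample, the Drift grant is flagged even though Drift is approved: it holds the "full" scope, its refresh token is over 200 days old, and it is not IP-restricted, which is the combination that let a stolen token be replayed from attacker infrastructure. The shadow app collects every violation, and Bob's idle Gong grant joins it on the revocation list. The point of separating audit from revocation_plan is that the right fix for an over-privileged but active vendor grant is to re-issue it with narrower scope and an IP restriction, not to break the integration.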
How DoControl Prevents Incidents Like This
DoControl directly addresses the gaps exposed by the Salesloft Drift breach:
1. By continuously monitoring SaaS-to-SaaS connections and unauthorized shadow apps, DoControl provides visibility into every connected application - approved or shadow - and flags risky integrations before attackers can exploit them. Automated workflows run around the clock, so coverage is constant and nothing slips through the cracks.
2. Automated event monitoring and anomaly detection catch suspicious activity such as bulk queries, burst downloads, or unauthorized API use in real time, engaging managers and security teams only when needed to keep 24/7 protection comprehensive.
3. Beyond visibility, DoControl enforces least-privilege access and access governance controls at scale, ensuring that OAuth tokens and service accounts hold only the minimum permissions required - if they need any permission at all.
Final Thoughts
The bigger picture? SaaS security is no longer just about securing the SaaS environment itself - it’s about protecting the ecosystem of interconnected apps, protecting all vendors involved, and mitigating the ripple effects of one simple mistake.
Future-ready teams will focus on visibility, anomaly detection, shadow app control, and proactive configuration hardening to defend against this new wave of supply-chain-style attacks.
The ripple effects made this breach far worse than a single vendor compromise: hundreds of companies were left exposed and cleaning up after a mistake that was not their own.
This incident is a huge reminder - you're only as secure as your weakest vendor.
Secure your SaaS with DoControl.
Want to Learn More?
- See a demo – click here
- Get a FREE Google Workspace Risk Assessment – click here
- See our product in action – click here