Inside the Salesloft Breach: A New Era of Salesforce Attacks
<div class="rich-text-3 w-richtext" morss_own_score="5.447216890595009" morss_score="97.18970874189472"> <figure><img decoding="async" src="https://cdn.prod.website-files.com/606d79a3190d3a764c032a2c/68b0a4458191d28a74c941b8_Salesloft%20breach%20image-1.png"></figure> <p>The spotlight has finally swung toward the integration layer, and what’s emerging should worry every SaaS security leader. </p> <p>Another Salesforce breach. But <a href="https://thehackernews.com/2025/08/salesloft-oauth-breach-via-drift-ai.html">this one</a> isn’t just another credential theft story; it’s more calculated. Attackers didn’t just gain access; they systematically exported sensitive data from hundreds of Salesforce instances. However, because the initial compromise involved <a href="https://www.grip.security/glossary/what-is-open-authorization-oauth">OAuth tokens,</a> not credentials, attackers bypassed logins, slipped past MFA, and operated undetected until the data was long gone. </p> <blockquote><p><em>“A threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances.” – Salesloft statement </em></p></blockquote> <p>This wasn’t an isolated incident. It’s the latest chapter in a larger campaign targeting Salesforce customers through OAuth token abuse. These tokens, essentially the skeleton keys of SaaS identity, were used to slip past login screens, bypass <a href="https://www.grip.security/glossary/mfa">MFA</a>, and harvest data directly from Salesforce environments. No alerts. No credential stuffing. 
Just quiet, large-scale exfiltration.</p> <p><strong>And in a recent update, the scope of compromise has expanded.</strong></p> <p>New findings from 
Google’s Threat Intelligence Group (GTIG) confirm the impact of this breach extends beyond Salesforce. OAuth tokens linked to multiple Salesloft Drift integrations—not just Salesforce—may be compromised and should be treated as high risk.</p> <p>Investigators confirmed that the attackers also compromised OAuth tokens for the “Drift Email” integration. Using these tokens, they accessed email from a small number of Google Workspace accounts specifically configured to integrate with Salesloft. No other Workspace accounts were affected.</p> <p>In response, Google revoked the compromised tokens and disabled the Drift Email integration with Google Workspace while the investigation continues.</p> <h2>A Different Class of Data Breach </h2> <p>Compare this to the <a href="https://www.grip.security/blog/workday-breach-joins-growing-wave-2025-hackers-playground">Workday breach</a> we recently covered. That attack leaned on social engineering. Phone calls, impersonation, phishing for contact data. The kind of breach we’ve seen before. </p> <p>But the Salesloft incident? It signals a shift. This wasn’t about tricking users, but exploiting the connection and permissions between applications. Specifically, attackers exploited the OAuth token between Salesloft and Salesforce, which was granted through a Drift chatbot integration. GTIG’s findings now confirm the attack wasn’t limited to Salesforce. Other Drift-connected integrations, including email, were also impacted. That token, once issued, became a master key used to quietly unlock Salesforce data across multiple tenants. No phishing required. Just a compromised integration and an exposed token. </p> <p>OAuth flows exist for convenience, but they’re rarely scrutinized until they’re abused. Salesloft wasn’t the end target. Salesforce was. The Salesloft-Drift integration served as the first bridge, but GTIG’s findings make clear the attacker leveraged additional integrations to widen the scope of access. 
That’s the playbook now: compromise a less-guarded app, hijack its tokens, and move laterally into high-value platforms like Salesforce.</p> <figure><img decoding="async" src="https://cdn.prod.website-files.com/606d79a3190d3a764c032a2c/68b47ac2f1841fccdc755d27_Quote%20Card-%20Ben%20Robertson_-1-min.png"></figure> <h2>Takeaways from the Salesloft Breach </h2> <p>Most SaaS security conversations focus on the apps themselves: securing user accounts, detecting misconfigurations, enforcing MFA. But let’s not overlook that the exposure often lies between the apps, hidden in integrations, permissions, and trust relationships. OAuth tokens don’t expire when employees leave. They don’t always show up in centralized logs. And they can persist for months or years, quietly granting unauthorized access to sensitive data. </p> <p>The rise of these attacks points to a blind spot. It’s not just about <a href="https://www.grip.security/glossary/shadow-saas">shadow SaaS</a> anymore. It’s about <strong>shadow integrations: </strong>the connected web of app relationships that no one is monitoring. Sales teams connect Drift to Salesforce. Marketing layers in analytics tools. Customer support installs help desk apps. One misconfigured integration, one breached app, and your Salesforce tenant becomes the exit ramp for exfiltration. This breach underscores how vulnerable SaaS environments become when integrations aren’t monitored, scoped, or continuously reviewed.</p> <h3>This Isn’t Just a Salesforce Problem </h3> <p>The tactic is spreading. Anywhere OAuth is used, and that’s virtually every modern SaaS platform, is vulnerable. Attackers know that compromising a user is hard. Compromising a token buried inside a SaaS integration? Much easier. And far less visible. </p> <p>The cloud access plane is being reshaped in real time. 
And while organizations scramble to plug holes and revoke tokens, the more fundamental issue remains: too many integrations, too little oversight, and far too much implicit trust. </p> <h2>Preventing a Similar Breach in Your Organization </h2> <p>It’s time to expand the SaaS security conversation beyond user-to-app relationships and include app-to-app trust chains. That means: </p> <ul> <li><strong>Inventorying all OAuth-based integrations, </strong>even the obscure ones. </li> <li><strong>Revoking unused tokens</strong> and regularly rotating active ones. </li> <li><strong>Monitoring token usage patterns</strong>, especially for lateral access into sensitive platforms like Salesforce. </li> <li><strong>Applying least privilege principles</strong> to apps, not just users. </li> </ul> <p>Without visibility into these trust chains, attackers can—and will—move silently between apps. The Salesloft breach is proof. </p> <h2>How Grip Helps </h2> <p><a href="https://www.grip.security/">Grip</a> automatically discovers every SaaS integration, including misconfigured connections and <a href="https://www.grip.security/use-case-library/discover-and-manage-risky-oauth-scopes">risky OAuth scopes</a>, and continuously monitors token use across environments. If an integration is compromised or misused, Grip detects suspicious activity, flags risky tokens, and enables one-click remediation. This level of control is what stops an OAuth breach from becoming a data exfiltration event. </p> <h2>Don’t Wait for the Next OAuth Breach </h2> <p>We’re past the era of simple phishing attacks. Today’s adversaries understand SaaS identity gaps and OAuth permissions better than most defenders. They’re bypassing endpoints, moving laterally through integrations, and exploiting trust relationships organizations don’t even know exist. And if you’re not watching that path, you won’t see the breach coming. 
</p> <p><a href="https://www.grip.security/demo?utm_source=web&utm_medium=blog&utm_campaign=content">Book time with our team</a> to learn how Grip gives you visibility into your hidden OAuth risks and stops integration-driven data breaches before they happen. </p> <h3>Related Content</h3> <p><a href="https://www.grip.security/blog/workday-breach-joins-growing-wave-2025-hackers-playground">Workday Breach Joins a Growing Wave: Why the Second Half of 2025 is a Hacker’s Playground</a></p> <p><a href="https://www.grip.security/blog/fake-salesforce-app-breached-google">How a Fake Salesforce App Breached Google and 30+ Global Brands</a></p> <p><a href="https://www.grip.security/getting-started-itdr-practical-guide?utm_source=web&utm_medium=blog&utm_campaign=content">Strengthening your defenses with ITDR</a></p> <figure><a href="https://www.grip.security/getting-started-itdr-practical-guide?utm_source=web&utm_medium=blog&utm_campaign=content"><img decoding="async" src="https://cdn.prod.website-files.com/606d79a3190d3a764c032a2c/6881115c79d011e5a47bc27b_GettingStartedITDR.png"></a></figure> </div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.grip.security">Grip Security Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Grip Security Blog">Grip Security Blog</a>. Read the original post at: <a href="https://www.grip.security/blog/salesloft-breach-oauth-salesforce-attacks">https://www.grip.security/blog/salesloft-breach-oauth-salesforce-attacks</a> </p>
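<p>The four checks listed under “Preventing a Similar Breach in Your Organization” (inventory, revoke unused, monitor usage, least privilege), shown as an added Python example that is not part of the original post or of any Grip product. The grant records, event layout, scope names, app names and thresholds are all constructed assumptions for illustration.</p>

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Grant:
    app: str            # integration that holds the token
    scopes: frozenset   # scopes granted at consent time (hypothetical names)
    issued: datetime
    # each event: (timestamp, source_ip, records_read, scope_exercised)
    events: list = field(default_factory=list)

def audit(g, now, idle_days=30, max_age_days=90, spike=10):
    """Findings for one grant; thresholds are illustrative assumptions."""
    last_used = max((e[0] for e in g.events), default=None)
    if last_used is None or now - last_used > timedelta(days=idle_days):
        return ["REVOKE unused token"]
    findings = []
    if now - g.issued > timedelta(days=max_age_days):
        findings.append("ROTATE token past max age")
    excess = g.scopes - {e[3] for e in g.events}   # granted but never exercised
    if excess:
        findings.append("REDUCE scopes never exercised: " + ", ".join(sorted(excess)))
    cutoff = now - timedelta(days=1)               # last 24h vs. earlier baseline
    baseline = [e for e in g.events if e[0] < cutoff]
    if baseline:
        known_ips = {e[1] for e in baseline}
        typical = median(e[2] for e in baseline)
        for ts, ip, n, _ in g.events:
            if ts >= cutoff and ip not in known_ips and n > spike * typical:
                findings.append(f"ALERT {n} records read from new source {ip}")
    return findings

# Constructed inventory: made-up apps, documentation-range IP addresses.
NOW = datetime(2025, 9, 1)
def ago(days): return NOW - timedelta(days=days)
INVENTORY = [
    Grant("chatbot", frozenset({"read:contacts", "read:cases", "admin:all"}), ago(400),
          [(ago(20), "192.0.2.10", 40, "read:contacts"), (ago(9), "192.0.2.10", 55, "read:contacts"),
           (ago(3), "192.0.2.10", 35, "read:contacts"), (ago(0.2), "203.0.113.77", 48000, "read:contacts")]),
    Grant("old-analytics", frozenset({"read:contacts"}), ago(700), [(ago(200), "192.0.2.44", 10, "read:contacts")]),
    Grant("helpdesk", frozenset({"read:cases"}), ago(30), [(ago(2), "192.0.2.60", 12, "read:cases")]),
]

def report(inventory=INVENTORY, now=NOW):
    return {g.app: audit(g, now) for g in inventory}

if __name__ == "__main__":
    print(report())
```

<p>In practice the event tuples would come from whatever API or audit log each platform exposes for connected-app activity; the comparison against a per-token baseline is the part that carries over.</p>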