News

When Salesforce Becomes a De Facto Credential Repository: Lessons from the Drift OAuth Breach

  • securityboulevard.com
  • published date: 2025-08-29 00:00:00 UTC


<div data-elementor-type="wp-post" data-elementor-id="43480" class="elementor elementor-43480" data-elementor-post-type="post"> <div class="elementor-element elementor-element-024fa2f ccustom_blogdetail_topsec e-flex e-con-boxed e-con e-parent" data-id="024fa2f" data-element_type="container" data-settings='{"background_background":"classic"}'> <div class="e-con-inner"> <div class="elementor-element elementor-element-988554d elementor-widget elementor-widget-text-editor" data-id="988554d" data-element_type="widget" data-widget_type="text-editor.default"> <div class="elementor-widget-container">
<p><em>TL;DR: The recently disclosed Salesforce data-theft attacks highlight two distinct non-human identity failures. First, Drift’s handling of OAuth tokens broke down, leading to credential compromise at scale. Second, Salesforce had become a warehouser of sensitive credentials even though it was never intended to function as a secrets custodian. These two weaknesses combined to create the conditions the threat group behind the attacks exploited.</em></p>
<p>Breaches that involve Salesforce are not just another entry in the cyber incident tally.</p>
<p>When attackers compromise instances of the SaaS CRM giant, they are accessing the central functions of an enterprise. The widely deployed platform typically holds customer records, sales data, and a web of integrations that extend deep into business operations for tens of thousands of customers worldwide.</p>
<p>That is what made the <a href="https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift" rel="noopener">recent disclosure</a> by Google and Mandiant so significant. The adversaries, tracked as the group UNC6395, stole Salesforce <a href="https://aembit.io/blog/tag/oauth/" rel="noopener">OAuth</a> tokens and used them to impersonate a trusted integration with Drift, a sales automation application that connects directly to Salesforce. With that access, they systematically queried Salesforce objects and exfiltrated data.</p>
<p>The attackers did not break into Salesforce directly. They relied on stolen Salesforce OAuth tokens provisioned through Drift, which allowed them to act as a legitimate application. That trust enabled large-scale data exports, including embedded credentials hidden in Salesforce records. By chaining together weak token management and poor credential hygiene, they converted access to a CRM system into access to cloud infrastructure. To reduce the chance of detection, they deleted the query jobs once complete, though log traces remained.</p>
<p>What they were after, however, went beyond contact lists and pipeline information. In many Salesforce instances, sensitive credentials such as AWS keys, Snowflake tokens, and service passwords end up stored within records. This effectively turns Salesforce into a de facto credential repository and gives attackers the opportunity to move far beyond CRM data. Once uncovered, these secrets can be leveraged to reach far beyond Salesforce itself and to conduct other, potentially more damaging, attacks.</p>
<p>Still, it is tempting to treat this as a narrow incident affecting only those who installed Salesloft Drift. That would be a mistake. The real story is not Drift itself, but the structural reality of how enterprises extend trust.
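</p>
<p>The credentials-in-records problem described above is something a defender can measure before an attacker does. The Python script below is an added example, not code from the original post or from Aembit: it scans a small, constructed export of Salesforce records for strings that look like embedded secrets (an AWS access key ID, a long high-entropy token, a <code>password=</code> assignment, a private key block) and returns the object, record and field holding each one, redacted, so the result can drive the rotation work rather than re-expose the secret. The object names, record IDs, field names and all sample values are assumptions made for the example; the AWS key shown is the documented <code>AKIAIOSFODNN7EXAMPLE</code> placeholder.</p>

```python
"""Scan exported Salesforce records for embedded secrets (constructed example)."""
import math
import re
from collections import Counter

# Shape-based detectors. AKIA/ASIA are the documented prefixes of AWS access key
# IDs; the other two are generic credential shapes seen in free-text fields.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}
# Generic fallback for tokens without a fixed prefix (Snowflake, service tokens):
# a long run of base64/URL-safe characters whose Shannon entropy is high.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and identifiers sit well below this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a short prefix so the owner can recognise the secret without logging it."""
    return value[:4] + "..." + "*" * 4


def scan_field(text):
    """Return (kind, matched_text) for every secret-like string in one field value."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((kind, m.group(1) if m.groups() else m.group(0)))
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD and not any(tok == h[1] for h in hits):
            hits.append(("high_entropy_token", tok))
    return hits


def scan_records(records):
    """Walk every string field of every record; each finding is one rotation task."""
    findings = []
    for rec in records:
        for field, value in rec["fields"].items():
            if not isinstance(value, str):
                continue
            for kind, secret in scan_field(value):
                findings.append({
                    "object": rec["object"], "record_id": rec["id"],
                    "field": field, "kind": kind, "preview": redact(secret),
                })
    return findings


# Constructed export: three records, two of which carry secrets in free text.
SAMPLE_RECORDS = [
    {"object": "Account", "id": "001000000000001AAA", "fields": {
        "Name": "Acme Corp",
        "Description": "Integration notes: aws key AKIAIOSFODNN7EXAMPLE for the S3 drop, ask ops",
    }},
    {"object": "Case", "id": "500000000000002AAA", "fields": {
        "Subject": "Snowflake connector stopped",
        "Description": "Rotated token to Q7vT2mX9pL4kR8nW1zB6yH3cJ5dF0gS2aU9eV4tM, password=Summ3r2025! for svc user",
    }},
    {"object": "Contact", "id": "003000000000003AAA", "fields": {
        "Name": "Jane Doe",
        "Description": "Prefers email, follow up next quarter",
    }},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']}/{f['record_id']}.{f['field']}: {f['kind']} {f['preview']}")
```

<p>Run against a real export (for example a CSV pulled from the Description, Notes and custom long-text fields of the objects the integration could read), the output is the rotation list the incident-response guidance asks for. The entropy fallback is the noisy part: raise the threshold or add an allowlist of known non-secret identifiers if it fires on things like tracking codes.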
</p>
<p>New findings late Thursday from Google’s Threat Intelligence Group and Mandiant <a href="https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift" rel="noopener">show that</a> UNC6395’s activity was not confined to Salesforce. Attackers also abused OAuth tokens tied to the Drift Email integration, which in some cases exposed connected Google Workspace accounts. This reinforces that token abuse is not an isolated Salesforce-related incident but part of the broader challenge of how workloads and services exchange and honor OAuth tokens across platforms.</p>
<p>Connected applications receive broad permissions, and the tokens that represent them are often long-lived. Security teams often lack visibility into how these non-human identities are being used, or even how many of them exist. Human-focused identity protections do nothing to stop this type of misuse, although their principles can be extended to the non-human identity realm with <a href="https://aembit.io/blog/the-what-where-and-why-of-workload-identity-and-access-management/" rel="noopener">workload IAM</a>.</p>
<h4>Recommended Actions</h4>
<p>Salesforce and Salesloft have already revoked the affected tokens and removed Drift from the AppExchange, but organizations should not treat the matter as contained. The compromise underscores structural issues around non-human identity management and secrets sprawl.</p>
<p>Firstly, from an incident response perspective, organizations should:</p>
<ul>
<li aria-level="1">Rotate any API keys, tokens, and passwords that may have been stored in Salesforce objects, assuming exposure. (<a href="https://aembit.io/resources/aembits-guide-to-successful-credential-rotation-projects/" rel="noopener">Here’s a helpful guide</a>.)</li>
<li aria-level="1">Conduct a thorough review of <a href="https://help.salesforce.com/s/articleView?id=sf.real_time_event_monitoring_overview.htm&amp;language=en_US&amp;type=5" rel="noopener">Salesforce Event Monitoring</a> logs to identify suspicious query patterns, especially those linked to Drift or other integrations.</li>
<li aria-level="1">Revisit connected application permissions and reduce them to the minimum scopes required for operation.</li>
<li aria-level="1">Establish and maintain an inventory of non-human identities and their associated credentials, including OAuth tokens and service accounts, so that trust relationships are visible and accountable.</li>
<li aria-level="1">Enforce IP restrictions and login ranges for connected applications to limit their operational surface area.</li>
</ul>
<p>This incident also highlights a structural weakness that quick remediation cannot fix. Long-lived tokens and accumulated secrets create fragile trust boundaries, and those boundaries will only become more strained as <a href="https://aembit.io/blog/the-emerging-identity-imperatives-of-agentic-ai/" rel="noopener">agentic AI</a> and other autonomous services <a href="https://aembit.io/blog/a-catch-up-guide-to-authentication-for-agentic-ai/" rel="noopener">increase the number</a> of non-human identities moving between SaaS platforms.</p>
<p>Integrations between SaaS platforms often rely on long-lived tokens passed back and forth with little oversight. What is missing is a way to mediate that trust – an identity-aware, policy-based proxy <a href="https://aembit.io/blog/introducing-one-security-token-service-for-all-your-clouds/" rel="noopener">that can handle</a> token exchanges securely, limit scope, and provide visibility across applications. In other contexts, such proxy models already exist.
Extending that same approach to SaaS-to-SaaS connections may be one of the few ways to prevent a single compromised token from cascading into a wider breach.</p>
<p>The lesson is not to manage secrets more aggressively, but to manage access directly. Tokens live too long, secrets sprawl into platforms not designed to hold them, and third-party integrations receive more trust than they should. Until organizations <a href="https://aembit.io/blog/there-is-no-mfa-for-machines-do-this-instead/" rel="noopener">apply the same rigor</a> to non-human identities as they do to human accounts, incidents like the Salesforce–Drift compromise will remain inevitable.</p>
<p>For more information on how Aembit can help, visit <a href="http://aembit.io/" rel="noopener">aembit.io</a>.</p>
</div> </div> </div> </div> </div>
<p>The post <a href="https://aembit.io/blog/when-salesforce-becomes-a-de-facto-credential-repository-lessons-from-the-drift-oauth-breach/">When Salesforce Becomes a De Facto Credential Repository: Lessons from the Drift OAuth Breach</a> appeared first on <a href="https://aembit.io/">Aembit</a>.</p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://aembit.io/">Aembit</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Dan Kaplan">Dan Kaplan</a>. Read the original post at: <a href="https://aembit.io/blog/when-salesforce-becomes-a-de-facto-credential-repository-lessons-from-the-drift-oauth-breach/">https://aembit.io/blog/when-salesforce-becomes-a-de-facto-credential-repository-lessons-from-the-drift-oauth-breach/</a></p>
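<p>Two of the incident-response items in the post's Recommended Actions list, reviewing Event Monitoring logs for suspicious query patterns and enforcing IP restrictions on connected apps, can be turned into concrete triage rules. The Python script below is an added example, not code from the original post or from Aembit, and its records are constructed: they are only loosely modelled on what Salesforce Event Monitoring exposes, and the field names (<code>client</code>, <code>entity</code>, <code>rows</code>, <code>op</code>, <code>job</code>) are the example's own rather than Salesforce's schema. It flags three behaviours the post describes: a connected app exporting an unusual volume or breadth of objects inside one hour, activity from a source address outside the app's expected range, and query jobs deleted shortly after a large export (the clean-up step the attackers performed, which still leaves traces). The thresholds, the per-app baseline and the allowlisted prefix are assumptions; the IP addresses are from documentation (TEST-NET) ranges.</p>

```python
"""Triage connected-app API activity for the abuse pattern described in the post.

Constructed example: the records are invented and only loosely modelled on what
Salesforce Event Monitoring exposes; the field names are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example; tune them to each app's baseline.
WINDOW = timedelta(hours=1)
DEFAULT_ROW_LIMIT = 50_000                   # rows per hour a chat/sales bot never needs
APP_ROW_BASELINE = {"Finance ETL": 100_000}  # apps with a known high-volume baseline
MAX_OBJECTS_PER_WINDOW = 4                   # breadth: many distinct objects in one hour
JOB_DELETE_GRACE = timedelta(minutes=30)     # a job deleted this soon after export is cleanup
LARGE_JOB_ROWS = 10_000

# Expected source prefixes per connected app, mirroring an IP restriction policy
# (assumed; addresses below are from documentation TEST-NET ranges).
APP_IP_ALLOWLIST = {"Drift": ["203.0.113."]}

# Constructed activity: routine Drift traffic, then an off-hours bulk pull from an
# unexpected address followed by job deletions, plus a legitimately large ETL job.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T09:00:00Z", "client": "Drift", "ip": "203.0.113.10", "op": "query", "entity": "Contact", "rows": 120},
    {"ts": "2025-08-08T09:05:00Z", "client": "Drift", "ip": "203.0.113.10", "op": "query", "entity": "Lead", "rows": 80},
    {"ts": "2025-08-09T02:00:00Z", "client": "Drift", "ip": "198.51.100.7", "op": "query", "entity": "Account", "rows": 40_000, "job": "J1"},
    {"ts": "2025-08-09T02:04:00Z", "client": "Drift", "ip": "198.51.100.7", "op": "query", "entity": "Case", "rows": 25_000, "job": "J2"},
    {"ts": "2025-08-09T02:07:00Z", "client": "Drift", "ip": "198.51.100.7", "op": "query", "entity": "Opportunity", "rows": 30_000, "job": "J3"},
    {"ts": "2025-08-09T02:09:00Z", "client": "Drift", "ip": "198.51.100.7", "op": "query", "entity": "User", "rows": 900, "job": "J4"},
    {"ts": "2025-08-09T02:10:00Z", "client": "Drift", "ip": "198.51.100.7", "op": "query", "entity": "Contact", "rows": 60_000, "job": "J5"},
    {"ts": "2025-08-09T02:15:00Z", "client": "Drift", "ip": "198.51.100.7", "op": "delete_job", "job": "J1"},
    {"ts": "2025-08-09T02:16:00Z", "client": "Drift", "ip": "198.51.100.7", "op": "delete_job", "job": "J5"},
    {"ts": "2025-08-09T10:00:00Z", "client": "Finance ETL", "ip": "192.0.2.5", "op": "query", "entity": "Opportunity", "rows": 70_000, "job": "J9"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(events=SAMPLE_EVENTS):
    """Return a list of (client, rule, detail) alerts, grouped per connected app."""
    alerts = []
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_client[e["client"]].append(e)

    for client, evs in by_client.items():
        queries = [e for e in evs if e["op"] == "query"]
        row_limit = APP_ROW_BASELINE.get(client, DEFAULT_ROW_LIMIT)

        # Rule 1: sliding one-hour window over queries, checking volume and breadth.
        # One alert per client is enough; the detail names the window that tripped.
        flagged = False
        for i, start in enumerate(queries):
            t0 = parse_ts(start["ts"])
            window = [q for q in queries[i:] if parse_ts(q["ts"]) - t0 <= WINDOW]
            rows = sum(q["rows"] for q in window)
            objs = {q["entity"] for q in window}
            if not flagged and (rows > row_limit or len(objs) > MAX_OBJECTS_PER_WINDOW):
                alerts.append((client, "bulk_export",
                               f"{rows} rows across {sorted(objs)} starting {start['ts']}"))
                flagged = True

        # Rule 2: any activity from outside the app's expected source prefixes.
        allowed = APP_IP_ALLOWLIST.get(client)
        if allowed:
            bad_ips = sorted({e["ip"] for e in evs
                              if not any(e["ip"].startswith(p) for p in allowed)})
            if bad_ips:
                alerts.append((client, "unexpected_source_ip", ", ".join(bad_ips)))

        # Rule 3: a large query job deleted within the grace period of its creation.
        job_done = {e["job"]: e for e in queries if "job" in e}
        for e in evs:
            if e["op"] != "delete_job" or e["job"] not in job_done:
                continue
            q = job_done[e["job"]]
            if parse_ts(e["ts"]) - parse_ts(q["ts"]) <= JOB_DELETE_GRACE and q["rows"] >= LARGE_JOB_ROWS:
                alerts.append((client, "job_deleted_after_export",
                               f"{e['job']} ({q['rows']} rows from {q['entity']})"))
    return alerts


if __name__ == "__main__":
    for client, rule, detail in triage():
        print(f"[{rule}] {client}: {detail}")
```

<p>On the constructed data the Finance ETL job stays quiet because its per-app baseline allows the volume, while Drift trips all three rules. That per-app baseline is the point: a global row threshold either drowns the analyst in ETL noise or is set so high that a CRM chat integration pulling every Account and Contact never crosses it.</p>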