Salesloft Drift Attack: Uncertain Blast Radius of a Massive Supply-Chain Breach

Introduction

A recent supply-chain cyberattack has shaken the cybersecurity industry, exposing vulnerabilities across multiple organizations. The attack, targeting Salesloft’s Drift platform, has resulted in several high-profile companies disclosing data breaches, including Zscaler, Palo Alto Networks, Cloudflare, and others. While initial disclosures point to compromised tokens and stolen business data, the full scale of the attack and its long-term impact remain unknown. Experts warn that even “basic” stolen data could fuel sophisticated phishing campaigns, while the compromise of access tokens and configurations raises the risk of deeper breaches.

The Incident

The campaign began between August 8–18, when the threat actor known as UNC6395 infiltrated Salesloft’s Drift, a marketing SaaS tool, by stealing OAuth and refresh tokens from its Salesforce integration. With these tokens, attackers could impersonate legitimate applications or users, bypassing security alerts and gaining access to sensitive environments.

Salesloft revoked tokens, and Salesforce disabled integrations, but by then, downstream customers had already been impacted. Google later warned all Drift customers to treat their authentication tokens as compromised.

Companies Affected

Zscaler: Attackers accessed Salesforce data, including names, business emails, job titles, phone numbers, and case content.
Palo Alto Networks: Reported similar exposure of business contact data.
Cloudflare: Confirmed unauthorized access to its Salesforce instance. Some customer support tickets contained logs, tokens, and even passwords, raising concerns about more sensitive leaks.

Other impacted firms: Proofpoint, Tenable, and more.

The seriousness of the breach depends on what data was stored in Salesforce. While some exposures were “just” contact data, Cloudflare’s disclosure revealed that configuration details and tokens were also compromised, which is far more damaging.

Industry Concerns

Experts highlight the unique danger of OAuth tokens:

They allow attackers to access Salesforce data as if they were legitimate users.
Malicious activity may not raise alarms since the tokens are “trusted.”
The stolen tokens can bypass traditional security defenses, making breaches harder to detect.

Defensive Success: Okta’s Example

Unlike others, Okta successfully prevented a breach despite token theft attempts. Its defense relied on:

IP restrictions for inbound traffic
DPoP (Demonstrating Proof of Possession) protection for tokens
IPSIE (Interoperability Profile for Secure Identity in the Enterprise) framework, enabling shared security signals and rapid token revocation

Okta urged vendors to adopt granular token permissions and IP-based restrictions, to reduce the blast radius of such breaches.

What Undercode Says:

The Salesloft Drift supply-chain attack highlights a recurring problem in modern cybersecurity: trust in integrations. Organizations increasingly depend on SaaS ecosystems where applications share sensitive data via tokens. This interconnectedness creates efficiency, but also introduces massive risks.

OAuth tokens, while convenient, have become a double-edged sword. They are designed for seamless authorization, yet they also serve as keys that open every door once stolen. Unlike passwords, which can be quickly revoked or rotated, OAuth tokens are trusted by systems to represent valid sessions. This makes them particularly valuable to attackers and devastating when compromised.

From an attacker’s perspective, this campaign is ingenious because it exploits trust chains rather than direct vulnerabilities. Instead of breaking into each company individually, UNC6395 attacked a widely used integration point—Salesloft’s Drift—then spread laterally to hundreds of organizations. It’s a supply-chain multiplier effect, similar in strategy to SolarWinds or Kaseya.

The disclosures so far suggest two possible scenarios:

  1. Low-Impact Breach: If the majority of compromised data remains limited to business contact information, the fallout may “only” manifest in targeted phishing campaigns, spear-phishing, and vishing attacks.
  2. High-Impact Breach: If sensitive case data, tokens, or logs have been leaked (as Cloudflare hinted), then attackers may gain direct access to customer configurations, API keys, or even privileged environments.

This uncertainty fuels fear in the industry. Security leaders must assume worst-case exposure, even if official disclosures downplay severity.

The successful defense by Okta proves that layered security measures like IP restrictions and token protections can mitigate even sophisticated token-based attacks. However, most organizations still rely on default SaaS configurations, leaving them wide open. The industry now faces a critical decision: continue prioritizing convenience, or enforce stricter token governance and interoperability standards.

Ultimately, this attack is a warning shot. Supply-chain attacks will keep evolving, and without widespread adoption of protective frameworks like IPSIE, each new compromise risks rippling through the global SaaS ecosystem.

🔍 Fact Checker Results

✅ Multiple firms confirmed breaches linked to Drift and Salesforce tokens.
✅ Google verified the attacker as UNC6395 and advised treating all tokens as compromised.
❌ No evidence yet confirms whether attackers stole large volumes of highly sensitive intellectual property.

📊 Prediction

The blast radius of this attack will likely expand in the coming months as more organizations investigate their Salesforce data and integrations. Expect a wave of targeted phishing campaigns leveraging stolen business contacts, followed by potential credential abuse from exposed tokens. Industry-wide, SaaS vendors will be pressured to adopt stricter token security models, and regulators may introduce new compliance standards for managing OAuth and third-party integrations. This incident could mark a turning point in how enterprises view trust within SaaS supply chains.

References:

Reported By: www.darkreading.com