A quiet storm swept through the enterprise SaaS world in August 2025. Salesforce, the largest cloud CRM vendor, wasn't breached directly. No zero-day in its infrastructure was exploited, and no misconfigured firewall was to blame. Instead, the entry point was a seemingly harmless OAuth integration: Drift, the Salesloft-owned chat and engagement app that customers had connected to their Salesforce orgs.
With stolen OAuth tokens, the attackers sidestepped the defenses that normally stop account takeover: multi-factor authentication (MFA), login IP restrictions, even security-conscious users who would never have typed a password into a phishing page. The Salesforce Drift breach has become a textbook OAuth supply chain attack, and a demonstration of how fragile enterprise trust models really are.
OAuth Supply Chain Attack 101
Before we dive into the breach timeline, let’s unpack why OAuth is so dangerous when abused.
OAuth 2.0 (short for "Open Authorization") was designed to let one app access another app's data on your behalf without ever receiving your username and password. Click a button, approve the requested scopes, and suddenly Salesforce and Drift are best friends.
The problem is what that approval produces. The access token is usually short-lived, but the refresh token behind it can stay valid for months, or until someone revokes it. Tokens routinely carry broad scopes. And because MFA is checked only when the user approves the grant, the token is accepted afterwards without any user interaction at all. Think of them less like house keys and more like skeleton keys: invisible, reusable, and revocable only once someone notices they have been stolen.
That makes OAuth a dream target for attackers and a nightmare for defenders.
The Salesforce Drift Breach: Timeline of a SaaS Heist
The Drift breach wasn’t loud. No ransomware splash screens, no service outages. Instead, it unfolded like a slow-motion bank robbery.
August 8–18, 2025: The Silent Harvest
Attackers tracked by Google as UNC6395 (also referred to as GRUB1) began pulling data out of customers' Salesforce environments using OAuth tokens stolen from Drift. The scope was chilling:
- Customer records – user accounts, opportunities, and case data.
- Secrets – AWS keys, Snowflake tokens, even passwords stored in support cases.
- Business intelligence – reports and exports that mapped how companies operate.
They ran SOQL queries and bulk query jobs against the Salesforce API, then deleted the jobs to cover their tracks. Deleting a job removes it from the job list, but it does not touch Salesforce's event logs, which still recorded the queries. The activity was clean and quiet, and invisible only to teams that never look at their API logs.
August 20: Emergency Brake Pulled
Salesloft detected suspicious activity. Working with Salesforce, it revoked all active Drift access and refresh tokens, and Drift was removed from Salesforce's AppExchange. Salesforce issued advisories urging customers to re-authenticate integrations, rotate any credentials stored in their orgs, and review their access logs.
The data, however, was already gone.
August 26–28: The Scope Widens
Google's Threat Intelligence Group confirmed the breach wasn't isolated: hundreds of Salesforce customers had data taken. Obsidian Security and Google also reported that the Drift Email integration had been used to reach a small number of Google Workspace and Gmail accounts, taking the breach beyond CRM.
September: Victims Step Forward
By September, the victim list read like a cybersecurity who’s-who: Cloudflare, Palo Alto Networks, Zscaler. Each confirmed data loss ranging from customer contact information to support-case details to leaked credentials.
Salesloft announced that Drift would be taken offline while it rebuilt the product's security posture, with Mandiant brought in to lead the investigation. But the trust was already broken.
Why It Worked: OAuth as the Attack Vector
This wasn't a case of cutting-edge malware. It was the way OAuth grants are scoped, kept alive and left unwatched that made the attack so effective.
- Invisible to defenders – Most enterprises don't log or review third-party app activity in detail. A connected app's API calls land in event logs that nobody reads.
- MFA bypassed – MFA is evaluated once, when the user authorizes the app. After that the bearer token alone authenticates every API call, so a stolen token never meets an MFA prompt.
- Overprivileged tokens – Integrations ask for broad scopes and enterprises grant them. Salesforce scopes are coarse, so an "api" token can read every object the authorizing user can; when an administrator approves an app under their own account, the vendor inherits admin-level data access.
- Secrets in SaaS – Enterprises paste API keys and credentials into CRM records, tickets, and support cases. Attackers know it and search for them first.
This combination made the Drift breach devastatingly effective.
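The "secrets in SaaS" point is one you can act on today by running the attackers' search yourself, before they do. The following is an added example written for this article, not code from Salesforce, Salesloft or any of the vendors involved: a scanner that applies credential patterns to Case-style records and returns redacted findings for a cleanup ticket. The records are constructed, and the Case, Description and CaseComment.CommentBody names mentioned in the docstring are assumptions to check against your org's schema.

```python
"""Scan support-case text for pasted credentials: the attackers' search,
turned around for cleanup.

Added example, not code from Salesforce, Salesloft or the original post.
The case records are constructed; in a real org Description comes from a
SOQL query against Case and the comment bodies from CaseComment.CommentBody
(assumed field names, check your schema before running this at scale).
"""
import re

# AWS documents the AKIA/ASIA access key ID format; the rest are ticket-text
# heuristics that will need analyst review.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "snowflake_account_url": re.compile(
        r"\b[a-z0-9_-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be triaged without re-exposing it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(text) -> list[dict]:
    """Run every pattern over one field and return redacted matches."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text or ""):
            secret = match.group(1) if match.groups() else match.group(0)
            findings.append({"type": name, "sample": redact(secret)})
    return findings


def scan_cases(cases: list[dict]) -> list[dict]:
    """One finding per (record, field, match), enough to open a cleanup ticket."""
    results = []
    for case in cases:
        for field in ("Subject", "Description", "Comments"):
            value = case.get(field)
            for text in (value if isinstance(value, list) else [value]):
                for finding in scan_text(text):
                    results.append({"CaseId": case["Id"], "Field": field, **finding})
    return results


# Constructed records; the AWS key pair is the example pair AWS publishes.
SAMPLE_CASES = [
    {"Id": "500000000000001", "Subject": "S3 upload failing",
     "Description": "Our key is AKIAIOSFODNN7EXAMPLE and "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
     "Comments": ["Tried again, same error."]},
    {"Id": "500000000000002", "Subject": "Can't log in to the warehouse",
     "Description": "Account xy12345.snowflakecomputing.com, password: Winter2025!x",
     "Comments": []},
    {"Id": "500000000000003", "Subject": "Renewal question",
     "Description": "When does our contract renew?", "Comments": ["Next March."]},
]

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f['CaseId']}  {f['Field']:<12}{f['type']:<24}{f['sample']}")
```

The scanner reports only a redacted prefix of each hit, so the report itself doesn't become the next place secrets leak from. Treat every hit as already compromised: rotate the credential first, then scrub the record.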
OAuth as the New Supply Chain Weakness
For years, the phrase “supply chain attack” conjured images of compromised software updates or poisoned NPM packages. The Drift incident shifts that narrative: your supply chain is now your SaaS integrations.
When one vendor is compromised, the ripple effect hits every connected customer. It’s the same model as SolarWinds or Kaseya, but instead of backdoored binaries, it’s OAuth tokens granting trusted access.
And the scope is only growing. SaaS sprawl means enterprises rely on dozens—sometimes hundreds—of third-party integrations. Each connection is a potential supply chain bomb waiting to detonate.
What Salesforce Did Right, and Wrong
Salesforce deserves some credit. The company responded quickly once Salesloft confirmed the breach: removing the app, notifying customers, and publishing guidance on credential rotation.
But here’s the underlying challenge: Salesforce, like most SaaS giants, has long pushed customers toward rich ecosystems of integrations. That ecosystem is a selling point. It’s also a liability.
In practice Salesforce customers had little visibility: OAuth grants were rarely reviewed, connected-app token expiry and IP-restriction policies were rarely tightened from their defaults, and nobody could see what Drift, or any other third party, was doing with its privileges. By design, OAuth asks for trust. Once given, it is rarely verified.
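The controls do exist; the gap is that nobody runs the inventory. As an added example, not code from the original post or from Salesforce, here is an audit over a constructed list of OAuth grants that flags the conditions this breach exploited: the "full" scope, refresh tokens with no expiry, relaxed IP restrictions, apps authorized under an administrator's account, and tokens nobody has used in months. The OauthToken SOQL query named in the docstring and the policy wording in the sample data are assumptions to verify against your org.

```python
"""Audit the OAuth grants in a Salesforce org: which apps hold tokens, how
broad they are, how long they live, and who they run as.

Added example, not code from Salesforce or the original post. The grant
list is constructed; in a real org the token rows would come from SOQL
(SELECT AppName, UserId, LastUsedDate, UseCount FROM OauthToken is the
assumed query; verify the object and fields for your API version) and the
policy columns from each connected app's OAuth settings page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class OAuthGrant:
    app_name: str
    user: str                    # the user the token runs as
    user_profile: str            # that user's profile
    scopes: frozenset            # Salesforce scope names as granted
    refresh_token_policy: str    # wording from the connected app's OAuth policies
    ip_relaxation: str           # "Enforce IP restrictions" or "Relax IP restrictions"
    last_used: datetime
    use_count: int


STALE_AFTER = timedelta(days=90)
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def audit_grant(g: OAuthGrant, now: datetime) -> list[dict]:
    """Return one finding per risky condition on a single grant."""
    findings = []

    def add(severity, issue, fix):
        findings.append({"app": g.app_name, "user": g.user,
                         "severity": severity, "issue": issue, "fix": fix})

    if "full" in g.scopes:
        add("HIGH", "'full' scope covers every API the user can reach",
            "re-authorize with only the scopes the app needs")
    if "refresh_token" in g.scopes and \
            g.refresh_token_policy.lower().startswith("refresh token is valid until revoked"):
        add("MEDIUM", "refresh token never expires",
            "set an inactivity or absolute expiry on the connected app")
    if g.ip_relaxation.lower().startswith("relax"):
        add("MEDIUM", "IP restrictions are not enforced for this app",
            "enforce IP restrictions and allowlist the vendor's egress ranges")
    # Scopes are coarse: an 'api' token reads whatever its user can, so the
    # user's profile is the real data boundary.
    if g.user_profile == "System Administrator":
        add("HIGH", "token runs as an administrator",
            "re-authorize as a dedicated integration user with a scoped permission set")
    idle = now - g.last_used
    if idle > STALE_AFTER:
        add("MEDIUM", f"unused for {idle.days} days",
            "revoke the token and remove the app if no owner claims it")
    return findings


def audit(grants, now: datetime) -> list[dict]:
    return [f for g in grants for f in audit_grant(g, now)]


def severity_by_app(findings: list[dict]) -> dict:
    """Worst severity per app, for the summary at the top of the report."""
    worst = {}
    for f in findings:
        current = worst.get(f["app"])
        if current is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[current]:
            worst[f["app"]] = f["severity"]
    return worst


# Constructed inventory as of a fixed date so the output is reproducible.
NOW = datetime(2025, 8, 20)
SAMPLE_GRANTS = [
    OAuthGrant("Chat Widget", "integration.chat@example.com", "System Administrator",
               frozenset({"api", "refresh_token", "web"}), "Refresh token is valid until revoked",
               "Relax IP restrictions", datetime(2025, 8, 18), 41_200),
    OAuthGrant("Data Loader", "ops@example.com", "Integration User",
               frozenset({"api", "refresh_token"}), "Expire refresh token if not used for 30 days",
               "Enforce IP restrictions", datetime(2025, 4, 1), 12),
    OAuthGrant("Legacy BI Export", "bi.svc@example.com", "Integration User",
               frozenset({"full", "refresh_token"}), "Refresh token is valid until revoked",
               "Enforce IP restrictions", datetime(2025, 8, 10), 3_300),
]

if __name__ == "__main__":
    report = audit(SAMPLE_GRANTS, NOW)
    for app, sev in severity_by_app(report).items():
        print(f"{sev:<6} {app}")
    for f in report:
        print(f"  [{f['severity']}] {f['app']}: {f['issue']} -> {f['fix']}")
```

The chat app in the sample is the shape that hurt in August: a busy, never-expiring token that runs as an administrator with IP restrictions relaxed. None of those conditions is a Salesforce bug; each is a setting someone accepted at install time and never revisited.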
Lessons for Security Engineers
So what do we take away from the Salesforce Drift breach? A few blunt truths:
- OAuth is not safe by default – Treat every integration as a potential breach point and every token as a credential.
- Audit your integrations – Know which apps are connected, which user each one runs as, what data it can reach, and whether it still needs it.
- Enforce least privilege – Don't approve "full access" if the app only needs contacts, and authorize apps as a dedicated integration user with a scoped permission set rather than as an admin.
- Expire tokens – Set refresh-token expiry on your connected apps (Salesforce can expire them after a fixed period or after a period of inactivity) and push vendors to re-authenticate instead of holding tokens indefinitely.
- Monitor the invisible – Bulk query jobs, queries against objects an integration has never touched, unusual row counts, and access at odd hours should light up your SIEM. Read the event logs, not the job list: attackers delete their jobs, but the logs remain.
And perhaps most importantly, stop storing secrets in SaaS records. That support case with an AWS key pasted into it is a ticking time bomb.
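The "monitor the invisible" point above, and the timeline's note that the attackers deleted their bulk query jobs, come together in the following detection. It is an added example written for this article, not code from Salesforce or the original post. It runs three checks over constructed API event log rows: a per-client daily volume spike against that client's own baseline, sensitive objects read outside a client's expected set, and a bulk query job whose results were fetched and then deleted. The column names are a simplified stand-in for Salesforce EventLogFile data and the expected-object allowlist is assumed; map both to your org before relying on it.

```python
"""Hunt API event logs for the Drift pattern: an integration user pulling
unusual volume, reading objects it never needed, and deleting its bulk
query jobs afterwards. Added example, not Salesforce or the post's code;
rows are constructed and columns are a simplified stand-in for the
EventLogFile 'API' and 'BulkApi2' event types (map them to your export).
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

SENSITIVE_OBJECTS = {"Case", "User", "Account", "Contact", "Opportunity"}
EXPECTED_OBJECTS = {"chat-integration": {"Lead", "Contact"}}  # assumed allowlist
ABSOLUTE_ROW_THRESHOLD = 10_000  # rows per day that is suspicious on its own
SPIKE_FACTOR = 5                 # multiple of the client's median day
JOB_RESULTS_RE = re.compile(r"/jobs/query/([0-9A-Za-z]+)/results$")
JOB_ID_RE = re.compile(r"/jobs/query/([0-9A-Za-z]+)$")

# Constructed: three quiet days, then a 02:41 UTC export of Case, User and
# Account with both bulk jobs deleted minutes after their results were read.
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_ID,CLIENT_NAME,METHOD,URI,ENTITY_NAME,ROWS_PROCESSED
2025-08-05T09:12:00Z,API,005INTEG0000001,chat-integration,GET,/services/data/v61.0/query,Lead,120
2025-08-06T09:15:00Z,API,005INTEG0000001,chat-integration,GET,/services/data/v61.0/query,Contact,95
2025-08-07T09:11:00Z,API,005INTEG0000001,chat-integration,GET,/services/data/v61.0/query,Lead,110
2025-08-09T02:41:00Z,BulkApi2,005INTEG0000001,chat-integration,POST,/services/data/v61.0/jobs/query,Case,0
2025-08-09T02:52:00Z,BulkApi2,005INTEG0000001,chat-integration,GET,/services/data/v61.0/jobs/query/750JOB000000001/results,Case,48000
2025-08-09T02:58:00Z,BulkApi2,005INTEG0000001,chat-integration,DELETE,/services/data/v61.0/jobs/query/750JOB000000001,Case,0
2025-08-09T03:05:00Z,API,005INTEG0000001,chat-integration,GET,/services/data/v61.0/query,User,900
2025-08-09T03:20:00Z,BulkApi2,005INTEG0000001,chat-integration,POST,/services/data/v61.0/jobs/query,Account,0
2025-08-09T03:31:00Z,BulkApi2,005INTEG0000001,chat-integration,GET,/services/data/v61.0/jobs/query/750JOB000000002/results,Account,22000
2025-08-09T03:33:00Z,BulkApi2,005INTEG0000001,chat-integration,DELETE,/services/data/v61.0/jobs/query/750JOB000000002,Account,0
2025-08-09T10:00:00Z,API,005HUMAN0000002,salesforce-ui,GET,/services/data/v61.0/query,Opportunity,40
"""


def parse_log(text: str) -> list[dict]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    return rows


def volume_spikes(rows: list[dict]) -> list[dict]:
    """Compare each client-day's rows against the median of that client's other days."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in rows:
        per_day[r["CLIENT_NAME"]][r["ts"].date()] += r["rows"]
    alerts = []
    for client, days in per_day.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if total >= ABSOLUTE_ROW_THRESHOLD or (baseline and total > SPIKE_FACTOR * baseline):
                alerts.append({"rule": "volume_spike", "client": client,
                               "day": str(day), "rows": total, "baseline": baseline})
    return alerts


def unexpected_objects(rows: list[dict]) -> list[dict]:
    """Sensitive objects actually read by a client outside its documented need."""
    seen = defaultdict(set)
    for r in rows:
        allowed = EXPECTED_OBJECTS.get(r["CLIENT_NAME"])
        if allowed is not None and r["rows"] > 0 and \
                r["ENTITY_NAME"] in SENSITIVE_OBJECTS and r["ENTITY_NAME"] not in allowed:
            seen[r["CLIENT_NAME"]].add(r["ENTITY_NAME"])
    return [{"rule": "unexpected_object", "client": c, "objects": sorted(o)}
            for c, o in seen.items()]


def deleted_query_jobs(rows: list[dict]) -> list[dict]:
    """Pair a bulk query job's result fetch with a later DELETE of the same job."""
    fetched, alerts = {}, []
    for r in sorted(rows, key=lambda x: x["ts"]):
        if r["EVENT_TYPE"] != "BulkApi2":
            continue
        if r["METHOD"] == "GET" and (m := JOB_RESULTS_RE.search(r["URI"])):
            fetched[m.group(1)] = r
        elif r["METHOD"] == "DELETE" and (m := JOB_ID_RE.search(r["URI"])):
            job = fetched.get(m.group(1))
            if job:
                alerts.append({"rule": "job_deleted_after_export", "client": r["CLIENT_NAME"],
                               "job": m.group(1), "object": job["ENTITY_NAME"], "rows": job["rows"],
                               "minutes_to_delete": round((r["ts"] - job["ts"]).total_seconds() / 60)})
    return alerts


def hunt(text: str) -> list[dict]:
    rows = parse_log(text)
    return volume_spikes(rows) + unexpected_objects(rows) + deleted_query_jobs(rows)


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Each check fires on the constructed integration client and none on the human user, which is the point: the signal is not "someone queried Case" but "this client, which has only ever read leads and contacts, exported tens of thousands of Case and Account rows at 3 a.m. and then deleted the jobs". The baseline per client is what makes the first rule usable without flooding the SIEM.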
Why Does the Drift OAuth Breach Matter More Than Most?
The Drift incident isn’t the first OAuth supply chain attack, but it is the loudest warning shot yet. It involved Fortune 500 companies, major cybersecurity vendors, and one of the most trusted SaaS platforms in the world.
It’s proof that OAuth tokens, once stolen, give attackers persistence and privilege without any of the usual tripwires.
As one researcher put it: “OAuth isn’t a login. It’s a skeleton key. And when it’s stolen, every connected door swings open.”
The Bottom Line: Audit Your SaaS Supply Chain Now
The Salesforce Drift breach shows the future of SaaS attacks won’t always be about exploiting flaws in the apps themselves. Instead, the real danger lies in the trusted connections between them.
If you’re a security engineer, the checklist is simple:
- Audit OAuth connections.
- Enforce least privilege.
- Monitor integration behavior.
- Assume third-party compromise will happen.
- Assume sessions are compromised and build your security tooling accordingly.
The next breach may not start with your infrastructure or an employee's account. It's more likely to come from an OAuth connection you approved last year and forgot about.