The Salesforce / Salesloft-Drift Breach. How Far the Blast Radius Really Goes...
Beyond the Firewall... How Lateral Movement Now Lives in Your Integrations
Jim Leone
9/19/2025, 3 min read
When news breaks of yet another big breach, the headlines usually stop at “what was stolen” and “who was hit.” But the Salesforce / Salesloft-Drift breach is different. This isn’t just about a single vendor compromise; it’s about how interconnected SaaS ecosystems turn one weak link into an explosion that ripples across hundreds of companies.
This is what security folks call the blast radius, and this one is massive.
What Actually Happened
Here’s my summary...
In early August, threat actors (tracked as UNC6395 and UNC6040) got hold of OAuth and refresh tokens tied to the Salesloft Drift app.
Those tokens unlocked access to connected Salesforce instances across hundreds of companies, without ever breaching Salesforce itself.
Attackers quietly queried data, exfiltrated records, and in some cases accessed sensitive information embedded in support cases and attachments.
By the time the breach was discovered, the attackers had been active for days, with legitimate-looking access that blended in with normal API traffic.
Why the Blast Radius Is So Big...
The real story here isn’t “a breach happened.” It’s how the compromise spread. Let’s break down the dimensions of this blast radius...
Number of organizations--> More than 700 companies are confirmed or suspected affected. From tech giants to smaller enterprises, anyone using that integration was exposed.
Type of data--> At minimum, business contact info. At worst, sensitive case data including credentials, API keys, or logs that customers pasted into tickets.
Breadth of access--> OAuth tokens gave attackers API access that looked valid. They could run Salesforce queries (SELECT * FROM Account, User, Case) like any trusted app.
Cross-vendor spread--> It didn’t stop at Salesforce. Google had to revoke Drift’s Gmail/Workspace integrations, and other SaaS platforms are reviewing ties as well.
Time in system--> The attackers had at least a week of unmonitored access, more than enough time to map environments, grab data, and pivot.
That’s not a breach. That’s a chain reaction.
Let's Get Lateral! Those Hidden Enablers...
So how did this go from “one app got hit” to “hundreds of orgs compromised”? A few painful truths:
Overly broad permissions - Integrations often ask for more than they need, and admins click “accept.”
Long-lived tokens - OAuth refresh tokens don’t expire quickly, giving attackers a long runway.
Secrets in the wrong place - Too many orgs drop passwords, API keys, or logs into support cases. Those become treasure maps when stolen.
Blind trust in third parties - This one is HUGE, and very common. Salesloft Drift was assumed safe until it wasn’t. That trust chain is exactly what attackers exploited.
Monitoring blind spots - Normal-looking API traffic often escapes detection. If you can’t see what integrations are doing, you can’t stop them.
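Three of the enablers above (overly broad permissions, long-lived tokens, blind trust in third parties) are things an admin can check mechanically against a connected-app inventory. The script below is an added example written for this post, not code from the author, Salesforce or Salesloft. The app names, scopes, token issue dates and the "allowed scopes" policy are all constructed; the inventory shape is a stand-in for whatever your admin console exports, not a real Salesforce API.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of connected apps (assumption: this is roughly what an
# admin exports from a connected-apps / OAuth-usage page). Names, scopes and
# dates are made up for this example.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

CONNECTED_APPS = [
    {"app": "chat-widget", "scopes": {"api", "refresh_token", "full"},
     "refresh_token_issued": "2024-11-03T10:00:00Z", "approved": True},
    {"app": "billing-sync", "scopes": {"api", "refresh_token"},
     "refresh_token_issued": "2025-08-20T08:30:00Z", "approved": True},
    {"app": "old-demo-tool", "scopes": {"api", "web", "refresh_token"},
     "refresh_token_issued": "2023-02-14T12:00:00Z", "approved": False},
]

# Least-privilege policy (constructed): the scopes each vetted integration
# actually needs to do its job. Anything beyond this is excess.
ALLOWED_SCOPES = {
    "chat-widget": {"api", "refresh_token"},
    "billing-sync": {"api", "refresh_token"},
}
# Refresh tokens older than this should be rotated (policy value is an assumption).
MAX_TOKEN_AGE = timedelta(days=90)


def audit_app(app, now=NOW):
    """Return a list of human-readable findings for one connected app."""
    findings = []
    # Blind trust: an app nobody vetted has no business holding a token.
    if not app["approved"]:
        findings.append("unapproved: not on the vetted-integration list")
    # Overly broad permissions: granted scopes minus the scopes it needs.
    excess = app["scopes"] - ALLOWED_SCOPES.get(app["app"], set())
    if excess:
        findings.append("over-scoped: " + ", ".join(sorted(excess)))
    # Long-lived tokens: measure the refresh token's age against policy.
    issued = datetime.fromisoformat(app["refresh_token_issued"].replace("Z", "+00:00"))
    age = now - issued
    if age > MAX_TOKEN_AGE:
        findings.append(f"stale refresh token: {age.days} days old, rotate")
    return findings


def audit_inventory(apps=CONNECTED_APPS, now=NOW):
    """Map each app name to its findings; an empty list means it passed."""
    return {a["app"]: audit_app(a, now) for a in apps}


if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        status = "OK" if not findings else "REVIEW"
        print(f"{name:14s} {status}")
        for f in findings:
            print(f"    - {f}")
```

Run as-is, the billing-sync app passes, the chat widget is flagged for its extra "full" scope and a ten-month-old refresh token, and the unapproved demo tool is flagged on all three counts. Swap the constructed inventory for your real export and the allowed-scope table for the scopes your vendors actually document needing.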
Why This Matters (Even If You Weren’t Hit)...
Think about this: your company might have bulletproof firewalls, EDR, and SIEM. But the weakest vendor integration can still open the door. That’s what this incident proves.
And the consequences go beyond stolen contacts...
Credential misuse - if secrets were stolen, expect cloud pivots into AWS, Snowflake, Azure, etc.
Targeted phishing - attackers now have fresh contact lists with job titles.
Compliance fallout - GDPR, CCPA, PCI, SOC2 … regulators don’t care if it was “your vendor.”
This isn’t just Salesforce’s problem, or Salesloft’s problem. It’s an ecosystem problem.
If your org touches Salesforce, Salesloft, Drift, or similar SaaS integrations, take action now -->
Audit your integrations - know what apps are connected, and what scopes they have. Remove the junk.
Rotate tokens and credentials - don’t let long-lived tokens linger.
Ban secrets in support cases - train teams: no passwords, no keys in tickets. Ever.
Monitor API usage - look for unusual queries, large data pulls, or odd locations.
Demand vendor transparency - push SaaS providers for visibility into token use, revocation, and incident handling.
Update your playbooks - assume your next breach won’t start with you; it’ll start with your vendor.
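"Monitor API usage" is the action item that catches the pattern described earlier: days of valid-looking token use, then a sudden bulk pull of Case and User records from somewhere the integration never called from before. Below is an added example of that detection logic, written for this post and not taken from the author or any vendor. The log lines are constructed in a generic JSON shape (not Salesforce's actual event-log format), the two-day baseline window and the 10x volume threshold are assumptions, and the client names are made up.

```python
import json
from collections import defaultdict

# Constructed API-access log, one JSON record per line: which OAuth client
# made the call, which object it queried, rows returned, and source country.
# Two "normal" days for the chat widget, then one night of bulk pulls from a
# new country, plus an unrelated client with no history at all.
SAMPLE_LOG = """\
{"ts":"2025-08-08T09:01:00Z","client":"chat-widget","object":"Lead","rows":40,"country":"US"}
{"ts":"2025-08-08T09:05:00Z","client":"chat-widget","object":"Contact","rows":55,"country":"US"}
{"ts":"2025-08-09T09:02:00Z","client":"chat-widget","object":"Lead","rows":38,"country":"US"}
{"ts":"2025-08-09T09:07:00Z","client":"chat-widget","object":"Contact","rows":61,"country":"US"}
{"ts":"2025-08-12T03:14:00Z","client":"chat-widget","object":"Case","rows":48000,"country":"NL"}
{"ts":"2025-08-12T03:20:00Z","client":"chat-widget","object":"User","rows":1200,"country":"NL"}
{"ts":"2025-08-12T10:00:00Z","client":"billing-sync","object":"Account","rows":300,"country":"US"}
"""

# Days used to learn what "normal" looks like, and how far above the baseline
# peak a single call must be to count as a bulk pull (both assumptions).
BASELINE_DAYS = {"2025-08-08", "2025-08-09"}
VOLUME_MULTIPLIER = 10


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per client: objects touched, source countries seen, and peak rows per call."""
    base = defaultdict(lambda: {"objects": set(), "countries": set(), "max_rows": 0})
    for e in events:
        if e["ts"][:10] in BASELINE_DAYS:
            b = base[e["client"]]
            b["objects"].add(e["object"])
            b["countries"].add(e["country"])
            b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def detect(events, baseline):
    """Return (timestamp, client, reason) tuples for events outside the baseline."""
    alerts = []
    for e in events:
        if e["ts"][:10] in BASELINE_DAYS:
            continue  # baseline days are the reference, not the thing under test
        b = baseline.get(e["client"])
        if b is None:
            # A token with no observed history calling the API is worth a look
            # on its own: it may be new, or it may be newly abused.
            alerts.append((e["ts"], e["client"], "no baseline for this client"))
            continue
        reasons = []
        if e["object"] not in b["objects"]:
            reasons.append(f"new object {e['object']}")
        if e["country"] not in b["countries"]:
            reasons.append(f"new source country {e['country']}")
        if e["rows"] > VOLUME_MULTIPLIER * b["max_rows"]:
            reasons.append(f"bulk pull {e['rows']} rows vs baseline max {b['max_rows']}")
        if reasons:
            alerts.append((e["ts"], e["client"], "; ".join(reasons)))
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for ts, client, reason in run():
        print(f"{ts}  {client:14s} {reason}")
```

On the sample data the two night-time calls are each flagged three ways (new object, new country, volume far above the integration's own peak), which is exactly the shape of the Salesloft-Drift activity: nothing about the token was invalid, only the behaviour was. The baseline is per client on purpose; a billing sync that legitimately pulls thousands of Account rows should not raise the threshold for a chat widget that normally touches a few dozen Leads.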
So, What's the Big Picture?
The Salesforce / Salesloft-Drift breach is a reminder that the security perimeter no longer exists. Your vendors are your perimeter. Your integrations are your attack surface.
When one app gets popped, it’s not just “their breach.” It’s yours too.
The real takeaway... stop measuring breach size only by records stolen. Start measuring by the blast radius.