In July 2025, attackers compromised SaaS integrations at scale, exposing sensitive customer data from Zscaler, Palo Alto Networks, Cloudflare, and hundreds of other organizations.
The breach originated in Salesloft Drift, a sales engagement platform that integrates directly with Salesforce. Attackers exploited OAuth tokens, which gave them persistent access to Salesforce instances and related SaaS environments. Unlike standard user sessions, OAuth tokens often don’t expire—and in this case, once they were stolen, they became silent skeleton keys.
For enterprises that rely on SaaS platforms to manage sales, support, and customer success, this wasn’t just another breach. It was a supply-chain failure that reached directly into customer trust.
What the Salesloft Drift Breach Reveals
Third-Party SaaS Risk Is Expanding
Farmers and Aflac showed us the vendor risk in insurance. The Salesloft Drift incident shows how deeply SaaS integrations extend into enterprise operations. One compromised vendor connection can expose critical business data across industries.
OAuth Tokens Are a High-Value Target
Attackers don’t need passwords when they can steal tokens. In this breach, OAuth tokens gave adversaries persistent access to Salesforce data, including contact details, licensing records, and support case content.
Coordinated Campaigns Are Rising
UNC6395, the suspected threat actor, executed a highly organized campaign. They targeted secrets such as AWS keys, Snowflake tokens, and CRM data across more than 700 organizations. This wasn’t opportunistic—it was systemic.
Customer Trust Is the Real Target
When attackers exfiltrate data from SaaS platforms, they don’t just expose systems—they expose relationships. For companies like Zscaler, the fallout isn’t limited to compliance filings. It creates a ripple effect across customer confidence, renewals, and reputation.
How Organizations Can Respond
- Treat OAuth Tokens Like Crown Jewels
Every SaaS integration token should be monitored, rotated, and revoked at the first sign of compromise. Unlike passwords, tokens are rarely reset, making them a stealthy entry point for attackers.
- Elevate SaaS Vendor Risk Management
Vendor questionnaires aren’t enough. Continuous monitoring of high-permission integrations like Drift and Salesforce is essential to see what’s really happening inside connected systems.
- Strengthen SaaS Access Controls
Zero Trust principles matter most when SaaS platforms hold your customer data. Enforce MFA, least privilege, and tighter segmentation across all SaaS connections.
- Harden Customer-Facing Channels
With exposed contact data in circulation, attackers will pivot to phishing and social engineering. Strengthen authentication and monitoring in support and customer success workflows before they become the next entry point.
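One way to turn the token guidance above into a recurring check, as an added example that is not from the original article or from any vendor's tooling: it audits an inventory of integration tokens for age, idleness, broad scopes, and use from outside the vendor's expected network. The record fields, policy thresholds, scope names, and sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy values; tune to your own rotation standard.
MAX_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=30)
BROAD_SCOPES = {"full", "api"}  # assumed high-privilege scope names

def audit_token(tok, now):
    """Return (action, reasons) for one integration token record."""
    reasons = []
    nets = [ip_network(n) for n in tok["vendor_cidrs"]]
    off_net = [ip for ip in tok["recent_ips"]
               if not any(ip_address(ip) in n for n in nets)]
    if off_net:  # use outside the vendor's ranges is a sign of compromise
        reasons.append(("revoke", f"used from unexpected IPs: {', '.join(off_net)}"))
    if now - tok["last_used"] > MAX_IDLE:
        reasons.append(("revoke", "idle beyond policy"))
    if now - tok["issued"] > MAX_AGE:
        reasons.append(("rotate", "older than rotation policy"))
    broad = BROAD_SCOPES & set(tok["scopes"])
    if broad:
        reasons.append(("review", f"broad scopes: {', '.join(sorted(broad))}"))
    rank = {"revoke": 0, "rotate": 1, "review": 2}
    # The most urgent finding decides the action; no findings means "ok".
    action = min((a for a, _ in reasons), key=rank.get, default="ok")
    return action, [r for _, r in reasons]

def audit(tokens, now):
    return {t["integration"]: audit_token(t, now) for t in tokens}

# Constructed sample inventory (not real data); IPs are documentation ranges.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"integration": "chat-widget", "issued": NOW - timedelta(days=400),
     "last_used": NOW - timedelta(hours=2), "scopes": ["api", "refresh_token"],
     "vendor_cidrs": ["192.0.2.0/24"], "recent_ips": ["192.0.2.10", "203.0.113.77"]},
    {"integration": "email-sync", "issued": NOW - timedelta(days=200),
     "last_used": NOW - timedelta(days=1), "scopes": ["chatter_api"],
     "vendor_cidrs": ["198.51.100.0/24"], "recent_ips": ["198.51.100.5"]},
    {"integration": "reporting", "issued": NOW - timedelta(days=10),
     "last_used": NOW - timedelta(days=1), "scopes": ["id"],
     "vendor_cidrs": ["198.51.100.0/24"], "recent_ips": ["198.51.100.9"]},
]

if __name__ == "__main__":
    for name, (action, reasons) in audit(SAMPLE, NOW).items():
        print(f"{name:12} {action:7} {'; '.join(reasons) or '-'}")
```

In practice the inventory would come from an export of connected-app grants and their access logs rather than a hard-coded list.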
How Carson & SAINT Helps Close SaaS Supply-Chain Gaps
Carson & SAINT has been securing critical industries since 1998, and today’s SaaS ecosystems are no exception. We help organizations reduce risk from SaaS supply-chain compromises with:
- Third-Party Risk Assessments that uncover overlooked SaaS integrations and hidden token exposures.
- Penetration Testing for SaaS ecosystems that simulates token theft, data exfiltration, and lateral movement.
- Vulnerability Risk Management (VRM) that filters SaaS findings by business impact, so teams can focus on what truly reduces breach likelihood.
- Incident Response Assessments and testing that guide token revocation, forensic review, and secure restoration when SaaS breaches occur.
We don’t just help you identify SaaS risks. We help you reduce your risk of exposure before attackers turn integrations into entry points.
Don’t Wait for the Next SaaS Supply-Chain Breach
The Salesloft Drift attack is a reminder that your perimeter now includes every SaaS token you’ve ever issued. If those tokens aren’t managed with the same care as privileged credentials, your data is already at risk.
Don’t wait until attackers take advantage of overlooked integrations. Let’s review your SaaS exposure and strengthen your defenses before the next breach puts customer trust on the line.