Summer 2025 didn’t just bring a wave of breaches—it triggered a reckoning around SaaS integration risk.
Two parallel threat campaigns emerged in quick succession:
- One stemming from a Salesloft compromise that cascaded into abuse of OAuth tokens and impacted hundreds of customers
- The other a vishing attack targeting Salesforce users with a malicious version of a legitimate app, tricking them into granting access to sensitive data
While Salesforce itself wasn’t directly breached in either case, its centrality in the SaaS stack amplified the blast radius. This blog breaks down what happened, who was impacted, and what security leaders should take away from it.
Anatomy of the Drift–Salesforce OAuth Attack
What Happened
According to Mandiant’s investigation, the intrusion began in March 2025, when UNC6395 (a suspected state-aligned threat actor) gained access to Salesloft’s GitHub account. With that access, they downloaded content from private repositories, added a guest user, and established persistent workflows. Between March and June, they conducted reconnaissance across both Salesloft and Drift environments.
Eventually, the attacker accessed Drift’s AWS environment, where they obtained OAuth tokens tied to Drift customers’ Salesforce and Google Workspace integrations. The attacker then used these tokens to:
- Query Salesforce data via SOQL
- Export contact, case, and credential data using the Bulk API
- Discover embedded secrets like AWS and Snowflake keys
- Delete job logs post-exfiltration (though logs remained recoverable)
Timeline of Response
- August 20, 2025: Salesloft and Salesforce revoked all Drift tokens and removed the app from AppExchange
- August 28, 2025: Google confirmed broader impact, including Google Workspace integrations via Drift Email
- September 2025: Salesloft paused its Salesforce integration and engaged Mandiant for IR and root cause analysis
Public Victims & Data Exposure
This attack impacted more than 700 organizations, including a wide range of security-sensitive companies. Confirmed and community-reported victims include: Palo Alto Networks, Cloudflare, Zscaler, Rubrik, JFrog, Tanium, Proofpoint, PagerDuty, Heap, Bugcrowd, BeyondTrust, SpyCloud, Tenable, CyberArk, Esker, Sigma, Nutanix, Megaport.
Several impacted organizations are leading cybersecurity vendors, underscoring how even security-first organizations can be compromised through SaaS integration abuse.
Strategic Insight
This wasn’t a zero-day or a CVE; it was a chain of misused trust. A GitHub account compromise led to cloud persistence, which enabled the theft and misuse of OAuth tokens across Drift’s integrations.
The bigger story isn’t Drift or Salesloft. It’s that attackers increasingly exploit the paths between platforms, not the platforms themselves.
If you’re not tracking token scopes, integration paths, and SaaS-to-SaaS access, you’re not defending your actual perimeter.
The Data Loader Campaign: Silent Exfiltration via Legitimate Tools
While the Drift incident gained attention due to the significant number of impacted enterprises, a second campaign targeting Salesforce environments emerged beforehand. This one was attributed to the threat actor ShinyHunters (UNC6040) and took a more direct approach: abusing trust through social engineering.
Instead of exploiting a technical vulnerability, the attackers impersonated IT or support staff in vishing (voice phishing) calls to employees. During these calls, they guided users to install a malicious or spoofed version of Salesforce’s Data Loader tool via connected app authorization.
Once access was granted, the attacker used that OAuth-based integration to:
- Authenticate via API-connected tooling that mimicked Data Loader
- Query and export large volumes of Salesforce data without triggering MFA or login alerts
- Access sensitive customer records such as contacts, support cases, and internal metadata
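Both the Drift token abuse described earlier (large Bulk API exports followed by job deletion) and the Data Loader exports listed here leave the same footprint in API activity records. The following is an added detection example, not code from the original post or from Salesforce; the event shape, field names, baseline figures and thresholds are constructed assumptions rather than Salesforce’s actual EventLogFile schema.

```python
"""Flag bulk-export volume spikes per connected app and job deletions that
follow shortly after an export. Event shape is an assumption for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one routine sync app and one integration that
# bulk-exports Contact/Case records and then deletes its jobs.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T01:00:00", "app": "NightlySync", "event": "JobComplete", "object": "Account", "records": 1200},
    {"ts": "2025-08-10T02:05:00", "app": "ChatConnector", "event": "JobComplete", "object": "Contact", "records": 480000},
    {"ts": "2025-08-10T02:15:00", "app": "ChatConnector", "event": "JobComplete", "object": "Case", "records": 95000},
    {"ts": "2025-08-10T02:20:00", "app": "ChatConnector", "event": "JobDelete", "object": "Contact", "records": 0},
    {"ts": "2025-08-10T02:21:00", "app": "ChatConnector", "event": "JobDelete", "object": "Case", "records": 0},
]

# Assumed per-app daily export baselines (records), e.g. learned from prior weeks.
SAMPLE_BASELINE = {"NightlySync": 1000, "ChatConnector": 2000}


def analyze(events, baseline, window=timedelta(hours=1), ratio=10):
    """Return (app, finding, detail) tuples: deletes within `window` of an export
    by the same app, and apps whose exported volume exceeds ratio * baseline.
    An app with no baseline is flagged for any export at all."""
    findings = []
    exported = defaultdict(int)   # app -> total records exported
    last_export = {}              # app -> timestamp of most recent completed job
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        app = ev["app"]
        if ev["event"] == "JobComplete":
            exported[app] += ev["records"]
            last_export[app] = ts
        elif ev["event"] == "JobDelete" and app in last_export and ts - last_export[app] <= window:
            findings.append((app, "job_delete_after_export", ev["object"]))
    for app, total in exported.items():
        if total > baseline.get(app, 0) * ratio:
            findings.append((app, "export_volume_spike", total))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f)
```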
Notably, the OAuth tokens weren’t stolen—they were willingly granted under false pretenses, revealing how easily trusted SaaS pathways can be abused.
Organizations reportedly impacted in this campaign include: Google, Cisco, Allianz Life, Chanel, Adidas, Workday, and Pandora. While Salesforce itself wasn’t compromised, this campaign showed how legitimate admin tools can be co-opted when token-based access is compromised. It also demonstrated the downstream risk created by stale or over-permissioned tokens.
Strategic Insight
This campaign exposed a hard truth: phishing has evolved. No malware, no suspicious links—just a phone call, a familiar app name, and an unsuspecting user. With OAuth tokens granted through social engineering and overly permissive apps, attackers abused trusted Salesforce functionality by posing as legitimate integrations and acting like internal admins. Without visibility into scopes, expirations, and token provenance, organizations had no way to detect misuse. And in an increasingly interconnected SaaS ecosystem, where integrations talk to each other behind the scenes, attackers no longer need to bypass MFA… they just need to blend in.
Strategic Takeaways
These incidents weren’t about malware or infrastructure exploits. They were about trust and identity abuse. If you want to defend against the next wave, you need to:
- Maintain a real-time inventory of all SaaS integrations, including user-installed apps and SaaS-to-SaaS connections, and monitor their access scopes and usage
- Treat OAuth tokens as high-risk credentials: enforce expiration, rotation, and logging, and limit scopes to the bare minimum needed
- Secure your integration supply chain by hardening GitHub and other automation platforms, and assume compromise when designing architecture… limit the blast radius of each token or app
- Require third-party apps to support breach disclosures and emergency token revocation, so you’re not reliant on email blasts to know your exposure
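One way to turn the first two takeaways into a repeatable check is to audit a normalized integration inventory for broad scopes, non-expiring refresh tokens, idle apps, overdue rotation and user-installed apps. This is an added example, not the post’s or any vendor’s code; the inventory format, the scope policy and the day thresholds are assumptions (the scope names `full`, `api`, `refresh_token` and `offline_access` are Salesforce OAuth scopes).

```python
"""Audit a SaaS integration inventory for OAuth token risk. Inventory shape
and policy thresholds are assumptions for this example."""
from datetime import date

# Policy (assumed): `full` grants broad access; these scopes yield long-lived tokens.
BROAD_SCOPES = {"full"}
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}
MAX_IDLE_DAYS = 90          # unused longer than this -> stale
MAX_TOKEN_AGE_DAYS = 180    # issued longer ago than this -> rotation overdue

# Constructed inventory in an assumed normalized shape (dates are ISO strings;
# refresh_expires None means the refresh token never expires).
SAMPLE_INVENTORY = [
    {"app": "ChatConnector", "installed_by": "user", "scopes": ["full", "refresh_token"],
     "token_issued": "2025-01-15", "last_used": "2025-08-09", "refresh_expires": None},
    {"app": "NightlySync", "installed_by": "admin", "scopes": ["api", "refresh_token"],
     "token_issued": "2025-06-01", "last_used": "2025-08-09", "refresh_expires": "2025-12-01"},
    {"app": "OldDemoTool", "installed_by": "user", "scopes": ["api"],
     "token_issued": "2024-11-01", "last_used": "2025-02-01", "refresh_expires": None},
]


def audit(inventory, today):
    """Return {app: [issue, ...]} for every app with at least one finding."""
    findings = {}
    for item in inventory:
        issues = []
        scopes = set(item["scopes"])
        if scopes & BROAD_SCOPES:
            issues.append("broad_scope")
        if scopes & PERSISTENT_SCOPES and item["refresh_expires"] is None:
            issues.append("non_expiring_refresh_token")
        if (today - date.fromisoformat(item["last_used"])).days > MAX_IDLE_DAYS:
            issues.append("stale")
        if (today - date.fromisoformat(item["token_issued"])).days > MAX_TOKEN_AGE_DAYS:
            issues.append("rotation_overdue")
        if item["installed_by"] != "admin":
            issues.append("user_installed")
        if issues:
            findings[item["app"]] = issues
    return findings


if __name__ == "__main__":
    for app, issues in audit(SAMPLE_INVENTORY, date(2025, 8, 10)).items():
        print(app, ", ".join(issues))
```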
Final Reflection
The modern SaaS stack is only as secure as the weakest integration. Whether it’s GitHub access that unlocks token theft, or OAuth sprawl that enables malicious Data Loader exfiltration, the new attack surface isn’t your perimeter—it’s your trust model.
If you don’t know who has access to your SaaS data, or what integrations are quietly moving data around, you might already be compromised.
Curious what risks are hiding in your SaaS stack? Schedule a complimentary risk assessment with our team.