
The Salesloft Drift Breach Exposes Critical Flaws in OAuth Implementations

For enterprise security teams already struggling with SaaS sprawl and third-party risk management, the Drift breach is a reminder that OAuth tokens—designed to enhance security by eliminating password sharing—are high-value targets.

The cybersecurity industry recently learned how unforgiving weak authorization implementations can be when exploited. Between August 8 and 18, the threat actor group UNC6395 systematically exploited compromised OAuth tokens from Salesloft's Drift AI chatbot to breach over 700 Salesforce instances, where they stole AWS credentials, Snowflake tokens, and sensitive customer data from major enterprises, including Cloudflare, Zscaler, and Palo Alto Networks.

"Unfortunately, because attackers have mastered the exploitation of the trust relationships between integrated SaaS services, these types of attacks are common. Because of the interconnected nature of these services, the importance of proper token management and API security practices can't be stressed enough," said Andrew Storms, VP of security at commercial software distribution platform Replicated.

Deep dive: the Salesloft Drift attack

UNC6395, also tracked as GRUB1, utilized Python automation tools with asynchronous libraries to query Salesforce APIs, mapping organizational data systematically before extraction. They employed SOQL (Salesforce Object Query Language) to count records across critical objects, including Accounts, Contacts, Cases, and Opportunities, creating a comprehensive inventory before beginning their mass data theft.

The threat actors clearly understood both Salesforce's architecture and standard enterprise security practices. They specifically targeted embedded credentials within support cases and custom fields, harvesting AWS access keys identifiable by the "AKIA" prefix, Snowflake authentication tokens, and VPN credentials that organizations had inadvertently stored in their CRM systems. To evade detection, the attackers deleted query jobs after execution, though Salesforce's event logs ultimately preserved evidence of their activities.

Google Threat Intelligence Group's analysis revealed that UNC6395 had systematically compromised Drift's OAuth access and refresh tokens, enabling persistent access to connected Salesforce instances without triggering multi-factor authentication or traditional security controls. The attack's success lay not in exploiting technical vulnerabilities, but in weaponizing the legitimate trust relationships that modern businesses depend on for day-to-day operations.

Salesloft's Response

Salesloft's handling of the incident revealed critical gaps in both detection capabilities and crisis communication. The company first disclosed the security incident on August 20, 2025—at least 12 days after the attack began—with a notably vague advisory that described detecting "a security issue" without acknowledging active data exfiltration.

Salesloft coordinated effectively with Salesforce on immediate containment measures. On August 20, both companies collaborated to revoke all active OAuth and refresh tokens associated with the Drift application, while Salesforce removed the Drift app from the AppExchange marketplace. However, hundreds of organizations were already hit. 

As the initial disclosure lacked urgency and specificity, customers were left uncertain about the scope and severity of the incident. Only after Google Threat Intelligence Group published a detailed analysis on August 26 did Salesloft acknowledge that the incident extended beyond Salesforce integrations, recommending that customers "treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised."

WideField.ai reported communication failures where security teams weren't notified because Salesloft only had marketing contacts on file, highlighting inadequate incident response processes. As the story evolved from a Salesforce-specific impact to a broader token compromise, it raised questions about the completeness of the initial investigation.

On September 7, Salesloft announced they were taking the entire Drift platform offline, stating this would "provide the fastest path forward to comprehensively review the application and build additional resiliency." While this represented a comprehensive response, it came nearly a month after the attack began, leaving many wondering why decisive action wasn't taken earlier.

Critical security failures

The Drift breach succeeded because of fundamental weaknesses in its OAuth token implementation. Such weaknesses affect many SaaS providers. Notably, long-lived tokens without rotation created persistent access that attackers could exploit for weeks without detection. Unlike user sessions that expire regularly, OAuth tokens often persist indefinitely, creating long-term risk exposure.

"Organizations must implement better practices around token and credential management," said Leo Magallon, CISO at emissions management platform provider Stepwise. "That includes restricting API access to specific apps and IP addresses, implementing multi-factor authentication for APIs, and limiting token usage to authorized applications and connections," Magallon added.

Salesloft's lack of IP restrictions proved particularly damaging. Okta successfully blocked similar attacks because it had implemented inbound IP restrictions that prevented unauthorized access from foreign IP addresses. This single control could have blocked the entire UNC6395 campaign against properly configured organizations.

The absence of a Demonstrating Proof of Possession (DPoP) implementation represented another critical oversight. DPoP cryptographically binds access tokens to specific clients, preventing stolen tokens from being replayed by attackers using different systems. Over-permissive OAuth scopes enabled extensive data access once tokens were compromised, violating the principle of least privilege that should govern all integration permissions.

Real-time monitoring failures allowed systematic data exfiltration to continue undetected. The attackers used distinctive Python automation tools with identifiable user-agent strings that should have triggered immediate alerts. Modern OAuth implementations require behavioral analytics for API access patterns and automated detection of bulk data operations to identify such systematic abuse. "And there needs to be a way to cut off connections to potentially compromised tenants quickly," Magallon added.

Platform provider prescriptions

SaaS platforms must fundamentally rethink their OAuth security architectures to limit token utility for attackers. Short-lived access tokens with lifespans of 15-60 minutes maximum should become standard, forcing regular re-authentication that limits attack windows. Refresh token rotation ensures that each token use generates a new refresh token, enabling detection of replay attacks when multiple clients attempt to use the same credentials.
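The refresh token rotation described above, as an added toy example (not Salesloft's or Salesforce's code): every exchange marks the presented refresh token as used and issues a new one, and a second presentation of an already-used token is treated as a replay that revokes the whole token family. The store layout, the 15-minute access token lifetime and the client identifiers are assumptions.

```python
import secrets
import time

# Added example (toy, not Salesloft's or Salesforce's code): refresh-token
# rotation with token-family revocation on replay.
ACCESS_TTL = 15 * 60  # assumed short-lived access tokens: 15 minutes


class TokenStore:
    def __init__(self):
        self.refresh = {}            # refresh token -> {family, client, used}
        self.revoked_families = set()
        self.alerts = []

    def issue(self, client_id, family=None):
        """Mint a new access/refresh pair; a new family starts at first login."""
        family = family or secrets.token_hex(8)
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"family": family, "client": client_id, "used": False}
        at = {"token": secrets.token_urlsafe(32), "client": client_id,
              "expires": time.time() + ACCESS_TTL}
        return at, rt

    def rotate(self, refresh_token, client_id):
        """Exchange a refresh token; returns a new pair or None if rejected."""
        rec = self.refresh.get(refresh_token)
        if (rec is None or rec["client"] != client_id
                or rec["family"] in self.revoked_families):
            return None
        if rec["used"]:
            # Replay: this token was already exchanged once, so two parties now
            # hold copies. Revoke the entire family so the stolen copy and every
            # token derived from it stop working, and raise an alert.
            self.revoked_families.add(rec["family"])
            self.alerts.append(("refresh_replay", rec["family"]))
            return None
        rec["used"] = True
        return self.issue(client_id, rec["family"])


def simulate_stolen_refresh_token():
    """Legit client rotates, then a stolen copy of the old token is replayed."""
    store = TokenStore()
    _, rt1 = store.issue("integration-app")          # attacker copies rt1 here
    _, rt2 = store.rotate(rt1, "integration-app")    # normal rotation by the client
    replay = store.rotate(rt1, "integration-app")    # stolen copy: rejected, family revoked
    legit_after = store.rotate(rt2, "integration-app")  # also rejected now
    return {"replay_rejected": replay is None,
            "family_revoked": legit_after is None,
            "alerts": len(store.alerts)}
```

Revoking the family on replay cuts off both parties, which is the desired outcome: the legitimate client re-authenticates, while the holder of the stolen copy does not get a usable token.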

Implementing DPoP (Demonstrating Proof of Possession) represents the most effective defense against token replay attacks. By binding tokens to specific cryptographic keys, platforms can ensure that stolen tokens cannot be used by attackers who lack the corresponding private keys. This transforms bearer tokens into proof-of-possession tokens that resist the attack methods used by UNC6395.

Granular permissions that follow least-privilege principles must be enforced across integrations. Applications should receive only the minimum permissions necessary for their intended functionality, with explicit justification required for elevated access levels. IP restrictions and geolocation-based access controls can prevent token usage from unexpected regions or unauthorized network locations.

Advanced monitoring capabilities, including machine learning-based behavioral analysis, can identify subtle attack patterns that evade traditional rule-based systems. Real-time analysis of API call volumes, query patterns, and data export activities can detect systematic abuse within hours rather than days. User-agent string analysis and automated tool detection can identify non-standard access patterns characteristic of automated attacks.
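As an added illustration of the monitoring called for here and in the "Critical security failures" section (not code from Salesloft, Salesforce or Google Threat Intelligence Group), the following Python runs three rules over a constructed batch of API access records: automation-library user agents, COUNT() inventory queries across several sensitive objects within a short window, and bulk row exports. The record fields, the principal names and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of API access records (timestamp in seconds, principal,
# user agent, query text, rows returned). Field names are assumptions, not a
# real Salesforce event log schema.
FIELDS = ("ts", "user", "ua", "query", "rows")
RAW = [
    (100, "int-svc", "python-requests/2.31", "SELECT COUNT() FROM Account", 1),
    (101, "int-svc", "python-requests/2.31", "SELECT COUNT() FROM Contact", 1),
    (102, "int-svc", "python-requests/2.31", "SELECT COUNT() FROM Case", 1),
    (103, "int-svc", "python-requests/2.31", "SELECT COUNT() FROM Opportunity", 1),
    (300, "int-svc", "python-requests/2.31", "SELECT Subject, Description FROM Case", 48000),
    (310, "jsmith", "Mozilla/5.0 (Windows NT 10.0)", "SELECT Name FROM Account WHERE Id = '001xx'", 1),
]
EVENTS = [dict(zip(FIELDS, r)) for r in RAW]

SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
AUTOMATION_UA = re.compile(r"python|aiohttp", re.I)   # assumed automation signatures
COUNT_QUERY = re.compile(r"SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
BULK_ROWS = 10_000       # assumed threshold for a single query's result size
RECON_WINDOW = 600       # seconds in which COUNT() over >= 3 objects is suspicious


def detect(events):
    """Return (rule, user, detail) alerts for suspicious API access patterns."""
    alerts, flagged_ua = [], set()
    counts = defaultdict(list)           # user -> [(ts, object counted)]
    for e in sorted(events, key=lambda e: e["ts"]):
        # Rule 1: automation-library user agent, reported once per principal.
        if AUTOMATION_UA.search(e["ua"]) and e["user"] not in flagged_ua:
            flagged_ua.add(e["user"])
            alerts.append(("automation_user_agent", e["user"], e["ua"]))
        # Rule 2 (collect): COUNT() against a sensitive object.
        m = COUNT_QUERY.match(e["query"])
        if m and m.group(1) in SENSITIVE_OBJECTS:
            counts[e["user"]].append((e["ts"], m.group(1)))
        # Rule 3: one query returning a bulk result set.
        if e["rows"] >= BULK_ROWS:
            alerts.append(("bulk_export", e["user"], e["rows"]))
    # Rule 2 (evaluate): distinct sensitive objects counted inside the window.
    for user, hits in counts.items():
        for i, (start, _) in enumerate(hits):
            objs = {o for t, o in hits[i:] if t - start <= RECON_WINDOW}
            if len(objs) >= 3:
                alerts.append(("inventory_recon", user, tuple(sorted(objs))))
                break
    return alerts
```

Only the integration principal trips the rules; the interactive user with a browser user agent and a single-record lookup produces no alert.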

Enterprise defense strategies

There are many lessons here for enterprises. Organizations should consider implementing multiple layers of preventive controls to reduce exposure to OAuth token theft attacks. IP restrictions on connected apps represent one of the most effective defenses, ensuring that tokens can only be used from predetermined network locations. Device-based conditional access policies restrict SaaS access to managed, compliant devices with current security patches and endpoint detection capabilities.

Centralized OAuth app approval processes prevent end-users from independently authorizing third-party applications with excessive permissions or inadequate security controls. Organizations should implement explicit approval workflows that require the security team to review OAuth scopes and vendor security assessments.

Cloud Access Security Broker (CASB) and SaaS Security Posture Management platforms and tools provide essential visibility into third-party integrations and can detect suspicious OAuth token usage patterns. These platforms monitor for unusual data access patterns, bulk exports, and API usage inconsistent with normal application behavior.

Regular OAuth permission audits and automated alerts for permission escalations help identify potential compromises. Data Loss Prevention integration can identify when sensitive credentials or secrets are accessed or exported from SaaS platforms; such detection would have been crucial for spotting the embedded AWS keys and database credentials that were the primary targets in the Drift incident.

Ultimately, added Magallon, enterprise application owners must take primary responsibility for their data security — as is called upon in the shared responsibility model — and proactively monitor and respond to potential security breaches, as well as keep up to date on threat intelligence, security alerts, and software patches. 

The key, he said, is creating multiple layers of security that make it harder for unauthorized access, while maintaining the functionality of the systems. 

Maintaining the "functionality" of the systems is often more challenging than many may suspect, said Wim Remes, principal consultant at cybersecurity services provider Toreon. "While OAuth originally had an authorization focus, it is largely 'abused' for authentication purposes only, and security and usability rarely become friends in complex ecosystems. Obviously, when your application or service requires access to data because your service is data hungry, limiting the access scope will directly impact functionality. This leads to overly permissive integrations, with the Salesloft debacle as a direct result," said Remes.

The Drift breach represents a watershed moment for SaaS security, demonstrating that the interconnected nature of modern cloud environments creates both unprecedented capabilities and unprecedented risks. Organizations can no longer rely solely on securing their primary SaaS platforms; they must assess and monitor the security posture of all integrated third-party applications and services.

The incident highlights the urgent need for industry-wide adoption of advanced OAuth security standards, including DPoP, certificate-based authentication, and comprehensive token lifecycle management. As threat actors increasingly target the OAuth-enabled SaaS ecosystem, platforms and enterprises that proactively implement these security measures will be better positioned to defend against the next generation of supply chain attacks.

The cost of inadequate OAuth security extends beyond individual organizations to entire business ecosystems built on trusted integrations. For cybersecurity leaders, the Drift breach serves as a reminder to invest in SaaS-native security tools, implement zero-trust architectures for cloud integrations, and develop incident response capabilities designed explicitly for the interconnected threats facing modern enterprises.
