When the Vendor Is the Breach: The Salesloft Drift Lesson

Rachel Andersen··4 min read
Abstract visualization of connected cloud applications and integrations

You can do everything right — strong passwords, MFA everywhere, a well-trained workforce — and still be breached because of a chatbot you connected to your CRM eighteen months ago. That is the uncomfortable lesson of the Salesloft Drift attack, one of the most consequential supply-chain incidents of the past year.

In 2025, attackers compromised the Drift conversational-marketing integration and stole the OAuth tokens that customers had granted to connect it to their systems. With those tokens, they impersonated the trusted app and reached into the environments of more than 700 organizations — Salesforce data first, with exposure extending to Google Workspace, Slack, and cloud platforms. Google's threat-intelligence group tracked the activity as UNC6395.

What Actually Happened

The intrusion is a textbook example of how modern supply-chain attacks unfold quietly. Investigators found the attackers had access to the vendor's source-code repository for months before the visible impact. They then reached the integration's cloud environment and stole the OAuth refresh tokens customers had issued. Over a roughly ten-day window, they used those tokens to systematically query customer environments and pull data.

What did they take? Business contact records — names, titles, emails, phone numbers — and CRM objects like accounts, opportunities, and support cases. In some cases, far more sensitive material was exposed: API keys, cloud credentials, and passwords that customers had pasted into support tickets.

Why OAuth Is the New Soft Underbelly

OAuth integrations are the connective tissue of the modern SaaS stack, and that's exactly why they're dangerous. A few things make them uniquely risky:

  • Tokens bypass your front door. A stolen OAuth token doesn't need a password and often doesn't trigger MFA — it's already an authorized grant.
  • They're long-lived and invisible. Refresh tokens can persist for months, and most organizations have no inventory of which third-party apps hold which permissions.
  • Trust is inherited. When the integration is compromised, the attacker inherits all the access you granted it.

This is why the Verizon DBIR 2026 highlighted vendors and third parties as a growing weak link, and why third-party compromise has surged. You are only as secure as the least-secure app you've connected to your crown-jewel data.

The Follow-On Phishing Wave

The breach doesn't end when the data is stolen — that's when the second wave begins. Exposed contact lists, internal context, and deal details are rocket fuel for highly targeted spear phishing and social engineering. Attackers now know who you do business with, what tools you use, and what conversations are in flight, letting them craft messages that are almost impossible to distinguish from legitimate correspondence.

A vendor breach you didn't cause becomes a phishing campaign against your employees, your customers, and your partners — all impersonating relationships that genuinely exist.

How to Reduce Your Third-Party Risk

  1. Inventory every OAuth grant. Know which third-party apps can access your CRM, email, and cloud — and what scopes they hold. You can't protect access you can't see.
  2. Enforce least privilege and expiry. Grant integrations the minimum scope they need, and revoke tokens for unused or deprecated apps promptly.
  3. Never put secrets in support tickets. Train staff that API keys, passwords, and credentials must never be pasted into chat, tickets, or third-party tools.
  4. Monitor for anomalous app activity — unusual data volumes or access patterns from an integration are an early warning.
  5. Prepare your people for the follow-on phishing. After any vendor breach in your ecosystem, expect a spike in targeted lures and brief employees accordingly.

That last point is where awareness pays off. empowsec's phishing simulation and security awareness training help your team recognize consent-phishing prompts (the rogue "approve this app's access" requests that start these chains) and the convincing, context-rich spear-phishing that follows a supply-chain breach.

Key Takeaways

  • You can be breached through a vendor you trust. Salesloft Drift exposed 700+ organizations via stolen OAuth tokens from a single integration.
  • OAuth tokens bypass passwords and MFA, are long-lived, and are largely invisible without an active inventory.
  • Stolen CRM and contact data fuels a follow-on wave of targeted spear phishing against your people and partners.
  • Reduce exposure by inventorying and minimizing OAuth grants, keeping secrets out of tickets, and training staff on consent-phishing and post-breach lures.

Third-party risk is no longer a procurement checkbox — it's a live attack surface that connects directly to your human layer.

Share: