In recent weeks, major companies like Palo Alto Networks, Zscaler, Cloudflare, and SpyCloud have all confirmed they were affected by a string of cyberattacks that began with Salesforce. Or at least, that is how the headlines read.
This is not a case of Salesforce being hacked. Nor is it a flaw in any single product. What is unfolding is a sophisticated exploitation of how companies use third-party apps, especially those embedded in their cloud services. In this case, the breach began with an integration called Drift, a chatbot platform built by Salesloft and widely connected to Salesforce CRM systems.
The attackers never broke into Salesforce directly. Instead, they compromised the bridge that companies had built between Salesforce and Drift. That distinction matters because it highlights the growing risks of authorized access.
On August 20, Salesloft disclosed that attackers had gained access to OAuth tokens used by Drift to connect into client Salesforce environments. Those tokens gave the attackers legitimate entry into the Salesforce data of any company where Drift had been authorized. This allowed them to query contact records, support case metadata, internal documentation, and more.
The threat group, identified by Google’s Threat Intelligence team as UNC6395, went even further. Once inside, they searched for cloud credentials such as AWS keys, Snowflake access tokens, and other integrations that might let them pivot into more sensitive environments.
The attackers operated quietly for at least 10 days before Drift access was revoked. During that time, OAuth tokens gave them privileged, persistent access with very few red flags.
Salesforce itself was not compromised. No vulnerabilities in the Salesforce platform were exploited. Instead, attackers used the normal OAuth process that companies rely on to allow third-party apps to communicate with their cloud systems.
What changed was who controlled the token.
Once Drift was authorized and the token issued, it acted as a key. That key was supposed to stay with Drift. When attackers stole it, they did not need to break into Salesforce. They simply used the access that had already been granted.
Supply chain exposures in SaaS ecosystems are quickly becoming one of the most effective ways to target even the most secure organizations.
The core issue is that third-party apps like Drift are often integrated without centralized oversight. In large enterprises, teams across marketing, sales, support, and engineering may each authorize tools independently. These tools are often granted access to platforms such as Salesforce, Microsoft 365, or Google Workspace.
Once access is granted, it is rarely reviewed. Drift may have been installed months or even years before the breach occurred. And most organizations lack visibility into how the token is used across teams, vendors, and business units.
The irony of seeing companies like Palo Alto Networks, Zscaler, and Cloudflare on the victim list is not lost on anyone. These are firms with top-tier cybersecurity teams.
But even the best detection cannot stop what is not visible. OAuth abuse does not rely on malware or known exploits. It does not trigger antivirus or firewall alerts. It mimics legitimate activity because, technically, that is exactly what it is. It bypasses traditional defenses by using access that your own teams granted.
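Because a stolen OAuth token authenticates successfully, the detection signal is not a failed login but a connected app behaving unlike it ever has: a new source network, a new client, or far more rows pulled than usual. The following baseline-and-deviation check is an added example, not code from the post or from Salesforce or Salesloft. The event records are constructed, the dates are illustrative rather than the incident timeline, and the field names (app, user, ip, ua, object, rows) are an assumption standing in for an API-event log export, not Salesforce's exact schema.

```python
"""Baseline-and-deviation check for connected-app (OAuth token) activity."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample data; field names are an assumption, not a vendor schema.
CUTOFF = datetime(2025, 8, 8)  # events before this train the baseline
EVENTS = [
    # A week of ordinary traffic from the chatbot integration's token.
    {"ts": datetime(2025, 8, 1, 9, 5), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "203.0.113.10", "ua": "ChatbotConnector/1.4", "object": "Lead", "rows": 25},
    {"ts": datetime(2025, 8, 2, 9, 7), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "203.0.113.11", "ua": "ChatbotConnector/1.4", "object": "Contact", "rows": 40},
    {"ts": datetime(2025, 8, 4, 9, 1), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "203.0.113.10", "ua": "ChatbotConnector/1.4", "object": "Lead", "rows": 12},
    {"ts": datetime(2025, 8, 5, 9, 9), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "203.0.113.12", "ua": "ChatbotConnector/1.4", "object": "Contact", "rows": 60},
    {"ts": datetime(2025, 8, 7, 9, 3), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "203.0.113.11", "ua": "ChatbotConnector/1.4", "object": "Lead", "rows": 30},
    # Post-cutoff: one normal event, then two that look like a token in the wrong hands.
    {"ts": datetime(2025, 8, 9, 9, 4), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "203.0.113.10", "ua": "ChatbotConnector/1.4", "object": "Contact", "rows": 35},
    {"ts": datetime(2025, 8, 12, 2, 41), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "198.51.100.7", "ua": "ChatbotConnector/1.4", "object": "Lead", "rows": 20},
    {"ts": datetime(2025, 8, 13, 3, 12), "app": "chatbot-connector", "user": "integration@corp.example",
     "ip": "192.0.2.44", "ua": "python-requests/2.31.0", "object": "Case", "rows": 4200},
]


def _net24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so ordinary address churn is not an alert."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(events, cutoff):
    """Learn, per connected app, the networks, clients and row volumes seen before cutoff."""
    base = defaultdict(lambda: {"nets": set(), "agents": set(), "max_rows": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base[e["app"]]
        b["nets"].add(_net24(e["ip"]))
        b["agents"].add(e["ua"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return dict(base)


def detect(events, baseline, cutoff, volume_factor=10):
    """Flag post-cutoff activity that departs from an app's learned behaviour."""
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        b = baseline.get(e["app"])
        reasons = []
        if b is None:
            reasons.append("app never seen in baseline window")
        else:
            net = _net24(e["ip"])
            if net not in b["nets"]:
                reasons.append(f"new source network {net}")
            if e["ua"] not in b["agents"]:
                reasons.append(f"new client '{e['ua']}'")
            if e["rows"] > volume_factor * max(b["max_rows"], 1):
                reasons.append(f"{e['rows']} rows vs baseline max {b['max_rows']}")
        if reasons:
            findings.append({"ts": e["ts"], "app": e["app"], "object": e["object"], "reasons": reasons})
    return findings


def run_detection():
    """Train on the pre-cutoff sample and evaluate the rest."""
    return detect(EVENTS, build_baseline(EVENTS, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for f in run_detection():
        print(f["ts"].isoformat(), f["app"], f["object"], "; ".join(f["reasons"]))
```

The normal post-cutoff event produces nothing, the second fires only on the unfamiliar network, and the third fires on all three signals at once. In practice the baseline would come from weeks of real event-log exports per connected app, and the alert would be routed to whoever owns that integration, which is exactly the ownership record most organizations turn out not to have.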
Salesforce responded by revoking Drift’s access and removing it from AppExchange. Salesloft brought in Mandiant to investigate. Drift remains offline across many customer environments.
Meanwhile, affected organizations are reviewing integrations, rotating credentials, and trying to assess how far the attackers got, but the incident has already revealed a deeper gap across the industry. Most organizations do not have a coordinated plan for what to do when a trusted integration becomes a threat.
There is no fast way to identify who approved the integration, what access it had, or how broadly it was used. That delay increases the risk of lasting damage.
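The gap described here and in the earlier passage on integrations granted without central oversight comes down to three questions: who approved the integration, what access it holds, and how widely it is used. A minimal register that answers them ahead of time is shown below as an added example, not code from the post or from any vendor it names. The grant records, app names and scope names are constructed, and the field layout and risk weighting are assumptions about what such a register should hold.

```python
"""Register of third-party OAuth grants with review and blast-radius queries."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    app: str                    # integration that holds the token
    platform: str               # SaaS platform the token reaches into
    scopes: tuple               # OAuth scopes granted at authorization time
    approved_by: str            # team or person who approved the connection
    approved_on: date
    last_reviewed: Optional[date]
    used_by: tuple              # business units that depend on it


# Constructed sample register (names and dates are illustrative).
GRANTS = [
    Grant("chatbot-connector", "salesforce", ("api", "refresh_token", "full"),
          "marketing-ops", date(2023, 3, 2), None, ("marketing", "sales", "support")),
    Grant("chatbot-connector", "google-workspace", ("calendar",),
          "marketing-ops", date(2023, 3, 2), None, ("marketing",)),
    Grant("ci-runner", "github", ("repo", "workflow"),
          "platform-eng", date(2024, 11, 10), date(2025, 6, 1), ("engineering",)),
    Grant("survey-tool", "salesforce", ("api",),
          "cx-team", date(2024, 1, 15), date(2024, 2, 1), ("support",)),
]

# Assumption: scopes that grant broad or long-lived access deserve extra weight.
BROAD_SCOPES = {"full", "refresh_token"}
REVIEW_INTERVAL = timedelta(days=180)


def is_overdue(g: Grant, today: date) -> bool:
    """A grant is overdue when its last review (or approval, if never reviewed) is too old."""
    anchor = g.last_reviewed or g.approved_on
    return today - anchor > REVIEW_INTERVAL


def overdue_reviews(grants, today):
    """(app, platform) pairs that nobody has looked at within the review interval."""
    return [(g.app, g.platform) for g in grants if is_overdue(g, today)]


def risk_score(g: Grant, today: date) -> int:
    """Broad scopes, wide internal reliance and stale review each push the score up."""
    score = 2 * len(BROAD_SCOPES & set(g.scopes))
    score += len(g.used_by)
    if is_overdue(g, today):
        score += 3
    return score


def risk_report(grants, today):
    """Grants ranked by score, with the approver so the right owner can be asked first."""
    ranked = sorted(grants, key=lambda g: risk_score(g, today), reverse=True)
    return [{"app": g.app, "platform": g.platform, "score": risk_score(g, today),
             "approved_by": g.approved_by} for g in ranked]


def revocation_impact(grants, app: str):
    """What revoking every token held by this app would touch: platforms, teams, scopes."""
    rows = [g for g in grants if g.app == app]
    return {
        "platforms": {g.platform for g in rows},
        "units": {u for g in rows for u in g.used_by},
        "approvers": {g.approved_by for g in rows},
        "scopes": {s for g in rows for s in g.scopes},
    }


if __name__ == "__main__":
    today = date(2025, 9, 1)
    for row in risk_report(GRANTS, today):
        print(row)
    print("overdue:", overdue_reviews(GRANTS, today))
    print("impact of revoking chatbot-connector:", revocation_impact(GRANTS, "chatbot-connector"))
```

With this in place, the response to a compromised integration starts from `revocation_impact` (which teams to warn, which platforms to revoke on, which scopes were exposed) instead of from a scramble to discover who connected what. The scoring is deliberately simple; the value is in keeping the register populated every time a team authorizes a new app.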
The post Behind the Salesforce OAuth Drift Breach appeared first on Centraleyes.
*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/behind-the-salesforce-oauth-drift-breach/