
The Salesloft Drift OAuth Supply-Chain Attack: Cross-Industry Lessons in Third-Party Access Visibility

Published 09/25/2025

Written by Harpal Harika.

Abstract

The August 2025 Salesloft Drift breach demonstrates a systemic security blind spot across all industries: third-party delegated access through OAuth integrations. Over 700 organizations — including financial institutions, technology companies, healthcare providers, and government agencies — experienced data exposure, not through their own systems being compromised, but through the theft and misuse of OAuth tokens granted to a trusted third-party application.

From a financial services perspective, the breach triggered immediate concerns over compliance (GLBA, SOX, PCI DSS, GDPR, CCPA). But the lesson is broader: any enterprise that grants broad, persistent permissions to third-party apps is exposed when those vendors are compromised.


What Happened

  • Initial foothold: Attackers gained access to Salesloft’s GitHub environment (March–June 2025), creating unauthorized guest accounts and workflows. This persistence reflected a failure of continuous identity governance in their developer platforms.
  • Token theft: In August, attackers accessed Drift’s AWS environment and stole OAuth refresh tokens issued by customers to enable Drift integrations.
  • Exploitation: From August 8–18, attackers used the tokens to query customer environments. While Salesforce was the primary target, integrations with Google Workspace, Slack, and cloud platforms were also exposed.

 

Why Detection Failed

Traditional monitoring failed because the activity originated from a trusted, pre-approved integration. OAuth tokens made attacker queries indistinguishable from legitimate chatbot activity. Enterprises could see that Drift had access, but not what it was actually doing with that access.

This blind spot (trusted apps inheriting trust without visibility) is what distinguishes the Drift incident from earlier supply chain attacks like Snowflake, SolarWinds, or Kaseya. No human credentials were exposed, no malware was deployed, and no suspicious new processes appeared. Instead, attackers exploited the trust relationship itself.

Looking ahead, Agentic AI systems will significantly amplify these types of risks as adoption accelerates. Since AI agents will autonomously operate across multiple SaaS and cloud integrations, their activity will carry the same implicit trust — and the same lack of visibility — as Drift’s did.

 

Governance Gaps and Lessons Learned

This incident revealed systemic weaknesses in how enterprises govern third-party access. These gaps in permissions management, lifecycle reviews, and monitoring created conditions where a trusted integration could be abused without detection. The following lessons highlight where governance practices must evolve.

 

1. Broad Scopes by Default

Drift’s Salesforce integration was granted expansive access far beyond chatbot needs. When attackers stole tokens, they inherited this excessive privilege.

Lesson: If a third-party app requires broad scopes, push back during Third-Party Risk Review. Enforce the principle of least privilege.

 

2. No Lifecycle Reviews

OAuth grants are often treated as “set it and forget it.” Permissions remain active long after business needs change.

Lesson: Just like user access reviews, app permissions must be reviewed regularly to confirm the integration is still needed and scopes remain aligned.

 

3. Limited Monitoring of Delegated Access

Direct user access is monitored, but delegated app access typically is not. This blind spot allows attackers to operate undetected once tokens are stolen.

Lesson: Zero Trust requires continuous verification. Make sure to:

  • Enforce short-lived tokens with frequent rotation.
  • Continuously monitor token behavior (volume, timing, location).
  • Treat anomalies as trust violations — e.g., a bulk Salesforce export at unusual hours from a chatbot integration.
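The monitoring bullets above describe behavioral baselining of delegated access rather than of human users. The following script is an added illustration, not code from the original post or from Salesloft, Drift or Salesforce: it parses a constructed, simplified access log in which each line records an OAuth client (integration) name, the API action, the number of records returned and the source region, then scores each event against that integration's own prior activity. The log format, the field names, the business-hours window and the volume multiplier are all assumptions; a real deployment would read the SaaS platform's connected-app or API audit log and tune the thresholds per integration.

```python
"""Flag anomalous delegated (OAuth app) activity in SaaS API access logs.

Added example: the log format, field names and thresholds are assumptions,
not any vendor's real schema or data.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample log (not real tenant data). Fields: timestamp, OAuth
# client (integration) name, API action, records returned, source region.
# The last line models the "bulk export at unusual hours" anomaly.
SAMPLE_LOG = """\
2025-08-06T14:02:11Z chatbot-app query_contacts 40 us-east
2025-08-06T15:10:43Z chatbot-app query_contacts 55 us-east
2025-08-07T13:48:09Z chatbot-app query_contacts 38 us-east
2025-08-07T16:22:30Z chatbot-app query_contacts 61 us-east
2025-08-08T03:14:27Z chatbot-app bulk_export_opportunities 250000 eu-west
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC; assumed for this tenant
VOLUME_MULTIPLIER = 10          # flag a call returning >10x the app's typical volume
MIN_HISTORY = 3                 # prior events needed before baseline checks apply


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, app, action, count, region = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "app": app,
            "action": action,
            "count": int(count),
            "region": region,
        })
    return events


def detect_anomalies(events):
    """Walk events in time order and score each against the same app's prior
    activity, so the baseline is per integration rather than per human user."""
    history = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        prior = history[e["app"]]
        reasons = []
        # Checks that need no baseline: timing and action type.
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours activity at {e['ts'].strftime('%H:%M')}Z")
        if e["action"].startswith("bulk_"):
            reasons.append(f"bulk action {e['action']}")
        # Checks against the integration's own history: volume and location.
        if len(prior) >= MIN_HISTORY:
            typical = mean(p["count"] for p in prior)
            if e["count"] > VOLUME_MULTIPLIER * typical:
                reasons.append(f"volume {e['count']} vs typical {typical:.0f}")
            if e["region"] not in {p["region"] for p in prior}:
                reasons.append(f"new source region {e['region']}")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "app": e["app"], "reasons": reasons})
        prior.append(e)
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{finding['ts']} {finding['app']}: " + "; ".join(finding["reasons"]))
```

On the sample log the first four events establish a baseline of a few dozen records per call from one region during business hours; the fifth event trips all four checks (off-hours, bulk action, volume far above baseline, new region), which is the pattern the text calls a trust violation. Each check is deliberately cheap so it can run inline on the audit stream rather than in a nightly batch.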

 

Immediate Action Items for CISOs

Organizations cannot wait for vendors to solve the third-party trust problem. CISOs must take immediate, practical steps to reduce exposure, strengthen monitoring, and embed governance into existing security programs. The following actions provide a starting point for rapid risk reduction.

  • Audit OAuth Integrations: Inventory all current OAuth integrations for critical systems and document the scopes granted.
  • Reduce & Track Permissions: Immediately reduce the scope of permissions for third-party applications where possible. For integrations that cannot be remediated now, maintain a remediation plan to ensure they are tracked and addressed.
  • Enhance Monitoring: Deploy monitoring tuned to detect anomalies in data volume, timing, and excessive use of permissions across third-party applications.
  • Integrate Governance: Embed OAuth scope reviews and lifecycle reviews into your Identity Governance and Access Management (IGA) procedures, treating third-party apps like privileged accounts.
  • Engage Vendors: Proactively inquire with critical vendors whether they use Salesloft Drift, determine if they are impacted by the breach, and request details of their mitigation actions.
  • Extend to AI Agents: Apply these same principles to Agentic AI systems if your organization is adopting them. Treat AI agents as high-trust integrations, with least-privilege scopes, lifecycle reviews, and continuous behavioral monitoring from day one.
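The first four action items (inventory grants and scopes, reduce excess permissions, track what cannot be fixed yet, fold lifecycle review into IGA) and lessons 1 and 2 above describe one audit loop. The script below is an added example, not from the original post or from any vendor: it represents each third-party integration as a record of granted scopes, the scopes the business use case actually requires, the owner, the last-used date and the refresh-token lifetime, and produces a ranked findings list that doubles as the remediation tracker. The scope names, the 90-day staleness window, the 30-day token-lifetime ceiling and the severity weights are assumptions; in practice the inventory would be pulled from each platform's connected-app and token-usage admin APIs.

```python
"""Audit an inventory of third-party OAuth integrations for excess scopes,
long-lived tokens, stale grants and missing ownership.

Added example; scope names, thresholds and severity weights are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Integration:
    name: str
    platform: str
    owner: Optional[str]
    granted_scopes: Set[str]
    required_scopes: Set[str]        # what the business use case actually needs
    last_used: Optional[date]
    refresh_token_lifetime_days: int


STALE_AFTER = timedelta(days=90)     # assumed lifecycle-review threshold
MAX_TOKEN_LIFETIME_DAYS = 30         # assumed ceiling for refresh-token lifetime
SEVERITY = {"excess_scopes": 3, "long_lived_token": 2, "stale_grant": 2, "no_owner": 1}


def audit_integration(app: Integration, today: date) -> List[Tuple[str, object]]:
    """Return (issue_kind, detail) pairs for one integration; empty if clean."""
    issues = []
    excess = app.granted_scopes - app.required_scopes
    if excess:
        issues.append(("excess_scopes", sorted(excess)))
    if app.refresh_token_lifetime_days > MAX_TOKEN_LIFETIME_DAYS:
        issues.append(("long_lived_token", app.refresh_token_lifetime_days))
    if app.last_used is None or today - app.last_used > STALE_AFTER:
        issues.append(("stale_grant", app.last_used.isoformat() if app.last_used else "never"))
    if app.owner is None:
        issues.append(("no_owner", None))
    return issues


def audit(inventory: List[Integration], today: date):
    """Findings for every integration with at least one issue, riskiest first,
    so the list can be worked top-down as a remediation plan."""
    findings = []
    for app in inventory:
        issues = audit_integration(app, today)
        if issues:
            score = sum(SEVERITY[kind] for kind, _ in issues)
            findings.append({"integration": app.name, "platform": app.platform,
                             "score": score, "issues": issues})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample inventory (hypothetical integrations, not real vendors).
SAMPLE_TODAY = date(2025, 9, 1)
SAMPLE_INVENTORY = [
    Integration("chatbot-widget", "crm", "marketing",
                granted_scopes={"api", "full", "web", "refresh_token"},
                required_scopes={"api", "refresh_token"},
                last_used=date(2025, 8, 30), refresh_token_lifetime_days=365),
    Integration("calendar-sync", "workspace", None,
                granted_scopes={"calendar.readonly"},
                required_scopes={"calendar.readonly"},
                last_used=date(2025, 2, 1), refresh_token_lifetime_days=14),
    Integration("ticket-bridge", "chat", "it-ops",
                granted_scopes={"channels:read"},
                required_scopes={"channels:read"},
                last_used=date(2025, 8, 31), refresh_token_lifetime_days=7),
]


def run_sample():
    return audit(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['integration']} ({f['platform']}) score={f['score']}")
        for kind, detail in f["issues"]:
            print(f"  - {kind}: {detail}")
```

In the sample, the chatbot integration ranks first because it holds scopes beyond its stated need and a year-long refresh token, which is the combination the Drift incident turned into broad data access; the calendar integration is flagged for staleness and missing ownership, the questions a lifecycle review exists to ask. The `required_scopes` field is the one most teams lack: recording it at Third-Party Risk Review time is what makes the excess-scope check possible later.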

 

Conclusion

The Salesloft Drift incident marks a shift in supply chain attacks by abusing trusted integrations via OAuth tokens. Victims could not detect the breach because all activity flowed through a pre-approved app.

This changes the supply chain security conversation. Enterprises must extend Zero Trust, identity governance, and monitoring disciplines to third-party integrations. Vendors must be held accountable for exposing OAuth activity and limiting scope requests. CISOs must prepare now for the coming wave of Agentic AI systems, where autonomous agents will magnify the same trust and visibility challenges.

The takeaway: Third-party trust can no longer be assumed. It must be earned, continuously verified, and governed as rigorously as internal privileged accounts.


Disclaimer

This analysis is based on publicly available information as of September 2025. Details of the Salesloft–Drift incident and related supply-chain attacks may change as investigations continue. The observations and recommendations are provided for general awareness and discussion only; organizations should perform their own due diligence and apply guidance in light of their specific risks, regulatory obligations, and vendor relationships.

The author affirms that the research, analysis, and conclusions are original. AI tools were used only for language refinement, formatting, graphics, and supplementary research support; the intellectual content is solely the work of the author.


About the Author

Harpal Harika, Chief Information Security Officer at REPAY, is a cybersecurity thought leader guiding enterprise security, risk, and compliance programs. He specializes in cloud security, AI, and identity governance, and advises startups and boards on resilience and secure innovation.
