In August 2025, a sophisticated supply chain attack compromised Salesloft's Drift AI chatbot integration, enabling threat actors tracked as UNC6395 (GRUB1) to steal OAuth credentials and exfiltrate data from hundreds of Salesforce instances worldwide. The breach originated from a months-long compromise of Salesloft's GitHub environment between March and June 2025, which allowed attackers to pivot into AWS infrastructure and extract valid OAuth tokens used by the Drift-Salesforce integration. Between August 8-18, 2025, attackers systematically accessed customer contact information, support case data, and sensitive credentials from major enterprises including Cloudflare, Palo Alto Networks, and Zscaler. This article deconstructs the attack path, analyzes the defensive failures, and provides actionable controls to secure your SaaS supply chain.

Incident Timeline at a Glance

  • March–June 2025: Threat actor UNC6395 (GRUB1) compromises Salesloft's GitHub account, downloads repository content, and establishes malicious workflows to access AWS infrastructure.
  • August 8, 2025: Data exfiltration campaign begins using stolen OAuth tokens from the Drift-Salesforce integration.
  • August 9: At Cloudflare, attackers conduct reconnaissance using Trufflehog secrets scanner from IP 44.215.108.109.
  • August 12–17: Attackers systematically access Salesforce instances at Cloudflare, Palo Alto Networks, Zscaler, and hundreds of other organizations, exfiltrating customer contact data and support cases.
  • August 17: Attackers switch to IP 208.68.36.90 and execute a Salesforce Bulk API 2.0 job, extracting Cloudflare's case data in approximately three minutes.
  • August 18: Active data theft period ends as victims detect anomalous API activity.
  • August 20: Salesloft publicly discloses a security issue in the Drift application.
  • August 23: Salesforce and Salesloft notify affected customers including Cloudflare.
  • August 26: Google Threat Intelligence Group publicly warns of OAuth token theft and Salesforce data exfiltration.
  • August 27: Salesloft engages Mandiant for comprehensive forensic investigation.
  • August 28: Salesforce blocks all Drift integrations globally; Google updates threat advisory.
  • September 1: Investigation confirms the incident is contained; Drift remains disabled while Salesloft platform integrations are restored.
  • September 2: Cloudflare formally notifies affected customers; threat actors launch extortion campaign demanding payment to prevent data release.

Attack Path Analysis

The breach followed a sophisticated supply chain attack pattern: GitHub → AWS → OAuth Tokens → Salesforce Data. Here's how each stage unfolded:

Stage 1: GitHub Compromise (March–June 2025)

Attackers gained persistent access to Salesloft's GitHub account through an initial access method that has not been disclosed. Once inside, they downloaded content from multiple repositories and established malicious workflows. Critically, these repositories contained AWS access keys used in Salesloft's deployment processes—representing what SpecterOps calls "identities in transit" that bypass standard authentication controls.

Stage 2: AWS Pivot

Using stolen AWS credentials from GitHub, attackers assumed AWS IAM roles with permissions to access Salesloft's infrastructure. This allowed them to locate and exfiltrate OAuth tokens that Drift used to integrate with customer Salesforce instances. These tokens were already-authenticated sessions that granted the same trusted access Drift itself enjoyed.

Stage 3: Salesforce Reconnaissance & Data Theft

Armed with legitimate OAuth tokens, attackers systematically targeted Salesforce instances. Cloudflare's detailed logs reveal the attack methodology:

  • August 9: Credential validation using Trufflehog secrets scanner to test stolen tokens
  • August 13: Object enumeration via /sobjects/Case/describe/ endpoint to map Salesforce schema
  • August 14: Sizing analysis (counting Accounts, Contacts, Users) and workflow analysis through CaseTeamMemberHistory queries
  • August 16: Dry-run query: SELECT COUNT() FROM Case
  • August 17: Infrastructure switch to IP 208.68.36.90 and execution of Salesforce Bulk API 2.0 job, extracting complete case dataset in ~3 minutes

Stage 4: Credential Harvesting & Lateral Movement

Beyond Salesforce data, attackers searched exfiltrated records for embedded credentials including AWS keys, VPN credentials, Snowflake credentials, and API tokens. At Cloudflare alone, 104 exposed API tokens were discovered pasted in support case text fields. Attackers also stole tokens for Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI from other victims.

The Clean Source Principle Violation: This attack succeeded because security dependencies (GitHub repositories) were not as trustworthy as the objects they secured (AWS infrastructure, OAuth tokens). When the dependency was compromised, every downstream system inherited that compromise—a cascading failure through the entire trust chain.

Business Impact

While Salesforce's core platform remained uncompromised, hundreds of customer organizations experienced significant security and operational consequences:

  • Data Exposure at Scale: Customer contact information, support case histories, and technical details from hundreds of Salesforce instances were exfiltrated. Prominent victims include Cloudflare, Palo Alto Networks, Zscaler, Adidas, Allianz Life, and Qantas. Many cases contained sensitive information customers pasted into support tickets including API keys, configuration details, and system logs.
  • Credential Compromise: Attackers harvested embedded credentials from exfiltrated data, discovering AWS keys, VPN credentials, Snowflake passwords, and service account tokens. Cloudflare identified and rotated 104 exposed API tokens from their case data alone. Stolen authentication tokens extended to Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI across the victim base.
  • Operational Disruption: On August 28, Salesforce globally disabled all Drift integrations, forcing hundreds of organizations to immediately halt chatbot operations. Drift remained offline through September while Salesloft's main platform integrations were gradually restored after forensic validation.
  • Extortion Campaign: Following the breach, threat actors launched a data leak site demanding payment from victims to prevent public release of stolen information. Major organizations including Salesforce publicly stated they would "not engage, negotiate with, or pay any extortion demand."
  • Incident Response Costs: Affected enterprises engaged forensic investigators, conducted emergency credential rotation programs, reviewed years of historical case data for embedded secrets, and faced regulatory notification requirements across multiple jurisdictions. Many organizations implemented weekly credential rotation schedules for all third-party SaaS integrations as an ongoing operational burden.

Six Critical Lessons from the Salesloft-Drift Breach

1. Audit and Rotate OAuth Tokens for All Third-Party Integrations

This attack succeeded because legitimate OAuth tokens were stolen and replayed. Inventory all connected apps in your Salesforce org, revoke tokens for unused or dormant integrations, and implement automated rotation schedules. Cloudflare now rotates credentials for third-party services weekly. Monitor OAuth token usage patterns and alert on API calls from unfamiliar IP addresses or geolocations.

2. Apply Least-Privilege to SaaS Integration Scopes

The Drift integration had broad access to Salesforce objects. Grant integrations only the minimum required scopes—if a chatbot needs to create cases, don't grant it access to Opportunities, Accounts, or custom objects. Regularly review and tighten permissions as vendors add capabilities. Enable Salesforce Shield's Event Monitoring to track API-level data access by connected apps.

3. Never Paste Secrets into Support Cases or Chat Tools

Cloudflare discovered 104 API tokens embedded in support case text fields after exfiltration. Train users to use secure methods for sharing credentials with vendors: temporary credential vaults, time-limited access grants, or sanitized log excerpts. Implement DLP policies that scan outbound communications for API keys, passwords, and cloud credentials before transmission.

4. Demand Vendor Supply Chain Transparency

This breach originated from compromised GitHub repositories containing AWS credentials. During vendor risk assessments, require evidence of: secure credential management (secrets vaulting, not hardcoded in repos), segregated build environments with code signing, multi-factor authentication for all DevOps accounts, and regular third-party security audits of their CI/CD pipeline. Vendors should provide supply chain attestations (SLSA framework compliance).

5. Implement Real-Time Salesforce API Monitoring

Attackers executed reconnaissance queries and bulk API extractions over multiple days before detection. Deploy SIEM integrations that ingest Salesforce Event Monitoring logs in near-real-time. Create alerts for: unusual bulk API usage, schema enumeration queries (/sobjects/*/describe/ endpoints), count queries across multiple objects, and API calls from IP addresses not associated with known integration infrastructure.
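The detection rules above can be expressed as a small rule set run over Salesforce API event records. The following is an added example written for this article, not tooling from Cloudflare, Salesforce or Salesloft. It assumes a simplified record shape (timestamp, event type, client IP, request URI, query text, target object) as a stand-in for the much wider Salesforce EventLogFile CSV rows, a constructed allowlist of integration egress IPs, and constructed sample events that replay the reconnaissance sequence described in the attack path (describe call, a run of COUNT() queries across objects, then a Bulk API 2.0 job). The two attacker IPs are the indicators listed in this article.

```python
"""Detection rules for Salesforce API reconnaissance and bulk export.

Added example for this article; the record shape is a simplified stand-in
(assumption) for Salesforce EventLogFile rows, and the sample events and
integration allowlist are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Attacker IPs named in the incident write-up (IoCs from the article).
KNOWN_BAD_IPS = {"44.215.108.109", "208.68.36.90"}

# Constructed allowlist: egress IPs of integrations expected to call the API.
KNOWN_INTEGRATION_IPS = {"198.51.100.7"}

# /services/data/vNN.N/sobjects/<Object>/describe/  -> schema enumeration
DESCRIBE_RE = re.compile(r"/sobjects/(\w+)/describe/?$")
# SELECT COUNT() FROM <Object>                       -> sizing / dry-run query
COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.IGNORECASE)

# Constructed sample events (simplified EventLogFile-like records).
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T08:00:00Z", "event": "RestApi", "ip": "198.51.100.7",
     "uri": "/services/data/v60.0/sobjects/Case", "query": "", "object": "Case"},
    {"ts": "2025-08-13T09:01:00Z", "event": "RestApi", "ip": "44.215.108.109",
     "uri": "/services/data/v60.0/sobjects/Case/describe/", "query": "", "object": "Case"},
    {"ts": "2025-08-14T10:00:00Z", "event": "RestApi", "ip": "44.215.108.109",
     "uri": "/services/data/v60.0/query", "query": "SELECT COUNT() FROM Account", "object": "Account"},
    {"ts": "2025-08-14T10:00:05Z", "event": "RestApi", "ip": "44.215.108.109",
     "uri": "/services/data/v60.0/query", "query": "SELECT COUNT() FROM Contact", "object": "Contact"},
    {"ts": "2025-08-14T10:00:09Z", "event": "RestApi", "ip": "44.215.108.109",
     "uri": "/services/data/v60.0/query", "query": "SELECT COUNT() FROM User", "object": "User"},
    {"ts": "2025-08-16T11:00:00Z", "event": "RestApi", "ip": "44.215.108.109",
     "uri": "/services/data/v60.0/query", "query": "SELECT COUNT() FROM Case", "object": "Case"},
    {"ts": "2025-08-17T12:00:00Z", "event": "BulkApi2", "ip": "208.68.36.90",
     "uri": "/services/data/v60.0/jobs/query", "query": "SELECT Id, Subject, Description FROM Case", "object": "Case"},
    {"ts": "2025-08-17T23:00:00Z", "event": "BulkApi2", "ip": "198.51.100.7",
     "uri": "/services/data/v60.0/jobs/query", "query": "SELECT Id, Email FROM Contact", "object": "Contact"},
    {"ts": "2025-08-18T07:30:00Z", "event": "RestApi", "ip": "203.0.113.55",
     "uri": "/services/data/v60.0/sobjects/Contact/describe/", "query": "", "object": "Contact"},
]


def detect(events, known_integration_ips=KNOWN_INTEGRATION_IPS,
           known_bad_ips=KNOWN_BAD_IPS, sizing_threshold=3):
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    counted = defaultdict(set)  # client IP -> objects it has sized with COUNT()

    def alert(e, rule, detail):
        alerts.append({"ts": e["ts"], "rule": rule, "ip": e["ip"], "detail": detail})

    for e in events:
        ip = e["ip"]
        trusted = ip in known_integration_ips

        # Rule 1: source IP is a published IoC, or is not a known integration host.
        if ip in known_bad_ips:
            alert(e, "ioc_ip", e["uri"])
        elif not trusted:
            alert(e, "unknown_ip", e["uri"])

        # Rule 2: schema enumeration via the describe endpoint.
        m = DESCRIBE_RE.search(e["uri"])
        if m:
            alert(e, "schema_enumeration", m.group(1))

        # Rule 3: COUNT() queries across several objects from one client.
        m = COUNT_RE.match(e["query"])
        if m:
            counted[ip].add(m.group(1).lower())
            if len(counted[ip]) == sizing_threshold:
                alert(e, "sizing_across_objects", sorted(counted[ip]))

        # Rule 4: Bulk API 2.0 job from anything other than known integration hosts.
        if e["event"] == "BulkApi2" and not trusted:
            alert(e, "bulk_export", e["object"])

    return alerts


def summarize(alerts):
    """Count alerts by rule, e.g. for a SIEM dashboard tile."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["rule"], a["ip"], a["detail"])
    print(summarize(detect(SAMPLE_EVENTS)))
```

The allowlist is doing most of the work here: a replayed OAuth token carries the integration's own identity, so the connected-app name and user in the logs look legitimate and the client IP is the main field that separates the attacker from Drift. The sizing rule fires once per client when it reaches the threshold rather than on every COUNT() query, which keeps the noise down for integrations that legitimately count one object.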

6. Prepare a SaaS Supply Chain Incident Response Plan

This incident required coordinated response across Salesforce, Salesloft, hundreds of customers, and forensic partners. Develop playbooks specifically for supply chain compromise scenarios including: immediate connected app revocation procedures, vendor communication escalation paths (security contacts, legal, executive), forensic data preservation steps (Event Monitoring log exports, field history tracking), and breach notification requirements. Test these playbooks quarterly with cross-functional teams.

Immediate Response Checklist

  • Verify whether your organization used the Salesloft Drift integration during March–September 2025. If yes, assume compromise and proceed with full incident response.
  • Export Salesforce Event Monitoring logs for August 8–18, 2025. Search for API activity from these known attacker IPs: 44.215.108.109, 208.68.36.90. Look for bulk API queries, /sobjects/*/describe/ calls, and unusual case object access.
  • Revoke all OAuth tokens for Drift and any other Salesloft integrations. Regenerate credentials for downstream systems that received data from Salesforce via Salesloft workflows.
  • Conduct a full audit of Salesforce case history, support tickets, and custom objects for embedded credentials (search for keywords: "api_key", "password", "secret", "token", "-----BEGIN"). Rotate all discovered credentials immediately.
  • Review all connected apps in Setup → App Manager. For each integration with "Modify All Data" or similar broad scopes, audit recent API usage and reduce permissions to least-privilege.
  • Contact Salesloft and Salesforce support to request confirmation of your organization's exposure status and any IOCs specific to your tenant.
  • Update vendor risk questionnaires to require attestation of secure credential storage practices and CI/CD pipeline security controls.

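Lesson 3 and the case-history audit item in the checklist both come down to the same scanner: one that finds embedded credentials in free text and reports them without copying the secret into yet another ticket or log. The following is an added example written for this article, not Cloudflare's or any vendor's DLP tooling. It uses the keyword list from the checklist plus an AWS access key ID pattern, masks each hit to a short prefix, and runs over constructed sample support cases; the AWS key is the placeholder value from AWS documentation and the other values are constructed.

```python
"""Scan support-case text for embedded credentials and report masked findings.

Added example for this article.  SAMPLE_CASES are constructed; the AWS key is
the documented AWS placeholder value, not a real credential.
"""
import re

# Patterns: AWS access key IDs, PEM private-key headers, and key/value pairs whose
# name contains one of the checklist keywords (api_key, password, secret, token).
AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
KEYWORD_RE = re.compile(
    r"(?i)\b(\w*(?:api[_-]?key|password|passwd|secret|token)\w*)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)

# Constructed sample cases: one with an AWS key pair, one benign mention of a
# password reset, one pasted private key, one pasted API token.
SAMPLE_CASES = [
    {"id": "C-1001", "text": "Our sync fails. Config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE "
                             "and secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "C-1002", "text": "User can't log in after password reset; no other details."},
    {"id": "C-1003", "text": "Attaching our VPN config:\n-----BEGIN RSA PRIVATE KEY-----\n"
                             "MIIEowIBAAKCAQEAconstructed\n-----END RSA PRIVATE KEY-----"},
    {"id": "C-1004", "text": "Here is the token: tok_constructed_0123456789 for your testing"},
]


def mask(value):
    """Keep a 4-character prefix so a finding can be matched to a credential
    inventory without reproducing the secret in the report."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text):
    """Return a list of findings; each finding names the pattern, the key name
    (for key/value hits) and a masked preview."""
    findings = []
    for m in AWS_KEY_RE.finditer(text):
        findings.append({"type": "aws_access_key_id", "key": None, "preview": mask(m.group(1))})
    for m in PEM_RE.finditer(text):
        # The header alone identifies the finding; the key material is never echoed.
        findings.append({"type": "private_key_block", "key": None, "preview": m.group(0)})
    for m in KEYWORD_RE.finditer(text):
        findings.append({"type": "keyword_assignment", "key": m.group(1).lower(),
                         "preview": mask(m.group(2))})
    return findings


def scan_cases(cases):
    """Map case id -> findings, keeping only cases that contain something to rotate."""
    results = {}
    for case in cases:
        findings = scan_text(case["text"])
        if findings:
            results[case["id"]] = findings
    return results


def should_block(text):
    """DLP-style gate: True if an outbound message should be held for review."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for case_id, findings in scan_cases(SAMPLE_CASES).items():
        for f in findings:
            print(case_id, f["type"], f["key"], f["preview"])
```

Two design points are worth calling out. The keyword rule requires a separator (`:` or `=`) and a value of at least eight non-space characters, so ordinary prose such as "after password reset" does not fire, while `secret_access_key = ...` does because the keyword may sit inside a longer field name. Output is masked at the source: a findings report that contains the full secret would simply be a second copy of the problem this scanner is meant to find.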
How 360 Security Group Helps Post-Incident

360 Security Group partners with organizations recovering from the Salesloft-Drift breach and hardening their SaaS supply chain posture:

  • Supply Chain Threat Intelligence tracking UNC6395/GRUB1 infrastructure, IOCs from the Drift breach (including known attacker IPs and OAuth token patterns), and emerging threats to Salesforce AppExchange integrations.
  • Targeted Threat Hunting across Salesforce Event Monitoring logs, searching for reconnaissance patterns (schema enumeration, bulk API usage), credential harvesting indicators, and persistence through secondary OAuth tokens.
  • Security Automation Services that orchestrate OAuth token rotation workflows, connected app permission reviews, and vendor security attestation collection with automated compliance tracking.
  • SaaS Breach Simulations emulating supply chain compromise scenarios—including GitHub credential theft, OAuth token replay attacks, and Salesforce bulk data exfiltration—to validate detection capabilities and response procedures.
  • Vendor Security Assessments evaluating third-party ISV code security, CI/CD pipeline controls, credential management practices, and supply chain risk across your SaaS ecosystem.

The Salesloft-Drift supply chain attack demonstrates that SaaS security boundaries extend far beyond platform perimeters into vendor DevOps practices, integration trust chains, and embedded credential hygiene. Organizations that treat GitHub repositories, OAuth tokens, and support case data as critical attack surfaces will detect threats faster, contain breaches earlier, and emerge more resilient from the next supply chain compromise.