Connected App, Connected Risk: The Salesforce–Drift Incident

A single weak app integration opened the door for attackers to raid data from some of the world’s largest companies. Salesforce environments were hit hardest—with victims like Cloudflare, Palo Alto Networks, and Zscaler—but the blast radius also reached other SaaS platforms, including Google Workspace. In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down the Salesforce–Drift breach: how OAuth tokens became skeleton keys, why media headlines about billions of Gmail users were wrong, and what organizations need to do to protect themselves from similar...

A single weak app integration opened the door for attackers to raid data from some of the world’s largest companies. Salesforce environments were hit hardest—with victims like Cloudflare, Palo Alto Networks, and Zscaler—but the blast radius also reached other SaaS platforms, including Google Workspace. In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down the Salesforce–Drift breach: how OAuth tokens became skeleton keys, why media headlines about billions of Gmail users were wrong, and what organizations need to do to protect themselves from similar supply chain attacks. 

Key Takeaways 

• Ensure Vendors Conduct Rigorous Technical Security Testing – Require penetration tests and attestations from third- and fourth-party SaaS providers. 

• Limit App Permissions to “Least Privilege” – Scope connected apps only to the fields and objects they truly need. 

• Implement Regular Key Rotation – Automate key rotation with vendor tools (e.g., AWS recommends every 60–90 days) to reduce the risk of leaked or stolen keys. 

• Monitor for Data Exfiltration – Watch for unusual queries, spikes in API usage, or large Bulk API jobs. 

• Limit Data Exfiltration Destinations – Restrict where exports and API jobs can go (approved IPs or managed locations). 

• Integrate SaaS Risks into Your Incident Response Plan – Include guidance on rapidly revoking or rotating OAuth tokens and keys after a compromise. 

 

References 

1. Google Threat Intelligence Group advisory on UNC6395 / Drift OAuth compromise 
2. Cloudflare disclosure on the Drift incident 
3. Zscaler security advisory on Drift-related Salesforce breach 
4. LMG Security Blog – Third-Party Risk Management Lessons 

#Salesforcehack #SalesforceDrift #cybersecurity #cyberattack #cyberaware