Inside the Salesloft Breach: The New Wave of OAuth-Driven Salesforce Attacks

Aug 28, 2025


The Salesloft breach reveals a new wave of Salesforce attacks, where OAuth token theft and risky app integrations enable silent, large-scale data exfiltration.


The spotlight has finally swung toward the integration layer, and what’s emerging should worry every SaaS security leader.

Another Salesforce breach. But this one isn’t just another credential theft story; it’s more calculated. Attackers didn’t just gain access; they systematically exported sensitive data from hundreds of Salesforce instances. And because the initial compromise involved OAuth tokens, not credentials, attackers bypassed logins, slipped past MFA, and operated undetected until the data was long gone.

“A threat actor used OAuth credentials to exfiltrate data from our customers' Salesforce instances.” - Salesloft statement

This wasn’t an isolated incident. It’s the latest chapter in a larger campaign targeting Salesforce customers through OAuth token abuse. These tokens, essentially the skeleton keys of SaaS identity, were used to slip past login screens, bypass MFA, and harvest data directly from Salesforce environments. No alerts. No credential stuffing. Just quiet, large-scale exfiltration.

A Different Class of Data Breach

Compare this to the Workday breach we recently covered. That attack leaned on social engineering. Phone calls, impersonation, phishing for contact data. The kind of breach we’ve seen before.

But the Salesloft incident? It signals a shift. This wasn’t about tricking users, but exploiting the connection and permissions between applications. Specifically, attackers exploited the OAuth token between Salesloft and Salesforce, which was granted through a Drift chatbot integration. That token, once issued, became a master key used to quietly unlock Salesforce data across multiple tenants. No phishing required. Just a compromised integration and an exposed token.

OAuth flows exist for convenience, but they’re rarely scrutinized until they’re abused. Salesloft wasn’t the end target. Salesforce was. The Salesloft-Drift integration provided the bridge. That’s the playbook now: compromise a less-guarded app, hijack its tokens, and move laterally into high-value platforms like Salesforce.

"The rule is simple: monitor the tokens. If Salesforce OAuth grants and scopes aren’t inventoried and watched, one overprivileged integration becomes a quiet, ongoing leak." -Ben Robertson, Principal Identity Architect

Takeaways from the Salesloft Breach

Most SaaS security conversations focus on the apps themselves: securing user accounts, detecting misconfigurations, enforcing MFA. But the exposure often lies between the apps, hidden in integrations, permissions, and trust relationships. OAuth tokens don’t expire when employees leave. They don’t always show up in centralized logs. And they can persist for months or years, quietly granting unauthorized access to sensitive data.

The rise of these attacks points to a blind spot. It's not just about shadow SaaS anymore. It's about shadow integrations: the connected web of app relationships that no one is monitoring. Sales teams connect Drift to Salesforce. Marketing layers in analytics tools. Customer support installs help desk apps. One misconfigured integration, one breached app, and your Salesforce tenant becomes the exit ramp for exfiltration.

This Isn’t Just a Salesforce Problem

The tactic is spreading. Any platform that uses OAuth, and that's virtually every modern SaaS platform, is vulnerable. Attackers know that compromising a user is hard. Compromising a token buried inside a SaaS integration? Much easier. And far less visible.

The cloud access plane is being reshaped in real time. And while organizations scramble to plug holes and revoke tokens, the more fundamental issue remains: too many integrations, too little oversight, and far too much implicit trust.

Preventing a Similar Breach in Your Organization

It’s time to expand the SaaS security conversation beyond user-to-app relationships and include app-to-app trust chains. That means:

  • Inventorying all OAuth-based integrations, even the obscure ones.
  • Revoking unused tokens and regularly rotating active ones.
  • Monitoring token usage patterns, especially for lateral access into sensitive platforms like Salesforce.
  • Applying least privilege principles to apps, not just users.

Without visibility into these trust chains, attackers can—and will—move silently between apps. The Salesloft breach is proof.
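The checks in the list above can be run over an export of OAuth grants and token-use events. The following is an added example, not code from Grip or Salesforce; the record layout, app names, IP ranges and the 90-day threshold are assumptions, and the scope strings follow Salesforce's OAuth scope names.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

BROAD_SCOPES = {"full"}  # everything the granting user can reach
LONG_LIVED_SCOPES = {"refresh_token", "offline_access"}  # can mint new access tokens

def audit_grants(grants, events, expected_nets, now, stale_days=90):
    """Return {grant_id: [findings]} for each grant with at least one finding."""
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for g in grants:
        issues, scopes = [], set(g["scopes"])
        if scopes & BROAD_SCOPES:
            issues.append("overprivileged")
        # Unused or never-used grant that still holds a refresh capability.
        if scopes & LONG_LIVED_SCOPES and (g["last_used"] is None or g["last_used"] < cutoff):
            issues.append("stale")
        # Token presented from outside the integration's known egress ranges;
        # an app with no recorded ranges has every use flagged.
        nets = [ip_network(n) for n in expected_nets.get(g["app"], [])]
        used_from = [ip_address(e["src_ip"]) for e in events if e["grant_id"] == g["id"]]
        if any(not any(ip in n for n in nets) for ip in used_from):
            issues.append("unexpected-source")
        if issues:
            findings[g["id"]] = issues
    return findings

# Constructed sample data: app names, dates and documentation-range IPs are made up.
NOW = datetime(2025, 8, 28, tzinfo=timezone.utc)
GRANTS = [
    {"id": "g1", "app": "chat-widget", "scopes": ["full", "refresh_token"],
     "last_used": NOW - timedelta(days=1)},
    {"id": "g2", "app": "analytics", "scopes": ["api", "refresh_token"],
     "last_used": NOW - timedelta(days=200)},
    {"id": "g3", "app": "helpdesk", "scopes": ["api"], "last_used": NOW - timedelta(days=2)},
    {"id": "g4", "app": "old-poc", "scopes": ["api", "refresh_token"], "last_used": None},
]
EXPECTED_NETS = {"chat-widget": ["203.0.113.0/24"], "analytics": ["198.51.100.0/24"],
                 "helpdesk": ["192.0.2.0/24"]}
EVENTS = [
    {"grant_id": "g1", "src_ip": "203.0.113.10"},
    {"grant_id": "g1", "src_ip": "198.51.100.77"},  # not a chat-widget egress address
    {"grant_id": "g3", "src_ip": "192.0.2.5"},
]

if __name__ == "__main__":
    for grant_id, issues in audit_grants(GRANTS, EVENTS, EXPECTED_NETS, NOW).items():
        print(grant_id, ", ".join(issues))
```

Grants flagged as stale are candidates for revocation, and an unexpected-source finding on an actively used grant is the case that warrants immediate rotation and review.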

How Grip Helps

Grip automatically discovers every SaaS integration, including misconfigured connections and risky OAuth scopes, and continuously monitors token use across environments. If an integration is compromised or misused, Grip detects suspicious activity, flags risky tokens, and enables one-click remediation. This level of control is what stops an OAuth breach from becoming a data exfiltration event.

Don’t Wait for the Next OAuth Breach

We’re past the era of simple phishing attacks. Today’s adversaries understand SaaS identity gaps and OAuth permissions better than most defenders. They’re bypassing endpoints, moving laterally through integrations, and exploiting trust relationships organizations don’t even know exist. And if you’re not watching that path, you won’t see the breach coming.

Book time with our team to learn how Grip gives you visibility into your hidden OAuth risks and stops integration-driven data breaches before they happen.
