Defending Against the Salesloft Drift Breach: 7 Actions to Protect Your Salesforce and SaaS Ecosystem

Sep 3, 2025


The Salesloft Drift breach isn’t slowing down; it’s accelerating and growing daily. Here are 7 actions to take immediately to protect your organization.

Salesloft Drift Breach Fallout

The Salesloft Drift breach isn’t slowing down; it’s accelerating and growing daily. What began with targeted attacks through Drift’s Salesforce integration has quickly escalated into a full-scale campaign. Attackers are now going after any Drift connection they can find, stealing OAuth tokens, exposing downstream apps, and exfiltrating sensitive data — often without triggering a single security alert.

According to the Google Threat Intelligence Group (GTIG), hundreds of organizations could be affected based on connected integrations.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” - Google Threat Intelligence Group

Further, “We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access,” the Google Threat Intelligence Group (GTIG) said in its post.

How Widespread Is the Salesloft Drift Breach Impact Radius?

While Drift may represent only ~2% of the live chat market, its real footprint is far bigger. Tens of thousands of businesses use the platform, many tightly integrated with Salesforce and other critical SaaS applications. That deep connectivity makes Drift’s ecosystem a high-value target and explains why this campaign has such an unusually large breach radius.

Compromised OAuth tokens don’t just unlock chatbot data; they can expose customer records, API-connected services, and downstream SaaS apps linked through Drift. This turns what might look like a single vendor incident into something closer to a supply chain compromise.

GTIG recommends that affected organizations expand their investigation beyond Drift itself, including Salesforce environments connected via OAuth and third-party integrations that share data or tokens with Drift.

This is why the blast radius is so significant: a single compromised integration can silently expose dozens of other connected environments, even without a direct breach of those systems.

How to Check Your Risk and Prevent a Similar Salesloft Drift Breach

Because this attack exploits OAuth tokens and trusted integrations, risk isn’t limited to Drift itself; it can extend into Salesforce and any connected systems. Here’s how to determine if your organization is at risk and what actions to take now.

1. Review Your OAuth Integrations  

  • Log into your Salesforce environment and review all authorized OAuth apps.
  • Look specifically for Salesloft Drift connections and review the scopes granted to them.
  • Treat any Drift integration as potentially compromised.

2. Audit Drift-Connected Activity

  • Check Drift’s integration logs for unusual OAuth approvals or data requests.  
  • Watch for anomalies, including:
      • Unexpected bulk data exports
      • Unrecognized connected apps
      • Abnormal API calls originating from Drift

3. Investigate Salesforce Logs for Abnormal Access

  • Review Salesforce login and API activity associated with Drift-issued OAuth tokens.
  • GTIG notes attackers are blending into normal traffic, so look for subtle indicators like:
      • Unusual user behavior patterns
      • Unusual query volumes
      • Requests made outside business hours
      • API calls from unknown IP ranges

4. Cross-Check Other Connected Systems

  • This attack isn't limited to Salesforce. Attackers are going after any application connected to Drift.
  • Review any third-party SaaS apps connected to Salesforce via OAuth grants, including Google Workspace, Slack, Snowflake, or AWS.
  • Investigate those environments for unexpected data requests or elevated permissions.

5. Revoke and Rotate OAuth Tokens Immediately

  • Even if you find no signs of suspicious activity, GTIG recommends revoking all Drift-related OAuth tokens immediately.
  • Do not re-authenticate Drift until your investigation is complete and GTIG or Salesloft Drift provides confirmation that the threat has been contained.

6. Continuously Audit and Restrict Overly-Permissive SaaS Integrations

  • Maintain a live inventory of all connected apps and OAuth tokens, their scopes, and their capabilities.
  • Enforce least-privilege OAuth scopes, proactively evaluate new app integrations and where their authorization originated, and proactively revoke unnecessary or risky permissions.
  • Automate OAuth scope management and cleanup, ensuring departing users’ permissions are revoked to prevent lingering tokens.  
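
One way to automate the inventory review in step 6, as an added example that is not part of the original article or any vendor's tooling. The inventory rows, field names, approved-scope policy, user list and 90-day threshold are all constructed assumptions; map them to whatever your own connected-app export provides.

```python
from datetime import date

# Constructed inventory rows; field names are hypothetical, map them to your export.
GRANTS = [
    {"app": "Drift", "user": "svc-chat", "scopes": {"api", "refresh_token", "full"},
     "last_used": date(2025, 8, 20)},
    {"app": "Calendar Sync", "user": "jdoe", "scopes": {"api"},
     "last_used": date(2025, 3, 1)},
    {"app": "BI Export", "user": "asmith", "scopes": {"api", "refresh_token"},
     "last_used": date(2025, 8, 30)},
    {"app": "Unknown Helper", "user": "mlee", "scopes": {"api"},
     "last_used": date(2025, 8, 29)},
    {"app": "Ticketing", "user": "jdoe", "scopes": {"api"},
     "last_used": date(2025, 9, 1)},
]
APPROVED = {"Drift": {"api"}, "Calendar Sync": {"api"}, "Ticketing": {"api"},
            "BI Export": {"api", "refresh_token"}}   # assumed least-privilege policy
ACTIVE_USERS = {"svc-chat", "jdoe", "mlee"}          # asmith has left (constructed)
UNDER_INVESTIGATION = {"Drift"}                      # vendors whose tokens are distrusted
STALE_AFTER_DAYS = 90                                # assumed threshold


def audit_grants(grants, today):
    """Return (app, user, reasons) for every grant that violates the policy."""
    findings = []
    for g in grants:
        reasons = []
        allowed = APPROVED.get(g["app"])
        if g["app"] in UNDER_INVESTIGATION:
            reasons.append("vendor under investigation: revoke")
        if allowed is None:
            reasons.append("app not in approved inventory")
        elif g["scopes"] - allowed:
            reasons.append("excess scopes: " + ",".join(sorted(g["scopes"] - allowed)))
        if g["user"] not in ACTIVE_USERS:
            reasons.append("grant owner is not an active user")
        if (today - g["last_used"]).days > STALE_AFTER_DAYS:
            reasons.append("unused for over %d days" % STALE_AFTER_DAYS)
        if reasons:
            findings.append((g["app"], g["user"], reasons))
    return findings


if __name__ == "__main__":
    for app, user, reasons in audit_grants(GRANTS, date(2025, 9, 3)):
        print(f"{app:15} {user:9} {'; '.join(reasons)}")
```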

7. Enhance SaaS Monitoring with Behavior Analytics

  • Focus on OAuth activity monitoring, integration visibility, and behavioral anomaly detection rather than relying on SaaS audit logs, which are often incomplete.
  • Watch for shifts:
      • Newly authorized third-party apps
      • Unusual spikes in data transfers
      • Sudden permission changes
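
The indicators named in steps 3 and 7 (requests outside business hours, API calls from unknown IP ranges, unusual query or transfer volume) can be checked together over an API activity export. The following is an added example, not code from the original article: the CSV columns, the sample rows, the known IP range, the business-hours window and the 10x threshold are constructed assumptions.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names are hypothetical.
SAMPLE = """timestamp,connected_app,source_ip,rows_returned
2025-08-11T14:02:00,Drift,198.51.100.10,40
2025-08-11T15:10:00,Drift,198.51.100.11,55
2025-08-12T10:30:00,Drift,198.51.100.10,35
2025-08-13T02:14:00,Drift,203.0.113.77,48000
2025-08-13T02:20:00,Drift,203.0.113.77,51000
2025-08-13T11:00:00,Drift,198.51.100.12,60
"""
KNOWN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed integration egress range
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59, assumed local policy
VOLUME_FACTOR = 10              # flag requests above 10x the app's median row count


def triage(csv_text):
    """Return (timestamp, source_ip, reasons) for each request matching an indicator."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    volumes = defaultdict(list)
    for r in rows:
        volumes[r["connected_app"]].append(int(r["rows_returned"]))
    # Median rather than mean, so a short burst does not raise its own baseline.
    baseline = {app: statistics.median(v) for app, v in volumes.items()}
    flagged = []
    for r in rows:
        reasons = []
        ts = datetime.fromisoformat(r["timestamp"])
        ip = ipaddress.ip_address(r["source_ip"])
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            reasons.append("outside business hours")
        if not any(ip in net for net in KNOWN_RANGES):
            reasons.append("unknown IP range")
        if int(r["rows_returned"]) > VOLUME_FACTOR * baseline[r["connected_app"]]:
            reasons.append("query volume spike")
        if reasons:
            flagged.append((r["timestamp"], r["source_ip"], reasons))
    return flagged


if __name__ == "__main__":
    for ts, ip, reasons in triage(SAMPLE):
        print(ts, ip, "; ".join(reasons))
```

Because GTIG notes that attackers blend into normal traffic, a request that trips only one indicator is still worth a look; the three-indicator rows in the sample are the easy case.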

How Grip Can Help

If your organization is working through these steps, you don’t have to do it alone. Grip Security can help you evaluate your risk, identify exposure, and close gaps quickly, then strengthen your defenses for the long term.

Once your immediate risk is addressed, Grip gives security teams the visibility and control they need to stay ahead of OAuth-based attacks and other SaaS threats:

  • Automatic Integration Discovery. Uncover every SaaS app and OAuth connection, including shadow integrations that security teams often miss.
  • Behavioral Analytics. Detect anomalies like suspicious OAuth grants.
  • One-Click Remediation. Revoke risky tokens, tighten OAuth scopes, and contain lateral movement before attackers can spread.

Act Now — Even If You Haven’t Seen Signs of Compromise

Right now, it’s the big enterprises making headlines: major Salesforce customers, large SaaS environments, and organizations with mature security programs. But those headlines can be misleading.

Larger companies are surfacing these incidents sooner because they have the processes to detect malicious activity faster and are often required to report breaches within specific timeframes. For smaller organizations, the risk is just as real, and in some cases, the compromise may already have occurred but hasn’t been detected yet.

The Salesloft Drift breach is still unfolding, and the list of affected organizations continues to grow as attackers exploit OAuth tokens and move laterally through connected environments. Swift action is critical, even if you haven’t yet seen signs of unusual activity.  

Grip is here to help. Whether you need support working through the investigation steps, evaluating your risk, or closing security gaps before attackers move further, our team can guide you through it and give you the visibility and control you need to stay ahead of future attacks. Book a confidential call now.
