Defending Against the Salesloft Drift Breach: 7 Actions to Protect Your Salesforce and SaaS Ecosystem
Sep 8, 2025
The Salesloft Drift breach isn’t slowing down; it’s accelerating and growing daily. Here are 7 actions to take immediately to protect your organization.
The Salesloft Drift breach isn’t slowing down; it’s accelerating and growing daily. As the investigation matured, the core exfiltration window has been narrowed to mid-August, with disclosures still surfacing as impacted organizations complete their forensics. What began with targeted attacks through Drift’s Salesforce integration has quickly escalated into a full-scale campaign. Attackers are now going after any Drift connection they can find, stealing OAuth tokens, exposing downstream apps, and exfiltrating sensitive data — often without triggering a single security alert.
According to the Google Threat Intelligence Group (GTIG), hundreds of organizations could be affected based on connected integrations. GTIG also emphasized that Gmail itself was not broadly compromised; exposure was limited to certain Google Workspace accounts that had enabled the Drift integration, and Google revoked the affected tokens and disabled that integration.
“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” - Google Threat Intelligence Group
Further, “We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access,” the Google Threat Intelligence Group (GTIG) said in its post.
How Widespread Is the Salesloft Drift Breach Impact Radius?
While Drift may represent only ~2% of the live chat market, its real footprint is far bigger. Tens of thousands of businesses use the platform, many tightly integrated with Salesforce and other critical SaaS applications. That deep connectivity makes Drift’s ecosystem a high-value target and explains why this campaign has such an unusually large breach radius.
Compromised OAuth tokens don’t just unlock chatbot data; they can expose customer records, API-connected services, and downstream SaaS apps linked through Drift. This turns what might look like a single vendor incident into something closer to a supply chain compromise.
It’s also important to clarify this was not a breach of the Salesforce core platform; Drift was a third-party integration pathway.
GTIG recommends that affected organizations expand their investigation beyond Drift itself to include Salesforce environments connected via OAuth and any third-party integrations that share data or tokens with Drift. In parallel, Salesforce moved to disable Drift application instances across its platform and removed the app’s AppExchange listing as part of containment.
This is why the blast radius is so significant: a single compromised integration can silently expose dozens of other connected environments, even without a direct breach of those systems. Recent victim updates span multiple cybersecurity and technology vendors, reinforcing the supply-chain nature of the event and the likelihood of targeted phishing using exposed CRM contact data.
The Salesloft Drift breach explained: Watch an industry briefing on how token reuse turned one integration into a multi-tenant breach path, and what controls stop it.
How to Check Your Risk and Prevent a Similar Salesloft Drift Breach
Because this attack exploits OAuth tokens and trusted integrations, risk isn’t limited to Drift itself; it can extend into Salesforce and any connected systems. Here’s how to determine if your organization is at risk and what actions to take now.
1. Review Your OAuth Integrations
Log into your Salesforce environment and review all authorized OAuth apps.
Look specifically for Salesloft Drift connections and review the scopes granted to them.
Treat any Drift integration as potentially compromised. If present, document exact scopes, token lifetimes, and last-used timestamps before revocation to support forensics.
2. Audit Drift-Connected Activity
Check Drift’s integration logs for unusual OAuth approvals or data requests.
Watch for anomalies, including:
Unexpected bulk data exports
Unrecognized connected apps
Abnormal API calls originating from Drift (especially sudden increases in API queries or token refreshes).
3. Investigate Salesforce Logs for Abnormal Access
Review Salesforce login and API activity associated with Drift-issued OAuth tokens.
GTIG notes attackers are blending into normal traffic, so look for subtle indicators like:
Unusual user behavior patterns
Unusual query volumes
Requests made outside business hours
API calls from unknown IP ranges (and Bulk API 2.0 jobs followed by job deletion, which was observed in real-world cases).
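To make the indicators in steps 2 and 3 concrete, here is an added Python example (not code from the original post, Salesforce, or Salesloft) that runs them over constructed, simplified API event records: a Bulk API 2.0 job created and then deleted within a short window, calls from outside a known IP range, requests outside business hours, and a per-app query spike. The record shape, the IP allow-list, business hours and thresholds are assumptions, not Salesforce's event log schema.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in a simplified shape (not Salesforce's EventLogFile schema).
# Each record: timestamp, connected app, source IP, operation, optional Bulk API job id.
EVENTS = [
    {"ts": "2025-08-12T10:05:00", "app": "Drift", "ip": "203.0.113.7", "op": "Query", "job": None},
    {"ts": "2025-08-12T02:14:00", "app": "Drift", "ip": "198.51.100.9", "op": "BulkJobCreate", "job": "750X1"},
    {"ts": "2025-08-12T02:31:00", "app": "Drift", "ip": "198.51.100.9", "op": "BulkJobDelete", "job": "750X1"},
    {"ts": "2025-08-12T11:00:00", "app": "Billing", "ip": "203.0.113.8", "op": "Query", "job": None},
] + [{"ts": f"2025-08-12T02:{m:02d}:00", "app": "Drift", "ip": "198.51.100.9", "op": "Query", "job": None}
     for m in range(15, 30)]  # 15 off-hours queries from one unknown IP (constructed)

KNOWN_RANGES = [ip_network("203.0.113.0/24")]   # assumed corporate / vendor egress range
BUSINESS_HOURS = range(8, 19)                    # 08:00-18:59 local, assumed
QUERY_SPIKE = 10                                 # queries per app per hour, assumed baseline
DELETE_WINDOW = timedelta(hours=1)               # create-then-delete within this window is suspicious

def parse(event):
    return datetime.fromisoformat(event["ts"])

def find_indicators(events):
    """Return a sorted list of (indicator, app, detail) tuples for review."""
    hits = set()
    created = {}          # Bulk API job id -> creation time
    per_hour = Counter()  # (app, hour) -> query count
    for e in events:
        ts = parse(e)
        if not any(ip_address(e["ip"]) in net for net in KNOWN_RANGES):
            hits.add(("unknown_ip", e["app"], e["ip"]))
        if ts.hour not in BUSINESS_HOURS:
            hits.add(("off_hours", e["app"], ts.strftime("%Y-%m-%d %H:00")))
        if e["op"] == "Query":
            per_hour[(e["app"], ts.strftime("%Y-%m-%dT%H"))] += 1
        elif e["op"] == "BulkJobCreate":
            created[e["job"]] = ts
        elif e["op"] == "BulkJobDelete" and e["job"] in created:
            # Job created and deleted shortly after: consistent with covering tracks
            if ts - created[e["job"]] <= DELETE_WINDOW:
                hits.add(("bulk_job_create_then_delete", e["app"], e["job"]))
    for (app, hour), count in per_hour.items():
        if count >= QUERY_SPIKE:
            hits.add(("query_spike", app, f"{hour}:{count}"))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_indicators(EVENTS):
        print(*hit)
```

On the constructed data every hit points at the Drift app and none at the in-range, in-hours Billing traffic, which is the correlation step 3 asks for.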
4. Cross-Check Other Connected Systems
This attack isn't limited to Salesforce. Attackers are going after any application connected to Drift.
Review any third-party SaaS apps connected to Salesforce via OAuth grants, including Google Workspace, Slack, Snowflake, or AWS.
Investigate those environments for unexpected data requests or elevated permissions. Correlate app/client IDs across platforms to find the same integration operating in multiple SaaS environments.
Hunt and remediate secrets in support data. Search Salesforce Case, CaseComment, and EmailMessage text, and download and scan ContentVersion attachments for leaked credentials (e.g., API keys, AWS/Snowflake tokens). Rotate anything found. Several organizations have reported rotating tokens discovered inside case text during post-incident reviews.
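As an added example (not from the original post or any vendor), the following Python scanner shows the secrets hunt described above over constructed stand-ins for Salesforce Case, CaseComment and EmailMessage text; decoded text from ContentVersion attachments can be fed through the same function. The AWS access key pattern reflects the documented key ID format; the keyword and bearer patterns are heuristics you should tune, and the record paths and sample values are constructed.

```python
import re

# Constructed sample records standing in for Case, CaseComment and EmailMessage
# text fields (not real customer data; the AWS key is Amazon's documentation example).
SUPPORT_TEXT = {
    "Case/500X1/Description": "Customer cannot sync. Their config has AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "CaseComment/00aX1/CommentBody": "Tried again with password: hunter2, still failing",
    "EmailMessage/02sX1/TextBody": "Attached the Snowflake token=sf_example_0123456789abcdef for you to test",
    "Case/500X2/Description": "Chatbot widget renders twice on the pricing page.",
}

# AWS access key IDs have a fixed prefix and length; the rest are keyword-based
# heuristics (assumed, tune to your environment).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "keyword_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*(\S{6,})"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
}

def redact(value):
    """Keep a short prefix so the finding is triageable without re-leaking the secret."""
    value = value.rstrip(",.;)")
    return value[:4] + "..." if len(value) > 4 else "****"

def scan_support_text(records):
    """Return findings as (record path, pattern name, redacted sample) tuples."""
    findings = []
    for path, text in records.items():
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                secret = match.group(1) if pattern.groups else match.group(0)
                findings.append((path, name, redact(secret)))
    return findings

if __name__ == "__main__":
    for path, name, sample in scan_support_text(SUPPORT_TEXT):
        print(f"{path}: {name} -> {sample}")
```

Every finding is a rotation task, not just a cleanup task: the page's guidance is to rotate anything found, then remove it from the record.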
5. Revoke and Rotate OAuth Tokens Immediately
Even if you find no signs of suspicious activity, GTIG recommends revoking all Drift-related OAuth tokens immediately.
Do not re-authenticate Drift until your investigation is complete and GTIG or Salesloft Drift provides confirmation that the threat has been contained.
6. Continuously Audit and Restrict Overly-Permissive SaaS Integrations
Maintain a live inventory of all connected apps and OAuth tokens, their scopes, and their capabilities.
Enforce least-privilege OAuth scopes, evaluate new app integrations (including where the authorization originated) before they are approved, and proactively revoke unnecessary or risky permissions.
Automate OAuth scope management and cleanup, ensuring departing users’ permissions are revoked to prevent lingering tokens.
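The inventory review in step 6 (and the scope and last-used documentation in step 1) can be expressed as a repeatable policy check. The Python below is an added example, not code from the original post or from Salesforce: it walks a constructed inventory of OAuth grants and says which to revoke or narrow. The record shape, the 90-day staleness threshold and the list of apps treated as compromised are assumptions; "full" is Salesforce's broad-access OAuth scope.

```python
from datetime import date

# Constructed inventory of connected-app OAuth grants in a simplified shape
# (not Salesforce's OauthToken object; field names are assumptions).
INVENTORY = [
    {"app": "Salesloft Drift", "user": "jdoe", "active_user": True,
     "scopes": {"api", "refresh_token", "full"}, "last_used": "2025-08-14"},
    {"app": "Billing Sync", "user": "svc-billing", "active_user": True,
     "scopes": {"api", "refresh_token"}, "last_used": "2025-09-01"},
    {"app": "Old Reporting", "user": "asmith", "active_user": False,
     "scopes": {"api", "refresh_token"}, "last_used": "2025-03-02"},
    {"app": "Calendar Helper", "user": "bnguyen", "active_user": True,
     "scopes": {"full", "refresh_token"}, "last_used": "2025-05-10"},
]

COMPROMISED_APPS = {"Salesloft Drift"}  # per GTIG guidance: treat Drift tokens as compromised
BROAD_SCOPES = {"full"}                 # 'full' grants everything the authorizing user can access
STALE_DAYS = 90                         # assumed threshold for unused grants
TODAY = date(2025, 9, 8)                # fixed so the example is reproducible

def review_grants(inventory, today=TODAY):
    """Return {app: [reasons]} for grants that should be revoked or narrowed."""
    actions = {}
    for grant in inventory:
        reasons = []
        if grant["app"] in COMPROMISED_APPS:
            reasons.append("revoke: vendor integration treated as compromised")
        if not grant["active_user"]:
            # Departed users leave lingering tokens behind
            reasons.append("revoke: authorizing user is deactivated")
        idle = (today - date.fromisoformat(grant["last_used"])).days
        if idle > STALE_DAYS:
            reasons.append(f"revoke: unused for {idle} days")
        broad = grant["scopes"] & BROAD_SCOPES
        if broad:
            reasons.append(f"narrow: broad scope(s) {sorted(broad)}")
        if reasons:
            actions[grant["app"]] = reasons
    return actions

if __name__ == "__main__":
    for app, reasons in review_grants(INVENTORY).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```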
7. Enhance SaaS Monitoring with Behavior Analytics
Focus on OAuth activity monitoring, integration visibility, and behavioral anomaly detection rather than relying on SaaS audit logs, which are often incomplete.
Watch for shifts:
Newly authorized third-party apps
Unusual spikes in data transfers
Sudden permission changes
How Grip Can Help
If your organization is working through these steps, you don’t have to do it alone. Grip Security can help you evaluate your risk, identify exposure, and close gaps quickly, then strengthen your defenses for the long term.
Once your immediate risk is addressed, Grip gives security teams the visibility and control they need to stay ahead of OAuth-based attacks and other SaaS threats:
Automatic Integration Discovery. Uncover every SaaS app and OAuth connection, including shadow integrations that security teams often miss.
Continuous OAuth Monitoring. Identify risky OAuth scopes, unused permissions, and abnormal token usage in real time.
Behavioral Analytics. Detect anomalies like suspicious OAuth grants.
One-Click Remediation. Revoke risky tokens, tighten OAuth scopes, and contain lateral movement before attackers can spread.
Act Now — Even If You Haven’t Seen Signs of Compromise
Right now, it’s the big enterprises making headlines: major Salesforce customers, large SaaS environments, and organizations with mature security programs. But those headlines can be misleading.
Larger companies are surfacing these incidents sooner because they have the processes to detect malicious activity faster and are often required to report breaches within specific timeframes. For smaller organizations, the risk is just as real, and in some cases, the compromise may already have occurred but hasn’t been detected yet.
The Salesloft Drift breach is still unfolding, and the list of affected organizations continues to grow as attackers exploit OAuth tokens and move laterally through connected environments. Swift action is critical, even if you haven’t yet seen signs of unusual activity.
Grip is here to help. Whether you need support working through the investigation steps, evaluating your risk, or closing security gaps before attackers move further, our team can guide you through it and give you the visibility and control you need to stay ahead of future attacks. Book a confidential call now.
This article was updated on September 15, 2025 to reflect breach updates and remediation recommendations.