Attackers Breach 700 Orgs via CX Platforms

Uncover the AI CX security blind spots exploited in the 700-organization breach, and fix them before your SOC misses them.

⚡ 30-Second TL;DR

What changed

Salesloft/Drift breach hit 700+ orgs via stolen OAuth tokens

Why it matters

Enterprises face elevated risk from AI CX platforms that connect to sensitive systems: 81% of intrusions use legitimate access. This breach underscores the need for input integrity checks, since CX platforms process billions of interactions every year.

What to do next

Audit and revoke all OAuth tokens linking CX platforms to your CRM and HRIS systems.

Who should care: Enterprise & Security Teams

🧠 Deep Insight

Web-grounded analysis with 5 cited sources.

🔑 Key Takeaways

  • Attackers compromised Salesloft’s GitHub in August 2025 and stole Drift OAuth tokens that granted access to Salesforce instances in over 700 organizations, including Cloudflare and Zscaler[1][2][3].
  • No malware was deployed; the attackers scanned the stolen data for credentials (AWS keys, Snowflake tokens) and for sensitive customer contact and opportunity information, then pivoted to Google Workspace[1][2].
  • Persistent 'zombie' OAuth tokens from campaigns that had already ended remained active for months, enabling undetected lateral movement across trust domains[1][3].

🛠️ Technical Deep Dive

  • OAuth tokens issued for the Salesloft-Drift integration gave persistent access that survived password resets and MFA, because the broad permission scopes granted at consent time resemble those abused in consent phishing[1].
  • The attackers exported structured data (contacts, opportunities) and credentials (AWS keys, Snowflake tokens) through legitimate API calls that blended in with normal activity[1][4].
  • Behavioral detection baselines the relationships between users, applications and data so that a token's first-time access to a resource stands out; traditional CASB and SIEM tooling misses SaaS-to-SaaS lateral movement[1][4].
  • Supply chain cascade: a compromise in one integration (the Salesloft GitHub) propagated to Salesforce and then Google Workspace, with no vendor shared-responsibility model covering customer-built integrations[1][4].
  • Google Threat Intelligence revoked the Drift Email OAuth tokens on August 28, 2025, after confirming Workspace access; the average time to compromise was 9 minutes, versus weeks to detect[1].
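The two detection ideas in the bullets above (a token's first-time access to a resource that is outside its baseline, and 'zombie' tokens still issuing calls after the campaign they belonged to has ended) are easy to run as a small batch check over SaaS integration audit logs. The script below is an added example written for this page; it is not code from the article, from Salesloft or Drift, or from any cited vendor. The audit-event schema, the token identifiers, the app and resource names, the integration inventory and every timestamp are constructed assumptions for illustration.

```python
"""Added example (not from the original article): flag first-time resource
access by an integration token, and tokens that keep calling APIs after
their campaign ended. All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One SaaS API audit record (hypothetical schema)."""
    ts: datetime
    token_id: str
    app: str        # integration that holds the token
    resource: str   # e.g. "crm.contacts", "crm.opportunities"
    action: str     # read / write / export


# Constructed sample audit log: July is the baseline month, August is the
# detection window. Note the 02:15 export burst and the token with no history.
EVENTS = [
    Event(datetime(2025, 7, 2, 9, 0), "tok-drift-A", "drift-chat", "crm.contacts", "read"),
    Event(datetime(2025, 7, 9, 9, 5), "tok-drift-A", "drift-chat", "crm.leads", "write"),
    Event(datetime(2025, 7, 23, 9, 1), "tok-drift-A", "drift-chat", "crm.contacts", "read"),
    Event(datetime(2025, 7, 3, 8, 0), "tok-report", "bi-dash", "crm.reports", "read"),
    Event(datetime(2025, 7, 17, 8, 0), "tok-report", "bi-dash", "crm.reports", "read"),
    Event(datetime(2025, 8, 8, 2, 14), "tok-drift-A", "drift-chat", "crm.contacts", "read"),
    Event(datetime(2025, 8, 8, 2, 15), "tok-drift-A", "drift-chat", "crm.opportunities", "export"),
    Event(datetime(2025, 8, 8, 2, 23), "tok-drift-A", "drift-chat", "crm.attachments", "export"),
    Event(datetime(2025, 8, 9, 8, 0), "tok-report", "bi-dash", "crm.reports", "read"),
    Event(datetime(2025, 8, 12, 3, 40), "tok-drift-B", "drift-chat", "crm.contacts", "read"),
]

# Constructed integration inventory: which campaign each token served and
# when that campaign ended (None means it is still running).
INTEGRATIONS = {
    "tok-drift-A": {"campaign": "q3-webinar-chat", "ended": None},
    "tok-drift-B": {"campaign": "spring-promo-chat", "ended": datetime(2025, 5, 15)},
    "tok-report": {"campaign": "ops-dashboard", "ended": None},
}

BASELINE_END = datetime(2025, 8, 1)


def build_baseline(events, baseline_end=BASELINE_END):
    """Per token, the set of (app, resource) pairs it touched before baseline_end."""
    seen = defaultdict(set)
    for ev in events:
        if ev.ts < baseline_end:
            seen[ev.token_id].add((ev.app, ev.resource))
    return seen


def first_time_access(events, baseline, baseline_end=BASELINE_END):
    """Events at or after baseline_end where a token reaches an (app, resource)
    pair absent from its baseline. A token with no baseline at all is flagged on
    its first call. Each new pair is flagged once, then learned."""
    learned = {tok: set(pairs) for tok, pairs in baseline.items()}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts < baseline_end:
            continue
        pair = (ev.app, ev.resource)
        if pair not in learned.setdefault(ev.token_id, set()):
            alerts.append(ev)
            learned[ev.token_id].add(pair)
    return alerts


def zombie_tokens(events, integrations, grace=timedelta(days=30)):
    """Tokens still issuing calls more than `grace` after their campaign ended,
    or tokens that appear in the log but are missing from the inventory.
    Returns {token_id: campaign or 'not in inventory'}."""
    zombies = {}
    for ev in events:
        meta = integrations.get(ev.token_id)
        if meta is None:
            zombies[ev.token_id] = "not in inventory"
            continue
        ended = meta["ended"]
        if ended is not None and ev.ts > ended + grace:
            zombies[ev.token_id] = meta["campaign"]
    return zombies


if __name__ == "__main__":
    base = build_baseline(EVENTS)
    for ev in first_time_access(EVENTS, base):
        print(f"FIRST-TIME {ev.ts:%Y-%m-%d %H:%M} {ev.token_id} {ev.action} {ev.resource}")
    for tok, why in zombie_tokens(EVENTS, INTEGRATIONS).items():
        print(f"ZOMBIE     {tok} ({why})")
```

In production the baseline would come from a sliding window rather than a fixed cut-off, and the `INTEGRATIONS` inventory from the identity provider or the SaaS platform's connected-apps list; the point is that both signals need a relationship baseline (token, app, resource) and a token lifecycle record, neither of which a pattern-matching DLP rule or a per-request SIEM alert provides.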

🔮 Future Implications

AI analysis grounded in cited sources

The Salesloft-Drift breach highlights escalating SaaS supply chain risks amplified by agentic AI integrations, driving demand for behavioral anomaly detection, lifecycle token governance, and unified visibility across ecosystems to prevent rapid cascades impacting hundreds of organizations[1][3][4][5].

⏳ Timeline

2025-08
Salesloft GitHub compromise occurs; attackers steal Drift OAuth tokens targeting Salesforce instances[1]
2025-08-08
Google Threat Intelligence identifies widespread data theft via compromised Salesloft-Drift integration[1]
2025-08-18
Initial attack window closes; data exfiltration from 700+ organizations confirmed[1]
2025-08-28
Google revokes OAuth tokens for Drift Email integration after detecting Google Workspace access[1]

📎 Sources (5)

Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.

  1. obsidiansecurity.com
  2. reco.ai
  3. okta.com
  4. obsidiansecurity.com
  5. businesswire.com

Attackers exploited Salesloft’s GitHub compromise to steal Drift OAuth tokens, accessing Salesforce in 700+ organizations like Cloudflare and Zscaler without malware. They poisoned unstructured CX data ingested by AI engines, triggering workflows to payroll and CRM. Security blind spots include DLP missing sentiment data and persistent zombie API tokens.

Key Points

  1. Salesloft/Drift breach hit 700+ orgs via stolen OAuth tokens
  2. No malware; attackers scanned stolen data for AWS keys and passwords
  3. DLP misses unstructured CX data like salary complaints in API calls
  4. Zombie OAuth tokens from ended campaigns enable lateral movement
  5. CX platforms miscategorized as low-risk despite AI integrations to HRIS/CRM

Technical Details

The compromised GitHub repository yielded Drift chatbot tokens that granted Salesforce access across organizations. The attackers poisoned survey and social data in ways that evaded DLP pattern matching, exploiting AI-driven automatic workflows. Qualtrics processes 3.5B interactions annually, a figure that has doubled since 2023.

AI-curated news aggregator. All content rights belong to original publishers.
Original source: VentureBeat