Executive Summary
In August 2025, a supply chain attack on Salesloft's Drift integration exposed how weakly OAuth tokens are managed across SaaS integrations. The threat group tracked as UNC6395 first compromised a Salesloft GitHub account, used that access to reach Drift's AWS environment, and obtained the OAuth tokens Drift held for its customers' connected applications. From 8 August through at least 18 August the group used those tokens to query the Salesforce instances of more than 700 organizations, including the security vendors Okta and Zscaler. Okta had restricted its connected apps to known IP ranges, so the attackers' API requests were rejected and no data was lost; Zscaler confirmed unauthorized access to customer contact details and support case content held in its Salesforce instance. The campaign ran at machine speed: scripted, high-volume queries through legitimate API channels extracted the data before most victims' defenses reacted.
The incident shows how API- and token-driven attacks propagate across integrated SaaS ecosystems. When organizations delegate access to third-party applications through long-lived OAuth grants, perimeter controls and vendor due-diligence questionnaires offer little against an adversary who arrives holding a trusted application's token and automates its use.
Why This Matters Now
Supply chain breaches exploiting SaaS platforms, APIs, and OAuth tokens are escalating, exposing organizations to risk via trusted integrations. This attack highlights an urgent industry need for stronger API visibility, automated access controls, and secure token handling before similar incidents proliferate further.
Attack Path Analysis
The intrusion began in the software supply chain. The threat group gained access to a Salesloft GitHub account and held it for several months, downloading content from multiple repositories, adding a guest user and setting up workflows. Reconnaissance from that foothold led to Drift's AWS environment, where the group obtained the OAuth tokens Drift held for its customers' connected applications. Those tokens gave the attackers the same API access as the Drift application itself, so no further exploit was required: they authenticated to connected Salesforce instances, ran scripted queries against objects such as Account, Contact, Opportunity, User and Case, exported large volumes of records, and deleted the query jobs afterwards to reduce their footprint. Customers that had restricted the connected app to known IP ranges saw the requests fail; customers without such restrictions lost data.
Kill Chain Progression
Initial Compromise
Description
Attackers gained unauthorized access to a Salesloft GitHub account, which the investigation found had been compromised from March through June 2025, and used it to position themselves inside Salesloft's software supply chain.
Related CVEs
None assigned. This was a credential and token compromise, not the exploitation of a software flaw, and the cited sources associate no CVE identifier with it. The attackers held valid OAuth tokens issued to the Drift application and used them exactly as the application would, so there was nothing for a vulnerability scanner to find or for a patch to fix.
Affected Products:
Salesloft Drift integrations, including Drift's connections to Salesforce; the affected tokens were revoked and the Drift integration was taken offline in early September 2025 pending the investigation
Exploit Status:
Exploited in the wild (active token abuse observed in August 2025)
MITRE ATT&CK® Techniques
T1195 Supply Chain Compromise (access to a Salesloft GitHub account)
T1078.004 Valid Accounts: Cloud Accounts (access to Drift's AWS environment)
T1528 Steal Application Access Token (OAuth tokens held by Drift for customer integrations)
T1550.001 Use Alternate Authentication Material: Application Access Token (stolen tokens replayed against customer Salesforce instances)
T1098 Account Manipulation (guest user and workflows added to the compromised GitHub account)
T1213 Data from Information Repositories (CRM and support case records)
T1020 Automated Exfiltration (scripted bulk queries)
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 6
CISA ZTMM 2.0 – Least Privilege and Credential Management
Control ID: Identity Pillar - 2.2
NIS2 Directive – Supply Chain Security
Control ID: Art. 21(2)(d)
ISO/IEC 27001:2022 – Outsourced Development
Control ID: A.8.30
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting OAuth tokens and API integrations expose software companies to large-scale customer data theft through access that looks legitimate to the platform serving it.
Information Technology/IT
IT services face critical risks from compromised third-party integrations, requiring enhanced API security controls and zero trust segmentation for client protection.
Financial Services
OAuth token theft in supply chain attacks threatens financial institutions' customer data and regulatory compliance under strict data protection requirements.
Marketing/Advertising/Sales
Sales technology platforms such as Drift hold broad grants into customer CRM data, which makes their tokens high-value targets and calls for API monitoring and tight token scoping.
Sources
- Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks (CyberScoop): https://cyberscoop.com/okta-zscaler-security-leaders-salesloft-drift-attacks/
- Cybersecurity Alert – Salesloft Drift AI Supply Chain Attack (FINRA): https://www.finra.org/rules-guidance/guidance/salesloft-drift-AI-supply-chain-attack
- Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks (TechRadar): https://www.techradar.com/pro/security/salesloft-breached-to-steal-oauth-tokens-for-salesforce-data-theft-attacks
- Salesloft platform integration restored after probe reveals monthslong GitHub account compromise (Cybersecurity Dive): https://www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as segmentation, API egress filtering, and east-west traffic monitoring could have limited attacker pivoting and identified policy-violating token use. Automated visibility and policy enforcement would have blocked or detected anomalous SaaS/API activity, reducing the impact and scope of the attack.
Control: Threat Detection & Anomaly Response
Mitigation: Malicious access attempts to code repositories would be detected in real time.
Control: Zero Trust Segmentation
Mitigation: Workload and app-level segmentation constrain access to sensitive token stores.
Control: East-West Traffic Security
Mitigation: Lateral and inter-service movement is restricted and monitored.
Control: Cloud Firewall (ACF)
Mitigation: Outbound API traffic from unauthorized IPs or regions is blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts via unauthorized API or service egress are detected and blocked.
Full-scope visibility enables rapid detection, response, and containment of data exposure.
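The controls listed above come down to a few checks that can be run over a connected app's API log. The following Go program is an added example, not code from this page or from any vendor it names. It evaluates constructed, simplified API event records (the field names are an assumption, not any platform's real log schema; the addresses are documentation ranges; the user agents and query text are invented) against a per-integration baseline: the IP ranges the vendor's traffic should come from, the client it should present, the largest bulk export a single call should return, and the search terms that indicate an attacker trawling support case text for stored secrets such as AWS access keys and Snowflake credentials. In this constructed trace the first two events are clean and the token-abuse burst produces nine findings.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"slices"
	"strings"
	"time"
)

// APIEvent is one API call made through a SaaS connected app. The field names are a
// simplification modeled on Salesforce-style API event logs, not any vendor's real schema.
type APIEvent struct {
	Timestamp                                        time.Time
	ConnectedApp, SourceIP, UserAgent, Operation, Query string // Operation: "query", "bulkQuery", ...
	RowsReturned                                     int
}

type Finding struct{ Rule, Detail string; Event APIEvent } // one rule hit against one event

// Policy is the baseline a SOC keeps per integration: where the vendor's traffic legitimately
// originates, which client it uses, and how many rows a single call should ever return.
type Policy struct {
	AllowedCIDRs  []*net.IPNet
	AgentPrefixes []string
	BulkRowLimit  int
}

// credentialHunt matches the search terms used to trawl support-case text for secrets such as
// AWS access keys (AKIA...) and Snowflake credentials.
var credentialHunt = regexp.MustCompile(`(?i)AKIA|snowflake|password|secret|api[_ -]?key|token`)

func (p Policy) ipAllowed(ip string) bool {
	addr := net.ParseIP(ip)
	return addr != nil && slices.ContainsFunc(p.AllowedCIDRs, func(n *net.IPNet) bool { return n.Contains(addr) })
}

func (p Policy) agentExpected(ua string) bool {
	return slices.ContainsFunc(p.AgentPrefixes, func(pre string) bool { return strings.HasPrefix(ua, pre) })
}

// Analyze checks every event against the baseline for its connected app. Apps with no
// baseline are flagged outright: an integration nobody owns is where a stale token survives.
func Analyze(events []APIEvent, baselines map[string]Policy) []Finding {
	var out []Finding
	for _, e := range events {
		p, known := baselines[e.ConnectedApp]
		if !known {
			out = append(out, Finding{"unknown-connected-app", e.ConnectedApp, e})
			continue
		}
		if !p.ipAllowed(e.SourceIP) {
			out = append(out, Finding{"ip-not-allowlisted", e.SourceIP, e})
		}
		if !p.agentExpected(e.UserAgent) {
			out = append(out, Finding{"unexpected-user-agent", e.UserAgent, e})
		}
		if e.Operation == "bulkQuery" && e.RowsReturned > p.BulkRowLimit {
			out = append(out, Finding{"bulk-export", fmt.Sprintf("%d rows, limit %d", e.RowsReturned, p.BulkRowLimit), e})
		}
		if m := credentialHunt.FindString(e.Query); m != "" {
			out = append(out, Finding{"credential-hunting", m, e})
		}
	}
	return out
}

// Baselines is the constructed baseline for one integration (the app name, range and agent
// prefix are illustrative; 198.51.100.0/24 is a documentation range).
func Baselines() map[string]Policy {
	_, vendorNet, _ := net.ParseCIDR("198.51.100.0/24")
	return map[string]Policy{"Drift": {[]*net.IPNet{vendorNet}, []string{"DriftIntegration/"}, 50000}}
}

// SampleEvents is constructed input: two routine calls from the integration, then an
// automated burst that uses the same app's token from an address outside the baseline.
func SampleEvents() []APIEvent {
	t := time.Date(2025, 8, 9, 3, 0, 0, 0, time.UTC)
	return []APIEvent{
		{t, "Drift", "198.51.100.10", "DriftIntegration/2.1", "query", "SELECT Id, Name FROM Contact WHERE Email = 'a@example.com'", 12},
		{t.Add(time.Minute), "Drift", "198.51.100.11", "DriftIntegration/2.1", "query", "SELECT Id FROM Lead WHERE Id = '00Q000000000001'", 1},
		{t.Add(2 * time.Minute), "Drift", "203.0.113.7", "python-requests/2.32", "describe", "", 0},
		{t.Add(3 * time.Minute), "Drift", "203.0.113.7", "python-requests/2.32", "bulkQuery", "SELECT Id, AccountId, Email, Phone FROM Contact", 480000},
		{t.Add(4 * time.Minute), "Drift", "203.0.113.7", "python-requests/2.32", "bulkQuery", "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%' OR Description LIKE '%snowflake%'", 91000},
	}
}

func main() {
	for _, f := range Analyze(SampleEvents(), Baselines()) {
		fmt.Printf("%s  %-22s %-14s %s\n", f.Event.Timestamp.Format("15:04:05"), f.Rule, f.Event.SourceIP, f.Detail)
	}
}
```

The IP rule is the check that separated Okta's outcome from Zscaler's, with the difference that Okta enforced it at the connected app rather than alerting on it afterwards; the log rule catches the same condition after the fact on platforms without such a setting. The credential-hunting rule only works where the platform logs query text; where it does not, the bulk-export and user-agent rules still fire on the same burst.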
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
- Support Services
Estimated downtime: 10 days
Estimated loss: $5,000,000
Unauthorized access to sensitive customer data, including contact information, support case details, and potentially credentials such as AWS access keys and Snowflake tokens.
Recommended Actions
Key Takeaways & Next Steps
- Implement dynamic Zero Trust segmentation and restrict inter-service communications to prevent unauthorized lateral movement.
- Enforce egress filtering and API policy controls to stop anomalous or unsanctioned token usage from unknown IPs or regions.
- Continuously monitor SaaS, API, and cloud platform activity for behavioral anomalies using automated threat detection.
- Regularly rotate, audit, and tightly scope API and OAuth tokens, including retiring unused tokens immediately upon service deprecation.
- Demand and verify token-bound proof-of-possession methods from third-party SaaS and supply chain providers to limit stolen token abuse.
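The last recommendation above, token-bound proof of possession, is concrete enough to show in code. The following Go program is an added example, not code from this page or from any vendor it names. It implements both halves of OAuth DPoP (RFC 9449) with ES256 from the standard library: the client signs a one-request proof with a key that never leaves it, and the resource server accepts an access token only when the proof is signed by the key the token was issued to. The token structure, the endpoint URL and the five-minute proof lifetime are assumptions, and the replay cache is an in-memory map that a real deployment would replace with a bounded, expiring, shared store. The point of the demonstration is the failure modes: a token copied out of a vendor's environment, as in this incident, is rejected when the thief presents it with a key of their own, and a captured proof is rejected the second time it is seen.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AccessToken stands in for the token a SaaS issues to an integration. A DPoP-bound
// token carries the JWK thumbprint of the client key (cnf.jkt); a bearer token does not.
type AccessToken struct{ Subject, JKT string } // assumption: real tokens are JWTs or opaque
var b64 = base64.RawURLEncoding

func coord32(v *big.Int) []byte { out := make([]byte, 32); v.FillBytes(out); return out } // 32-byte big-endian
func jwk(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(coord32(pub.X)), "y": b64.EncodeToString(coord32(pub.Y))}
}

// jwkThumbprint is the RFC 7638 thumbprint: SHA-256 over the canonical JWK.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	j := jwk(pub)
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, j["x"], j["y"])))
	return b64.EncodeToString(sum[:])
}
func GenKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k } // stays on the client

// NewProof is the client side: an ES256-signed DPoP proof JWT (RFC 9449) over one request.
func NewProof(priv *ecdsa.PrivateKey, htm, htu string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk(&priv.PublicKey)})
	cl, _ := json.Marshal(map[string]any{"htm": htm, "htu": htu, "iat": now.Unix(), "jti": b64.EncodeToString(jti)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(cl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(coord32(r), coord32(s)...)), nil
}

// Verifier is the resource server side; seenJTI is the replay cache (in production a
// bounded, expiring store shared across instances).
type Verifier struct{ seenJTI map[string]bool }
func NewVerifier() *Verifier { return &Verifier{seenJTI: map[string]bool{}} }

// Verify accepts tok only with a proof signed by the key tok is bound to that names this
// exact request, is fresh, and has not been presented before.
func (v *Verifier) Verify(tok AccessToken, proof, htm, htu string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b }
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	var cl struct{ HTM, HTU, JTI string; IAT int64 }
	sig := dec(parts[2])
	if len(sig) != 64 || json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &cl) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return errors.New("undecodable or unsupported proof")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(),
		X: new(big.Int).SetBytes(dec(hdr.JWK["x"])), Y: new(big.Int).SetBytes(dec(hdr.JWK["y"]))}
	// ECDH() fails for points off the curve; the thumbprint check is the binding a bearer token lacks.
	if _, err := pub.ECDH(); err != nil || jwkThumbprint(pub) != tok.JKT {
		return errors.New("proof key invalid or not the key the token is bound to")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad proof signature")
	}
	if cl.HTM != htm || cl.HTU != htu {
		return errors.New("proof is for a different request")
	}
	if age := now.Sub(time.Unix(cl.IAT, 0)); age < -30*time.Second || age > 5*time.Minute || v.seenJTI[cl.JTI] {
		return errors.New("proof stale or replayed")
	}
	v.seenJTI[cl.JTI] = true
	return nil
}

func main() {
	now, v, client, thief := time.Now(), NewVerifier(), GenKey(), GenKey()
	tok := AccessToken{"drift-integration", jwkThumbprint(&client.PublicKey)}
	htm, htu := "GET", "https://crm.example.com/api/query" // constructed endpoint
	good, _ := NewProof(client, htm, htu, now)
	stolen, _ := NewProof(thief, htm, htu, now) // attacker holds the token but not the key
	fmt.Println("legitimate client:", v.Verify(tok, good, htm, htu, now))
	fmt.Println("replayed proof:   ", v.Verify(tok, good, htm, htu, now))
	fmt.Println("stolen token:     ", v.Verify(tok, stolen, htm, htu, now))
}
```

When asking a SaaS provider for this, the questions that matter are whether the authorization server records the key thumbprint at token issuance and whether every resource endpoint, including bulk export and reporting APIs, performs the same proof check; a binding that only the login endpoint enforces would not have changed the outcome of this incident.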