Executive Summary
In August 2025, attackers used OAuth access and refresh tokens stolen from Salesloft's Drift application to query and exfiltrate data from the Salesforce instances of over 700 organizations that had connected Drift to Salesforce. Salesloft later traced the token theft to a compromise of its GitHub account in March 2025. The stolen data included customer contact details and support case data, and the attackers searched case text for credentials such as AWS access keys and passwords that could be reused against other systems. Prominent companies including Cloudflare, Zscaler, and Palo Alto Networks confirmed they were affected. The FBI tracks the actors behind the Drift token abuse as UNC6395; the extortion group calling itself "Scattered Lapsus$ Hunters" claimed responsibility and reportedly demanded nearly $1 billion in ransom to withhold publication of the stolen data. The incident underscores how a single third-party integration holding broad OAuth grants can become a supply chain attack against every customer that trusted it.
Why This Matters Now
The Salesloft Drift breach shows how a compromise at one SaaS vendor propagates to every customer whose data that vendor was authorized to read. As organizations connect more SaaS platforms to each other through OAuth-based integrations, inventorying those grants, scoping them to the minimum needed, and being able to revoke them quickly is essential to limiting the blast radius of the next vendor compromise.
Attack Path Analysis
Unlike a phishing-driven intrusion, the Drift breach began with credentials the attackers already held: OAuth tokens issued to the Drift integration, which Salesloft has linked to the March 2025 compromise of its GitHub account. Each token carried whatever permissions the customer had granted Drift in Salesforce, so no privilege escalation inside the victim was required; the attackers ran bulk queries against Salesforce objects, including support cases, exfiltrated the results, and mined the case text for reusable secrets such as AWS access keys and passwords that could open a path into other environments. The related UNC6040 campaign described in the FBI advisory reached Salesforce by a different route, social engineering (vishing) of employees into authorizing a malicious connected app. In both cases the pivot beyond Salesforce depends on over-permissioned identities and on secrets stored in CRM data. The impact included operational disruption, credential rotation at scale, and reputational damage.
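The attackers' payoff from the exfiltrated support cases was the credentials customers had pasted into them. The following is an added example, not code from Salesloft, Salesforce, or any source cited on this page: a scanner that runs the same kind of search a defender should run over a Case export to find secrets that must be rotated. The sample records are constructed; the AWS key values are the documented AWS example credentials, not real keys, and the field names (Id, Subject, Description) are assumed to match a standard Case export.

```python
"""Scan exported Salesforce support-case records for leaked credentials.

Added example, not code from Salesloft, Salesforce or any source cited on this
page. An attacker holding a stolen OAuth token can read Case bodies in bulk,
so this scan approximates what they look for and what a defender should find
and rotate first. Sample records are constructed; the AWS values are the
public AWS documentation examples.
"""
import re
from dataclasses import dataclass

# Patterns for credential material commonly pasted into support cases.
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) followed
# by 16 uppercase alphanumerics; the secret key is 40 base64-like characters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[^\n:=]*[:=]\s*([A-Za-z0-9/+=]{40})"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    # Assumed: Snowflake account hostnames are a useful pivot indicator.
    "snowflake_host": re.compile(r"(?i)\b[a-z0-9_-]+\.snowflakecomputing\.com\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    excerpt: str  # redacted so the triage queue never stores the full secret


def redact(value: str) -> str:
    """Keep the first 4 and last 2 characters so an operator can match the
    credential against their inventory; mask everything else."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_record(record: dict, text_fields=("Subject", "Description")) -> list:
    """Return a Finding per secret-like match in the record's free-text fields."""
    findings = []
    for field in text_fields:
        text = record.get(field) or ""
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Capture group 1 holds the secret when the pattern has one,
                # otherwise the whole match is the indicator.
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(record["Id"], field, kind, redact(secret)))
    return findings


def scan_export(records: list) -> list:
    """Scan every record of a Case export, preserving record order."""
    out = []
    for r in records:
        out.extend(scan_record(r))
    return out


# Constructed sample resembling a Case export (Id, Subject, Description).
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "S3 sync failing",
     "Description": "Our cron uses AKIAIOSFODNN7EXAMPLE with "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY "
                    "and still gets 403."},
    {"Id": "5002", "Subject": "Can't log into the portal",
     "Description": "Tried password: Summer2025! for admin@example.com, no luck."},
    {"Id": "5003", "Subject": "Billing question",
     "Description": "Invoice 4411 looks duplicated."},
    {"Id": "5004", "Subject": "Warehouse connector",
     "Description": "Account is acme-prod.snowflakecomputing.com, role ANALYST."},
]

if __name__ == "__main__":
    for f in scan_export(SAMPLE_CASES):
        print(f"case {f.record_id} [{f.field}] {f.kind}: {f.excerpt}")
```

Run it over a real Case export (for example, the CSV from a Data Export or a Bulk API query on Case) and treat every aws_access_key_id hit as an immediate rotation task; the redacted excerpt is enough to match the key in IAM without copying the secret into a ticketing system.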
Kill Chain Progression
Initial Compromise
Description
For the Drift breach, initial access did not require phishing the victims: the adversaries held OAuth tokens already issued to the Drift integration, obtained from Salesloft's environment after the March 2025 GitHub account compromise, and those tokens were accepted by Salesforce as valid credentials. The related UNC6040 campaign covered in the FBI advisory instead used social engineering (vishing) to obtain access, so both credential theft and phishing are listed below.
MITRE ATT&CK® Techniques
Gather Victim Identity Information (T1589)
Valid Accounts (T1078)
Valid Accounts: Cloud Accounts (T1078.004)
Brute Force (T1110)
Phishing (T1566)
Modify Authentication Process (T1556)
Indicator Removal (T1070)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Establish an access control model
Control ID: 7.2.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Governance
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Identity-based attacks exploit over-permissioned accounts and poor segmentation, threatening customer data and payment systems that fall under PCI DSS access control requirements.
Banking/Mortgage
Social engineering and compromised credentials enable lateral movement across interconnected financial systems, exposing sensitive customer data and creating regulatory violations.
Health Care / Life Sciences
Identity abuse bypasses HIPAA controls, allowing attackers to exfiltrate patient data within days of initial access through misconfigured cloud integrations.
Information Technology/IT
Machine identities and API integrations expand the attack surface: OAuth tokens and access keys held by third-party SaaS apps carry the same privileges as the users who authorized them, so poorly scoped grants turn a vendor compromise into privilege escalation in the customer's environment.
Sources
- Unit 42: Nearly two-thirds of breaches now start with identity abuse. https://cyberscoop.com/attackers-abuse-identity-unit42-palo-alto-networks-incident-response-report/
- Salesloft says Drift customer data thefts linked to March GitHub account hack. https://techcrunch.com/2025/09/08/salesloft-says-drift-customer-data-thefts-linked-to-march-github-account-hack/
- FBI: Cybercriminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. https://www.fbi.gov/file-repository/cyber/csa/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf
- Sprout Social: Salesloft Drift Security Incident - September 12, 2025. https://support.sproutsocial.com/hc/en-us/articles/39509392885773-Salesloft-Drift-Security-Incident-September-12-2025
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF would likely have constrained the attacker's ability to escalate privileges and move laterally, thereby reducing the overall impact of the incident.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to misuse compromised credentials may have been limited, reducing the likelihood of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained, reducing the risk of unauthorized access to sensitive resources.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted, reducing the scope of compromised systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access may have been limited, reducing the duration of the compromise.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data may have been constrained, reducing the volume of data loss.
The overall impact of the attack may have been reduced, limiting operational disruption and reputational damage.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management (CRM)
- Sales Operations
- Customer Support
Estimated downtime: 7 days
Estimated loss: $500,000
Data exposed: business contact details, including names, professional email addresses, phone numbers, and job titles, plus support case contents, which in some instances contained credentials such as AWS access keys and passwords.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- Enhance East-West Traffic Security to monitor and control internal network communications.
- Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Strengthen Threat Detection & Anomaly Response capabilities to identify and mitigate threats in real time.