AppSOC is now PointGuard AI

AI Supply Chain Failure Breaches Salesforce Accounts of 700 Enterprises

Key Takeaways

  • Threat actor UNC6395 used compromised OAuth tokens from the Salesloft Drift AI chatbot to access Salesforce instances between August 8–18, 2025. (Google Cloud)
  • More than 700 organizations across finance, tech, healthcare, and government were affected, making this one of the largest SaaS supply-chain breaches to date. (FINRA)
  • Root cause was traced to months-long attacker access to Salesloft’s GitHub environment, the foothold from which the token theft was staged. (CyberScoop)
  • Stolen tokens allowed data exfiltration from Salesforce objects (Accounts, Contacts, Cases, Opportunities) and even secrets such as API keys, Snowflake tokens, and passwords. (IT Pro)

Summary

When AI Turns Rogue: The Salesforce–Salesloft–Drift Breach and What It Means for the Future of AI Trust

In August 2025, attackers leveraged the Salesloft Drift AI chatbot integration to steal OAuth tokens and pivot into hundreds of Salesforce customer instances. Over a 10-day period, the UNC6395 threat group exfiltrated large volumes of CRM data and embedded secrets using automated queries and carefully staged access. (Google Cloud)

This incident is one of the first large-scale AI-adjacent SaaS supply-chain breaches. It shows how a single compromised AI integration can bypass MFA, undermine trust in “safe” SaaS ecosystems, and expose massive volumes of sensitive business data.

What Happened: Incident Overview

In early August 2025, Google’s Threat Intelligence Group (GTIG) observed a widespread data theft campaign targeting Salesforce customer instances. The attacks, attributed to threat cluster UNC6395, ran from approximately August 8 to August 18, 2025. Attackers used compromised OAuth tokens associated with Salesloft’s Drift AI chatbot—a third-party app integrated with Salesforce via OAuth—to authenticate as trusted applications and query Salesforce data directly. (Google Cloud)

Customers first became aware of anomalies when Salesforce and Google began issuing advisories about unusual SOQL queries and large export jobs, and when Salesforce revoked the Drift integration’s access tokens. FINRA later confirmed that over 700 organizations were impacted, including financial institutions, technology firms, and government agencies. (FINRA)

Subsequent disclosures revealed that attackers had been inside Salesloft’s environment for months. They used their foothold to steal OAuth tokens tied to Drift and other integrations, then systematically accessed Salesforce instances to exfiltrate CRM data, support-case records, and embedded secrets. (CyberScoop)

How the Breach Happened

The breach was fundamentally an AI SaaS supply-chain attack driven by OAuth abuse:

  • Initial access: Attackers compromised Salesloft’s GitHub account as early as March 2025 via an OAuth-related weakness, giving them persistent access to code and configuration repositories. (CyberScoop)
  • Token and secret theft: From that foothold in Salesloft’s environment, UNC6395 located and exfiltrated OAuth access and refresh tokens associated with the Drift AI chatbot and other integrations, along with embedded credentials. (Cyber Security News)
  • Abuse of delegated access: Using those tokens, attackers impersonated Drift across customer Salesforce instances, issuing SOQL queries and bulk export jobs that looked like routine app activity rather than a new user login. Because the tokens carried Drift’s already-granted authorization, no interactive login occurred and MFA was never prompted, so MFA and many traditional access controls were effectively bypassed. (Google Cloud)
  • Stealth: The threat actors deleted the query jobs they had run to cover their tracks; the underlying Salesforce event logs were not affected, which allowed defenders to reconstruct much of the activity. (IT Pro)

AI’s role was not a model jailbreak but an AI-enabled integration: a popular chatbot and automation layer (Drift) that sat between users and Salesforce. Once that integration was compromised, it became an ideal covert channel into core SaaS data.
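
The two defensive steps this chain implies, spotting a connected app that suddenly bulk-reads sensitive objects and finding which secrets sat in the exported records, are shown below as an added example. It is not code from the original post or from PointGuard AI. The event and support-case records are constructed; their field names only resemble Salesforce Event Monitoring rows and are an assumption, as are the "Drift" app name, its row baseline, and the secret patterns.

```python
# Added example: detection and triage for delegated-access abuse through a
# Salesforce connected app. Records, field names, baseline and patterns are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Objects the campaign is reported to have bulk-read via the stolen tokens.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}

# Assumed per-app baseline: rows an integration normally reads in one window.
# Derive this from the app's own history in practice; apps with no baseline
# get a limit of 0, so any read of a sensitive object is flagged.
BASELINE_ROWS = {"Drift": 500}

# Constructed API events: one connected app, one integration user, a COUNT()
# reconnaissance query, then full-object reads returning far more rows than usual.
EVENTS = [
    {"ts": "2025-08-09T02:10:00Z", "app": "Drift", "user": "drift-integration@acme.example",
     "soql": "SELECT Id, Name FROM Account WHERE LastModifiedDate = TODAY", "rows": 40},
    {"ts": "2025-08-09T02:12:00Z", "app": "Drift", "user": "drift-integration@acme.example",
     "soql": "SELECT COUNT() FROM Case", "rows": 1},
    {"ts": "2025-08-09T02:13:00Z", "app": "Drift", "user": "drift-integration@acme.example",
     "soql": "SELECT Id, Subject, Description FROM Case", "rows": 180000},
    {"ts": "2025-08-09T02:14:00Z", "app": "Drift", "user": "drift-integration@acme.example",
     "soql": "SELECT Id, Email, Phone FROM Contact", "rows": 95000},
    {"ts": "2025-08-09T09:00:00Z", "app": "Drift", "user": "drift-integration@acme.example",
     "soql": "SELECT Id, Email FROM Contact WHERE Email = 'a@b.example'", "rows": 1},
]

SOQL_FROM = re.compile(r"\bFROM\s+([A-Za-z_]\w*)", re.IGNORECASE)
SOQL_COUNT = re.compile(r"\bSELECT\s+COUNT\s*\(\s*\)", re.IGNORECASE)


def soql_object(soql):
    """Return the object a SOQL statement reads from, or None if it has no FROM clause."""
    m = SOQL_FROM.search(soql)
    return m.group(1) if m else None


def find_bulk_read_anomalies(events, baseline=BASELINE_ROWS,
                             window=timedelta(minutes=10), factor=10):
    """Flag each app whose reads of sensitive objects within one sliding window
    exceed factor * its baseline. A COUNT() query in the window is recorded as recon."""
    reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        obj = soql_object(e["soql"])
        if obj in SENSITIVE_OBJECTS:
            ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            reads[e["app"]].append((ts, obj, e["rows"], e["soql"]))

    findings = []
    for app, rows in reads.items():
        limit = factor * baseline.get(app, 0)
        for i, (t0, _, _, _) in enumerate(rows):
            total, objects, recon = 0, set(), False
            for t, obj, n, soql in rows[i:]:
                if t - t0 > window:
                    break
                total += n
                objects.add(obj)
                recon = recon or bool(SOQL_COUNT.search(soql))
            if total > limit:
                findings.append({"app": app, "window_start": t0, "rows": total,
                                 "objects": sorted(objects), "recon": recon})
                break  # one finding per app is enough to open an investigation
    return findings


# Secret types the attackers are reported to have hunted for in exported Case
# text. The Snowflake pattern is a loose host-name match; tune it for your data.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[a-z0-9-]+\.snowflakecomputing\.com\b", re.IGNORECASE),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}

# Constructed support cases; the AWS key is Amazon's documented example value.
CASES = [
    {"Id": "500000000000001", "Description": "S3 sync fails with key AKIAIOSFODNN7EXAMPLE, please check."},
    {"Id": "500000000000002", "Description": "Temp login for the engineer: password=Winter2025! reset after."},
    {"Id": "500000000000003", "Description": "Warehouse at acme-prod.snowflakecomputing.com is slow since Monday."},
    {"Id": "500000000000004", "Description": "Questions about Q3 renewal pricing."},
]


def find_exposed_secrets(cases):
    """Map case Id -> secret types found in its text, so owners know what to rotate."""
    hits = {}
    for case in cases:
        kinds = [k for k, p in SECRET_PATTERNS.items() if p.search(case.get("Description", ""))]
        if kinds:
            hits[case["Id"]] = kinds
    return hits


if __name__ == "__main__":
    for f in find_bulk_read_anomalies(EVENTS):
        print(f"[ALERT] {f['app']} read {f['rows']} rows of {f['objects']} "
              f"from {f['window_start']:%Y-%m-%d %H:%M}Z (recon={f['recon']})")
    for case_id, kinds in find_exposed_secrets(CASES).items():
        print(f"[ROTATE] Case {case_id}: {', '.join(kinds)}")
```

The detector keys on the connected app rather than on a human user, because that is where the stolen tokens show up: the login looks legitimate, so the only signal is volume and object coverage against the app's own baseline. The secret scan is the triage step that turns "Cases were exported" into a concrete rotation list.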

Impact: Why It Matters

The Salesforce–Salesloft–Drift incident is a watershed moment for AI and SaaS security:

  • Breadth of exposure: More than 700 organizations were impacted across sectors, including high-profile technology and security vendors like Cloudflare, Palo Alto Networks, and Zscaler. (SOCRadar® Cyber Intelligence Inc.)
  • Data exfiltrated: Attackers pulled massive datasets from Salesforce—Accounts, Contacts, Cases, Opportunities, and Users—along with access keys, Snowflake tokens, passwords, and other secrets often embedded in support-case notes. (IT Pro)
  • Business and privacy risk: Stolen contact records and secrets can fuel spear-phishing, account takeover, fraud, and follow-on attacks against customers and partners. Regulatory exposure (e.g., under sectoral privacy rules and financial regulations) is substantial. FINRA’s alert underscores the significance for regulated firms. (FINRA)
  • Systemic lesson: The breach demonstrates that OAuth-based AI integrations can become systemic attack paths. Once a trusted third-party app is compromised, its delegated access can undermine even mature zero-trust and MFA programs. (Cloud Security Alliance)

For organizations using AI-driven SaaS tools, this incident shows that AI supply-chain governance is now a core security requirement—not an edge case.

PointGuard AI Perspective

The Salesforce–Salesloft–Drift breach is a textbook example of AI supply-chain compromise via OAuth, not a conventional app or infrastructure bug. A single AI chatbot integration became the pivot point into hundreds of Salesforce instances because its delegated access and token lifecycle were not sufficiently governed.

PointGuard AI helps enterprises defend against this class of incident by:

  • AI & SaaS Asset Discovery: Automatically identifying AI-enabled integrations (like Drift), connected SaaS platforms, and all associated OAuth relationships so teams know which agents and apps can touch critical data.
  • Access and Token Governance: Continuously monitoring OAuth scopes, token usage, and third-party app permissions to flag over-privileged integrations and stale or risky tokens before they are abused.
  • Behavioral Analytics on Integrations: Profiling normal usage patterns for AI agents and SaaS apps (e.g., SOQL query frequency, export volume, object access) and detecting anomalies consistent with automated data theft.
  • AI Supply-Chain Risk Management: Providing an AI SBOM and vendor-risk view of models, agents, and SaaS integrations, including provenance and exposure paths—so security teams can prioritize validation and containment.
  • Incident Response Acceleration: When an integration like Drift is compromised, PointGuard AI helps quickly identify affected systems, revoke access, and verify containment across the AI and SaaS stack.

This incident confirms that AI security is inseparable from modern AppSec and SaaS security. Organizations must treat AI agents, SaaS integrations, and OAuth connections as first-class security citizens, with continuous visibility and control.

Incident Scorecard Details

Total AISSI Score: 9.5 / 10

Criticality = 10, Large-scale data theft from production Salesforce instances at over 700 organizations, including major tech and financial firms.

Propagation = 9, A single compromised Drift integration and stolen tokens enabled access to hundreds of separate Salesforce tenants during a 10-day campaign.

Exploitability = 9, Attackers needed to compromise Salesloft’s GitHub and harvest tokens, but once achieved, OAuth-based access made exploitation straightforward.

Supply Chain = 9, Classic third-party SaaS and AI supply-chain breach, exploiting trust in a widely used AI chatbot integration to bypass direct controls on Salesforce.

Business Impact = 10, Exposure of CRM data, secrets, and support content creates long-term risks: fraud, spear-phishing, regulatory scrutiny, and significant reputational damage.

Sources

  • Google Cloud Threat Intelligence Blog: Data theft from Salesforce instances via Salesloft Drift (Google Cloud)
  • FINRA Cybersecurity Alert: Salesloft Drift AI Supply Chain Attack (FINRA)
  • CyberScoop: Salesloft Drift attack root cause: GitHub OAuth compromise (CyberScoop)
  • PointGuard AI: 5 Lessons from the Salesforce–Salesloft Breach (Cloud Security Alliance)
