Salesloft + Drift Breach: OAuth lessons from Sep 2025

How attackers lived for months in vendor GitHub, pivoted into cloud, and fanned out via OAuth tokens into 700+ Salesforce orgs.

2025-09-13 · Appsecco

(Full analysis to be added. This MDX will also embed a short founder video once recorded.)

TL;DR: Dwell in vendor GitHub → pivot to cloud with stolen creds → exfil central OAuth cache → fan-out into customer Salesforce orgs.

Outline (to fill in later)

  • Timeline and dwell time
  • Secrets & CI artifacts in GitHub
  • Pivot path into vendor AWS
  • OAuth token cache (scope, rotation, revocation)
  • Fan-out into customer orgs and detection gaps
  • What to fix (token hygiene, segregation, detection)
  • Checklist PDF + video summary