Aug 28, 2025 | 5 min

Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

Non-Human Identities in the Crosshairs

This week, a sophisticated campaign exposed the growing risks posed by Non-Human Identities (NHIs), such as OAuth tokens, API keys, service accounts, AI agents, and more, that silently connect our SaaS and cloud ecosystems. Attackers breached Salesloft’s Drift AI Chat integration and stole the OAuth tokens that granted that integration access to Salesforce. With those NHIs in hand, the attackers moved freely through Salesforce customer environments, bypassing human logins, Multi-Factor Authentication (MFA), and traditional identity defenses.

The breach, attributed to threat actor UNC6395, compromised the Salesforce instances of hundreds of organizations, harvesting both customer data and embedded cloud credentials. It’s a vivid reminder: the weakest link isn’t always a user password; it’s often a machine identity trusted too much and monitored too little.

The Attack: When an NHI Becomes a Backdoor

Here’s how the Salesloft–Drift NHI breach unfolded:

  1. NHI Compromise: The attackers stole OAuth access and refresh tokens tied to the Drift AI Chat app. These tokens functioned as powerful NHIs, carrying pre-approved privileges into Salesforce.
  2. Trusted Access: With valid tokens, the attackers authenticated directly as the Drift integration. No human accounts, no MFA. Salesforce recognized the NHI as legitimate and opened the door.
  3. Reconnaissance: Using Salesforce’s query APIs, the adversary enumerated data objects, gauging where the richest targets lay.
  4. Data Exfiltration: Over ten days, they exported vast amounts of account, opportunity, and case data by appearing as “normal” app activity.
  5. Credential Harvesting: Buried inside Salesforce records, the attackers found AWS keys, Snowflake tokens, and other secrets. By compromising one NHI, they seeded new breaches across cloud and data platforms.
  6. Evasion: Logs were deleted, queries disguised, and access patterns blended into the background of trusted app behavior.

The incident illustrates a sobering truth: every OAuth token is an NHI with real power. If it’s stolen or abused, it can be as damaging as a compromised administrator account.

Business Impact: The Cascading Risk of NHI Compromise

The fallout of this breach underscores why NHIs are high-value targets:

  • Data Confidentiality: Salesforce records containing sensitive customer information were exposed across hundreds of organizations.
  • Credential Propagation: Secrets harvested from Salesforce could enable follow-on compromises of AWS, databases, or other business systems.
  • Blind Spots: Traditional monitoring often focuses on humans, leaving NHIs like OAuth tokens unmonitored even when they hold broad permissions.
  • Supply Chain Amplification: One compromised SaaS app cascaded into hundreds of Salesforce tenants. Attack one, breach many.
  • Operational Disruption: Revoking and re-establishing integrations consumed security and admin teams’ bandwidth while disrupting critical workflows.
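The “Credential Harvesting” and “Credential Propagation” points above describe secrets sitting inside CRM records, where a stolen integration token turns one breach into several. The script below is an added example, not code from Token Security or Salesforce: it scans a constructed set of record text fields for embedded cloud credentials so they can be found and rotated before an attacker with a hijacked NHI reads them. The record format, record IDs and sample values are invented for illustration; the AWS access key ID in the sample is the placeholder key AWS publishes in its own documentation, and the `credential_assignment` pattern is a keyword heuristic, not a vendor-specific token format.

```python
"""
Defensive secret scan over CRM record text fields.
Added example; constructed records and heuristic patterns, not a vendor API.
"""
import re
from typing import Dict, List, NamedTuple, Pattern

# Constructed records: the shape a Salesforce export might be flattened into.
# Record IDs and text are invented; "AKIAIOSFODNN7EXAMPLE" is AWS's documented
# placeholder access key ID, not a live credential.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "CASE-0001", "object": "Case", "field": "Description",
     "text": "Customer's ingest job fails; they pasted their IAM key "
             "AKIAIOSFODNN7EXAMPLE in the ticket."},
    {"id": "CASE-0002", "object": "Case", "field": "Description",
     "text": "Attached config contains\n-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n"},
    {"id": "OPP-0003", "object": "Opportunity", "field": "Notes",
     "text": "Snowflake trial: account acme-xy12345, token=tk_0Mq8Xz3rT7vB1nK9cL2wE5 for the POC."},
    {"id": "CON-0004", "object": "Contact", "field": "Description",
     "text": "Prefers email over phone; renewal call scheduled for Q4."},
]

# Detection patterns. The first two match well-known fixed formats; the third
# is a heuristic: a credential-like keyword followed by a long opaque value.
PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=.]{16,})"),
}


class Finding(NamedTuple):
    record_id: str
    object: str
    field: str
    pattern: str
    redacted: str   # never carry the full secret into alerting systems


def redact(value: str) -> str:
    """Keep just enough of the match to triage it, never the whole value."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_records(records: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per pattern hit, in record order then pattern order."""
    findings: List[Finding] = []
    for rec in records:
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(rec["text"]):
                findings.append(Finding(rec["id"], rec["object"], rec["field"],
                                        name, redact(m.group(0))))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.object}.{f.field}: {f.pattern} -> {f.redacted}")
```

Findings carry only a redacted prefix and length, so the scan output itself does not become another place where the secret is stored. Each hit should feed a rotation ticket for the owning team and a cleanup of the record, which removes the value an attacker holding a hijacked integration token would otherwise harvest.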

The Solution: Securing NHIs with Token Security

At Token Security, we believe incidents like the Salesloft–Drift breach are a clear call to treat Non-Human Identities as first-class citizens of security. Our platform is built for NHI security: it provides the visibility, context, and automated defenses needed to protect against exactly this type of attack.

Here’s how:

  • Deep Visibility into NHIs: Token Security continuously discovers and inventories every OAuth token, API key, and service account across your SaaS and cloud stack. Security teams gain clarity on which NHIs exist, what permissions they hold, and which services they connect to. In the Drift case, that visibility would have highlighted the breadth of Salesforce access granted to a single chat integration.
  • Contextual Awareness of Dependencies: NHIs don’t exist in isolation. Our platform maps how NHIs interact, which apps they belong to, what data they touch, and how they link services together. By understanding these interdependencies, Token Security identifies risky over-privileged NHIs and sets behavioral baselines. An integration suddenly exporting far more records than usual would stand out immediately.
  • Identity Threat Detection & Response (ITDR) for NHIs: Token Security continuously monitors NHI activity to detect anomalies, from suspicious data exfiltration to access from unusual geographies or infrastructure. When an NHI is hijacked, our ITDR engine detects the misuse in real time and can automatically revoke or quarantine the token before massive data theft occurs.
  • Intelligent Remediation at Scale: When a response is needed, Token Security orchestrates NHI-specific remediation across environments. We can mass-invalidate compromised OAuth tokens, re-scope risky permissions, and rotate exposed secrets. This ensures rapid containment of attacks that could otherwise spread across multiple SaaS and cloud services.
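The attack chain described earlier (reconnaissance through query APIs, then ten days of bulk export that looked like “normal” app activity) and the behavioral-baseline and ITDR points just above come down to one detection question: does this NHI's activity today look like its own history? The following is an added example, not Token Security's detection engine and not Salesforce's log format: it builds a per-integration baseline from a constructed API activity log (daily row volume and the set of source IPs seen during a training window) and flags later days where volume exceeds a multiple of that baseline, where access arrives from infrastructure never seen for that app, or where an integration with no history at all starts querying. App names, IPs, dates and field layout are all constructed.

```python
"""
Per-NHI behavioral baseline over constructed API activity logs.
Added example; not a vendor's engine or a real Salesforce log schema.
"""
from collections import defaultdict
from datetime import date
from statistics import median
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed log: date, connected_app (the NHI), event kind, rows returned, source IP.
# The first week is the training window; Aug 8-9 shows the pattern the post describes.
SAMPLE_LOG = """\
2025-08-01,drift-chat,QUERY,420,198.51.100.10
2025-08-02,drift-chat,QUERY,455,198.51.100.10
2025-08-03,drift-chat,QUERY,390,198.51.100.11
2025-08-04,drift-chat,QUERY,470,198.51.100.10
2025-08-05,drift-chat,QUERY,410,198.51.100.10
2025-08-06,drift-chat,QUERY,440,198.51.100.11
2025-08-07,drift-chat,QUERY,430,198.51.100.10
2025-08-08,drift-chat,BULK_EXPORT,250000,203.0.113.77
2025-08-09,drift-chat,BULK_EXPORT,310000,203.0.113.77
2025-08-01,billing-sync,QUERY,12000,192.0.2.5
2025-08-08,billing-sync,QUERY,12500,192.0.2.5
2025-08-09,unknown-app,QUERY,5,203.0.113.77
"""
TRAINING_END = date(2025, 8, 7)   # last day used to learn "normal"


class Event(NamedTuple):
    day: date
    app: str
    kind: str
    rows: int
    ip: str


class Baseline(NamedTuple):
    median_rows: float      # typical daily row volume for this NHI
    known_ips: Set[str]     # infrastructure this NHI has used before


class Alert(NamedTuple):
    day: date
    app: str
    reason: str
    detail: str


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, app, kind, rows, ip = (f.strip() for f in line.split(","))
        events.append(Event(date.fromisoformat(d), app, kind, int(rows), ip))
    return events


def build_baselines(events: List[Event], training_end: date) -> Dict[str, Baseline]:
    """Per app: median of daily row totals and all source IPs, training window only."""
    per_day: Dict[str, Dict[date, int]] = defaultdict(lambda: defaultdict(int))
    ips: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.day > training_end:
            continue
        per_day[e.app][e.day] += e.rows
        ips[e.app].add(e.ip)
    return {app: Baseline(median(days.values()), ips[app]) for app, days in per_day.items()}


def detect(events: List[Event], baselines: Dict[str, Baseline],
           training_end: date, factor: float = 10.0) -> List[Alert]:
    """Flag post-training days whose volume or source departs from the NHI's history."""
    totals: Dict[Tuple[str, date], int] = defaultdict(int)
    unseen: Dict[Tuple[str, date], Set[str]] = defaultdict(set)
    for e in events:
        if e.day <= training_end:
            continue
        key = (e.app, e.day)
        totals[key] += e.rows
        b = baselines.get(e.app)
        if b is not None and e.ip not in b.known_ips:
            unseen[key].add(e.ip)

    alerts: List[Alert] = []
    for (app, day), rows in sorted(totals.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        b = baselines.get(app)
        if b is None:
            alerts.append(Alert(day, app, "no_baseline", f"{rows} rows from an NHI with no history"))
            continue
        limit = b.median_rows * factor
        if rows > limit:
            alerts.append(Alert(day, app, "volume",
                                f"{rows} rows vs baseline median {b.median_rows:.0f} (limit {limit:.0f})"))
        if unseen[(app, day)]:
            alerts.append(Alert(day, app, "new_source",
                                "first access from " + ", ".join(sorted(unseen[(app, day)]))))
    return alerts


def run_demo() -> List[Alert]:
    events = parse_log(SAMPLE_LOG)
    return detect(events, build_baselines(events, TRAINING_END), TRAINING_END)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.day} {a.app:12} {a.reason:11} {a.detail}")
```

On the constructed data the integration's first export day is hundreds of times its median and comes from an address it has never used, so both signals fire on day one of the export window rather than after ten days; the same logic stays quiet for the high-volume but steady `billing-sync` app, which is the point of keying the threshold to each NHI's own baseline rather than a global number. In production the response to a `volume` or `new_source` alert is the revocation or quarantine step the ITDR point above describes, with the alert detail preserved as the investigation record.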

NHI Security Is Critical for Security Leaders

The Salesloft–Drift OAuth breach is more than an isolated incident. It’s proof that Non-Human Identities are the new frontline of cloud security. Attackers are targeting tokens and service accounts because they offer persistent, trusted access, often with more power than human identities and far less oversight.

Token Security gives organizations the tools to defend this new identity layer: deep visibility, contextual awareness, NHI-focused detection, and intelligent remediation. By elevating NHIs into your identity security program, you can shut down the blind spots that make breaches like this possible.

It’s time to secure the identities you can’t see, because attackers are already finding them.

To learn more about the Token Security Platform for NHI security, set up a demo today: https://www.token.security/book-a-demo
