Blast Radius of Salesloft Drift Attacks Remains Unclear

Summary

Between 8 and 18 August, threat actor UNC6395 abused Salesloft's Drift by stealing OAuth access and refresh tokens from its Salesforce integration. The stolen tokens enabled lateral movement into customer Salesforce instances and resulted in numerous downstream disclosures from organisations such as Zscaler, Palo Alto Networks, Cloudflare, Proofpoint and Tenable. While many victims report exposure of business contact and support-case data, some disclosures warn that support interactions can contain configuration details and access tokens, so the true severity remains uncertain.

Context and relevance

This is a notable supply‑chain incident because OAuth tokens behave like trusted credentials: attackers using them can look like legitimate applications and evade normal account‑compromise alerts. The campaign highlights gaps in token constraint controls across SaaS integrations and the ongoing trend of attackers weaponising third‑party platforms to reach upstream customers.

Key Points

  • UNC6395 stole OAuth and refresh tokens from Salesloft’s Drift Salesforce integration and used them to access customer Salesforce instances.
  • Multiple major vendors (Zscaler, Palo Alto Networks, Cloudflare, Proofpoint, Tenable) disclosed downstream impacts; the full blast radius remains unknown.
  • Most reported exposures are business contact info and support‑case data, but some support tickets may contain sensitive configuration details or access tokens.
  • OAuth tokens are high‑value credentials — access gained via tokens can appear legitimate and bypass typical detection.
  • Okta says its defences (inbound IP restrictions, DPoP, IPSIE token handling) prevented a breach; it recommends wider adoption of these controls.
  • Recommended immediate actions: review logs for anomalous access, rotate exposed credentials/tokens, and limit token scope and usage by IP/client where possible.
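As an added example of the first two recommended actions (it is not code from the Dark Reading article or from any of the vendors named above), the script below does two triage checks over constructed sample data: it flags OAuth connected-app logins that arrive from outside an integration's expected source ranges or from an application with no allowlist entry, and it scans a support-case body for credential-shaped strings that would need rotating. The record field names, the per-integration IP ranges and the sample case text are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample rows shaped like Salesforce LoginHistory records.
# The field names used here (Username, Application, LoginType, SourceIp,
# Status, LoginTime) are assumptions for this example. Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOGINS = [
    {"Username": "drift-integration@example.com", "Application": "Drift",
     "LoginType": "Remote Access 2.0", "SourceIp": "203.0.113.10",
     "Status": "Success", "LoginTime": "2025-08-10T09:12:00Z"},
    {"Username": "drift-integration@example.com", "Application": "Drift",
     "LoginType": "Remote Access 2.0", "SourceIp": "198.51.100.77",
     "Status": "Success", "LoginTime": "2025-08-12T02:41:00Z"},
    {"Username": "alice@example.com", "Application": "Browser",
     "LoginType": "Application", "SourceIp": "192.0.2.5",
     "Status": "Success", "LoginTime": "2025-08-12T08:00:00Z"},
    {"Username": "svc-unknown@example.com", "Application": "Unknown App",
     "LoginType": "Remote Access 2.0", "SourceIp": "198.51.100.78",
     "Status": "Success", "LoginTime": "2025-08-13T03:05:00Z"},
]

# Assumed per-integration source ranges; a real deployment would take these
# from the vendor's published egress addresses.
ALLOWED_SOURCES = {"Drift": ["203.0.113.0/24"]}


def anomalous_oauth_logins(records, allowed_sources):
    """Return (record, reason) pairs for successful OAuth connected-app
    logins that either come from outside the integration's known ranges
    or belong to an application with no allowlist entry at all."""
    findings = []
    for rec in records:
        # "Remote Access 2.0" is the OAuth login type; browser logins are skipped.
        if rec["LoginType"] != "Remote Access 2.0" or rec["Status"] != "Success":
            continue
        app = rec["Application"]
        ip = ipaddress.ip_address(rec["SourceIp"])
        ranges = allowed_sources.get(app)
        if ranges is None:
            findings.append((rec, f"OAuth login by unlisted application {app!r}"))
        elif not any(ip in ipaddress.ip_network(cidr) for cidr in ranges):
            findings.append((rec, f"{app} token used from unexpected source {ip}"))
    return findings


# Credential-shaped patterns that tend to get pasted into support cases.
# The Salesforce session-ID shape is "<15-char org id starting 00D>!<token>";
# the other two are generic.
TOKEN_PATTERNS = {
    "salesforce_session_id": re.compile(r"\b00D[0-9A-Za-z]{12}![A-Za-z0-9._]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}

# Constructed support-case text with two pasted secrets (values are invented).
SAMPLE_CASE_BODY = (
    "Customer reports sync failures. Debug output pasted by engineer:\n"
    "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructedpayloadconstructed.sig\n"
    "sid=00Dxx0000001gXX!AQ4AQconstructedSessionTokenValue0123456789\n"
    "No further action.\n"
)


def find_credential_like_strings(text):
    """Count matches per pattern so a reviewer knows which case bodies need
    their embedded credentials rotated before assuming 'contact data only'."""
    hits = {}
    for name, pattern in TOKEN_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


if __name__ == "__main__":
    for rec, reason in anomalous_oauth_logins(SAMPLE_LOGINS, ALLOWED_SOURCES):
        print(f"{rec['LoginTime']} {rec['Username']}: {reason}")
    print("credential-like strings in case:", find_credential_like_strings(SAMPLE_CASE_BODY))
```

Run against a real export, the first check is what turns "a token was stolen" into a list of specific sessions to investigate, and the second is what decides whether exposed support cases carry only contact data or live secrets that need rotating.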

Why should I read this?

Short version: if your organisation uses Salesforce or any SaaS that links into other vendors, this matters. Attackers are stealing tokens that let them masquerade as legitimate apps — so check your logs, rotate any tokens, and push vendors to support token constraints (IP/client/DPoP). You’ve been warned — and saved time because we read the messy disclosures so you don’t have to.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/salesloft-drift-attacks-blast-radius-uncertain