What the Salesloft Drift Breach Reveals About Trust and Risk

When trust in SaaS becomes a liability, every MSP should take notice. The recent compromise of Salesloft through its Drift integration proves how quickly a trusted business tool can turn into a threat vector for hundreds of organizations. The following sections break down key insights from this attack and offer headlines for follow-up coverage.

Salesloft Drift Attack: Supply Chain Breach Hits Hundreds

In August 2025, threat actors targeted Salesloft’s Drift integration, exploiting OAuth tokens to access Salesforce environments at scale. The attack lasted 10 days — from August 8 to 18 — before emergency measures disabled all Drift integrations, but not before sensitive data was exfiltrated from over 700 organizations, including high-profile security vendors. The source of the breach was traced back to a March compromise of Salesloft’s GitHub account, allowing attackers to download repository content and set up persistence.

What The Hackers Wanted: Credential Harvesting, Quietly

Unlike ransomware gangs seeking rapid payout, the attackers focused on quiet, large-scale data harvesting. Their goals were twofold:

Sift through stolen Salesforce records (cases, accounts, support notes) for embedded secrets like API keys, AWS tokens, and passwords.
Monetize exfiltrated data over time through underground sales, phishing, and targeted follow-on attacks rather than public blackmail.

No ransom demands were reported, reinforcing the intent of long-term credential theft rather than immediate financial extortion.

Who Was Behind It: UNC6395 and Their Playbook

The primary threat group is UNC6395 (“GRUB1”), tracked by Google and Mandiant, with some unsubstantiated claims from ShinyHunters and Scattered LAPSUS$ Hunters 4.0 being largely discredited. UNC6395’s tactics included:

Gaining long-standing access via a GitHub compromise months before the main breach.
Using open-source tools like TruffleHog for secrets discovery once inside, along with careful deletion of query jobs to limit forensic visibility.
Demonstrating operational sophistication in maintaining persistence, even creating new user accounts for fallback access after token revocation.

Where The Gaps Were: OAuth Abuse and Overtrusted Integrations

Attackers capitalized on several critical weaknesses:

Poor secrets management: OAuth tokens stored insecurely and with excessive permissions in cloud environments.
Supply chain sprawl: Trust extended too far into integrated tools (Drift, Salesforce) meant the breach of one exposed many.
Lack of comprehensive, automated monitoring for anomalous activity across SaaS integrations, allowing attacker activity to mimic legitimate workflow and evade detection for days.

The TPRM Reckoning: Vendor Risk is Customer Risk

The incident exposes major blind spots in Third-Party Risk Management (TPRM) and compliance practices:

Organizations learned that a vendor’s security is indistinguishable from their own; compromise of an upstream vendor equals compromise of the downstream enterprise.
TPRM programs need to include not only direct suppliers but also their integrations and dependencies — so-called fourth-party risk.
Enhanced due diligence is needed for OAuth-heavy connectors, monitoring for high-volume data exports, excessive permissions, and policy drift in connected apps.
Compliance processes must evolve to demand transparency in token management, secrets rotation, and incident notification from vendors, as well as from the integrations they use.

This attack serves as a wake-up call: SaaS trust relationships can be as dangerous as any direct vulnerability. The modern MSP’s toolkit must now include supply chain visibility, continuous third-party assessment, and close scrutiny of every OAuth workflow.

How Blacksmith Helps

Blacksmith Infosec helps MSPs manage third-party risk with practical, accessible, and effective solutions designed for real-world complexity. With Blacksmith’s centralized vendor management tool, you can track, assess, and document the security practices of every vendor in your supply chain, not just the primary ones. With features such as risk tiering, automated audit schedules, and seamless integration with business systems, Blacksmith simplifies compliance while delivering actionable oversight of vendor risk — and, crucially, makes it easy for organizations to stay ahead of evolving regulatory requirements.

Rather than treating TPRM as a once-a-year checklist, Blacksmith Infosec advocates and enables a continuous, relationship-focused approach. This approach helps organizations understand the risk each partner brings, prioritize critical reviews, maintain strong evidence of compliance, and facilitate transparent communication about security obligations — all essential attributes in a threat landscape driven by SaaS supply chain risk. With Blacksmith, TPRM becomes a business enabler, strengthening trust, resilience, and long-term security across the entire ecosystem.