The Saga Continues: More Dirt on the Salesforce–Drift Breach
Hundreds of organizations have now confirmed they were impacted, including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, and financial services firms like Wealthsimple. The root cause? A compromised GitHub account that gave attackers access to Drift’s AWS environment and, ultimately, sensitive Salesforce data.
This breach is no longer just about OAuth tokens. It’s about supply chain security, secure software development, and the ripple effects of SaaS compromises.
New Revelations: GitHub as the Weak Link
It turns out the attackers didn’t start with Salesforce. They started with GitHub. By compromising a GitHub account belonging to Salesloft (Drift’s parent company), they allegedly found hard-coded AWS keys, which opened the door to Drift’s production environment. From there, attackers stole OAuth tokens in June and exfiltrated customer data in August.
The dwell time is alarming: attackers lurked for months before detection. “What breaches are happening right now that we’re going to find out about in six months?” Sherri Davidoff, founder of LMG Security, asked in our Cyberside Chats podcast.
This is not an isolated event. The GhostAction campaign, disclosed in 2025, compromised 300+ GitHub accounts and exfiltrated more than 3,000 secrets. Attackers are increasingly targeting code repositories as stepping stones into SaaS environments.
The SaaS Breach Domino Effect
We’re only at the beginning of the fallout. Wealthsimple has already disclosed that stolen data included government ID numbers. Other organizations are still working through inventories to figure out what was exposed.
This delay is typical. “Even if it’s a third party that’s been breached, it’s your incident. You should follow your incident response process,” Matt Durrin, director of research and training for LMG Security, explained.
Like MOVEit and Blackbaud, the Salesforce–Drift breach will ripple for months, even years. Each affected organization must investigate, notify customers, and possibly trigger regulatory disclosures. Those customers may then have to notify their own clients — creating a cascading chain of exposure.
SaaS Incident Response: A Playbook for What’s Next
If your organization hasn’t been directly affected, don’t let your guard down. SaaS compromises are here to stay, and the best defense is preparation. That’s why we recently published a Checklist for SaaS Incident Response to help leaders move quickly and consistently when the next breach hits. The checklist emphasizes treating any suspected vendor compromise as your own incident, engaging external support early, notifying your cyber insurer, rotating API keys and OAuth tokens, inventorying sensitive data in advance, and hunting for attacker activity in SaaS logs.
Big-Picture Lessons: SaaS Security in 2025
The Salesforce–Drift breach drives home several lessons for CISOs and IT leaders:
- Assume SaaS breaches will cascade. Vendors’ compromises quickly become your problem. Prepare for delayed disclosures, regulatory obligations, and downstream impacts.
- Monitoring SaaS is as important as on-prem. Too many organizations assume cloud platforms are “safe by default.” They’re not. Proactively review logs, configure alerts, and integrate SaaS telemetry into your SIEM or detection program.
- Secure development practices are non-negotiable. Whether within your organization or your vendors, eliminate hard-coded secrets, enforce MFA for developer accounts, and require code review. Ask vendors about their software security practices—weak dev hygiene in the supply chain can quickly become your exposure.
- Data is hazardous material. The more you collect, the more you risk in a breach. Minimize retention wherever possible, including in the cloud.
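One concrete way to act on the "eliminate hard-coded secrets" lesson, aimed at the exact failure behind this breach (AWS keys committed to a repository): a pre-commit check that scans staged changes for AWS credential material. This is an added example, not LMG Security's code or anything from the original post; the access-key-ID format is AWS's documented one, the secret-key regex is a heuristic, and the sample config and git hook wiring are assumptions.

```python
import re
import subprocess
from typing import List, Tuple

# Access key IDs follow AWS's documented format: AKIA (long-term) or ASIA
# (temporary) plus 16 uppercase alphanumerics. The secret-key pattern is a
# heuristic: a 40-char base64-style token assigned to a name with "aws" and "secret".
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def redact(value: str) -> str:
    """Keep only the first and last four characters so the report never re-leaks the key."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def find_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every AWS key found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_staged_changes() -> List[Tuple[int, str, str]]:
    """Pre-commit hook body: scan only lines being added in the staged diff.
    Line numbers index the added lines, not the file (assumes the git CLI is present)."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    added = [ln[1:] for ln in diff.splitlines()
             if ln.startswith("+") and not ln.startswith("+++")]
    return find_aws_credentials("\n".join(added))

# Constructed sample using AWS's published placeholder credentials (not real keys).
SAMPLE_CONFIG = """AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AWS_REGION = "us-east-1"
"""

if __name__ == "__main__":
    hits = scan_staged_changes()
    for _, kind, value in hits:
        print(f"blocked commit: {kind} in staged changes ({value})")
    raise SystemExit(1 if hits else 0)
```

Installed as `.git/hooks/pre-commit` (an assumed wiring), the script exits non-zero and blocks the commit whenever a key is found; running `find_aws_credentials` over existing files covers secrets that were committed before the hook existed.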
“The compromise of a GitHub account can be the first domino in a catastrophic chain of supply chain attacks,” Davidoff noted. For more details on this attack, watch episode 37 of Cyberside Chats.
Conclusion: Don’t Wait for the Next Domino
Last week, we emphasized connected app risks. This week, the story has expanded: the root cause was a GitHub compromise, and the ripple effects will be felt for months.
The message is clear: SaaS security is supply chain security. To protect your organization, you need proactive monitoring, strong development practices, and a tested incident response plan.
LMG Security helps organizations prepare through SaaS-focused tabletop exercises, penetration testing, and risk assessments. Contact us to learn how we can help your team get ahead of the next SaaS domino.
Because when the chain reaction starts, you’ll want to be ready.