LMG Security Resources
Back to List
VIDEO

Connected App, Connected Risk: The Salesforce–Drift Incident

Video Summary:

A single weak app integration opened the door for attackers to raid data from some of the world’s largest companies. Salesforce environments were hit hardest—with victims like Cloudflare, Palo Alto Networks, and Zscaler—but the blast radius also reached other SaaS platforms, including Google Workspace.

In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down the Salesforce–Drift breach: how OAuth tokens became skeleton keys, why media headlines about billions of Gmail users were wrong, and what organizations need to do to protect themselves from similar supply chain attacks.

Key Takeaways

  • Ensure Vendors Conduct Rigorous Technical Security Testing
    Require penetration tests and attestations from third- and fourth-party SaaS providers

  • Limit App Permissions to “Least Privilege”
    Scope connected apps only to the fields and objects they truly need

  • Implement Regular Key Rotation
    Automate key rotation with vendor tools (e.g., AWS recommends every 60–90 days) to reduce the risk of leaked or stolen keys

  • Monitor for Data Exfiltration
    Watch for unusual queries, spikes in API usage, or large Bulk API jobs

  • Limit Data Exfiltration Destinations
    Restrict where exports and API jobs can go (approved IPs or managed locations)

  • Integrate SaaS Risks into Your Incident Response Plan
    Include guidance on rapidly revoking or rotating OAuth tokens and keys after a compromise

References
Google Threat Intelligence Group advisory on UNC6395 / Drift OAuth compromise
Cloudflare disclosure on the Drift incident
Zscaler security advisory on Drift-related Salesforce breach
LMG Security Blog – Third-Party Risk Management Lessons

#Salesforcehack #SalesforceDrift #cybersecurity #cyberattack #cyberaware

CONTACT US