
TL;DR
- Supply-chain compromise of Salesloft’s Drift integration allowed attackers to obtain OAuth tokens and API credentials and then query hundreds of Salesforce customer instances. Estimated records impacted reported as ~1.5 billion (unconfirmed aggregate reports).
- Attackers used stolen OAuth/refresh tokens to impersonate the trusted Drift app and extract contact records, case data, API keys and tokens — a high-impact data theft with immediate operational risk.
- Immediate actions: rotate OAuth tokens & API keys, disable affected third-party integrations, search logs for suspicious token usage, and run the copy-paste SOC hunts below.
Author: CyberDudeBivash — cyberdudebivash.com | Published: Oct 11, 2025 — Updated:
What we know (short)
Between Aug 8 and Aug 18, 2025 a threat actor leveraged stolen OAuth credentials tied to Salesloft’s Drift integration to access Salesforce customer environments and extract large volumes of records (support cases, contact lists, and other CRM artifacts). Hundreds of organizations reported impacts; industry aggregators estimate the total exposed records in the billions (reporting varies; ~1.5B is an aggregate figure referenced by multiple trackers). Vendors and Google Threat Intelligence have issued advisories and customer notifications.
Why this matters
- Tokens over passwords: stolen OAuth/refresh tokens let attackers access data without needing user passwords — they impersonate trusted apps. That makes token compromise especially dangerous.
- API credentials & secrets: exposed API keys and tokens can allow attackers to pivot, automate exfiltration, and persist access across automation/tooling.
- Scale & supply-chain risk: a single third-party compromise can cascade to hundreds of SaaS customers — lesson: treat integration tokens as high-value secrets.
Immediate actions for orgs using Salesloft / Drift / Salesforce
- Disable Salesloft/Drift integrations until you’ve rotated tokens and validated the app’s posture. Salesforce has temporarily disabled integrations — follow vendor instructions.
- Rotate all OAuth refresh tokens, client secrets, and API keys associated with Salesloft/Drift or other affected third parties — treat tokens as compromised.
- Search logs for token use anomalies: unusual API queries, mass exports, or sessions from unexpected IPs or user agents — run the hunts below immediately.
- Audit & quarantine sensitive records: identify exposed support tickets, secrets, configs, or API keys and rotate them. Notify legal/compliance and affected customers if required.
- Notify partners & banks: if PII, credentials, or financial tokens appear in stolen data, trigger breach-notification processes and regulatory reporting timelines.
SOC / SIEM hunts
Below are detection queries to run immediately (adjust indices and time ranges to your environment). These are defensive only.
Splunk — detect OAuth token usage anomalies (example; the `token`, `user` and `uri_path` fields depend on your Salesforce add-on's field extractions):

```spl
(index=api OR index=salesforce) sourcetype="salesforce:api" token=*
| stats count BY src_ip, token, user, uri_path
| where count > 500
```

Elastic / ES|QL — large export activity from Salesforce endpoints (field names follow the original query; map them to your own index mapping):

```esql
FROM events
| WHERE http.request.method == "GET" AND http.request.path LIKE "*api*"
| WHERE bytes > 1000000
| STATS count = COUNT(*) BY source.ip, http.request.path
```

Generic Splunk — many object exports from one user in a short time (possible scraper); bucketing by hour is cheaper than `transaction` on large indexes:

```spl
index=* "query" "SELECT" "FROM" "WHERE"
| bin _time span=1h
| stats count AS queries BY user, src_ip, _time
| where queries > 100
```
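The same three hunt patterns (oversized export, token used from an unfamiliar source IP, burst of calls inside a sliding window) implemented in Python over constructed API log events, as an added example that is not part of the original post; the field names, thresholds and the baseline IP set are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names are assumptions:
# ts (UTC ISO-8601), token (hashed OAuth token id), src_ip, path, bytes_out.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:00:00Z", "token": "tok_A", "src_ip": "198.51.100.7",
     "path": "/services/data/v60.0/query", "bytes_out": 40_000},
    {"ts": "2025-08-10T02:05:00Z", "token": "tok_A", "src_ip": "203.0.113.10",
     "path": "/services/data/v60.0/query", "bytes_out": 2_500_000},
] + [  # 120 calls in one hour from the unfamiliar IP: scraper-like burst
    {"ts": f"2025-08-10T03:{i // 2:02d}:{(i % 2) * 30:02d}Z", "token": "tok_A",
     "src_ip": "203.0.113.10", "path": "/services/data/v60.0/query",
     "bytes_out": 50_000}
    for i in range(120)
]
# Assumed baseline: the source IPs each integration token normally uses.
BASELINE_IPS = {"tok_A": {"198.51.100.7"}}


def hunt(events, baseline_ips, window=timedelta(hours=1),
         max_calls=100, max_bytes=1_000_000):
    """Return (kind, token, detail...) findings for the three hunt patterns."""
    findings, seen_pairs, by_token = [], set(), defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_token[e["token"]].append(t)
        # Pattern 1: a single oversized response, i.e. a bulk export.
        if e["bytes_out"] > max_bytes:
            findings.append(("bulk_export", e["token"], e["src_ip"], e["bytes_out"]))
        # Pattern 2: token used from an IP outside its baseline (once per pair).
        pair = (e["token"], e["src_ip"])
        if pair not in seen_pairs and e["src_ip"] not in baseline_ips.get(e["token"], set()):
            seen_pairs.add(pair)
            findings.append(("new_source_ip", e["token"], e["src_ip"], e["path"]))
    # Pattern 3: more than max_calls from one token inside any sliding window.
    for token, times in by_token.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_calls:
                findings.append(("burst", token, end - start + 1, t.isoformat()))
                break  # one burst finding per token is enough to triage
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, BASELINE_IPS):
        print(f)
```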
Copy-paste detection signatures
Sigma — suspicious token usage (adapt field names to your log source):

```yaml
title: Suspicious OAuth token activity - high volume exports
status: experimental
logsource:
  product: generic
detection:
  selection:
    EventType: api_call
    Resource|contains: 'salesforce'
    BytesTransferred|gt: 1000000
  condition: selection
level: high
```

YARA — defensive pattern for config files (flags files that carry common secret names so they can be reviewed and rotated):

```yara
rule Suspected_API_Key_File
{
    meta:
        author = "CyberDudeBivash"
        date = "2025-10-11"
    strings:
        $k1 = "client_secret" ascii
        $k2 = "oauth_token" ascii
        $k3 = "API_KEY=" ascii
    condition:
        any of ($k*)
}
```
Indicators of Compromise (IOC) guidance
Do not invent IOCs publicly. If you have internal IOCs discovered in your environment (IPs, tokens, file hashes), import them to the IOC CSV template (see the SOC PDF / IOC CSV option below) and distribute to detection teams.
Quick remediation play (step-by-step)
- Disable Salesloft/Drift access to Salesforce (org-level).
- Rotate OAuth client secrets, refresh tokens, and all API keys linked to third-party integrations. Log out active app sessions where possible.
- Run the SIEM hunts and isolate hosts or automation services making the suspicious calls.
- Block or rate-limit API endpoints used for large exports until validated traffic returns to baseline.
- Engage vendor support and law enforcement; coordinate cross-customer notification where required.
MITRE ATT&CK mapping (quick)
| Tactic | Technique | Notes |
|---|---|---|
| Initial Access | T1195 (Supply Chain) | Compromise of third-party integration (Drift/Salesloft). |
| Credential Access | T1620 (Obtain Capabilities) | Stolen OAuth tokens & API keys used to access customer instances. |
| Exfiltration | T1041 (Exfiltration over C2 / API) | Large exports of CRM records and case data. |
Product & service picks — quick (affiliate cards)
Kaspersky Endpoint Security
Endpoint EDR, rollback and detection for servers and admin workstations. Protect with Kaspersky
Edureka — Training for SOC teams
Upskill staff on cloud IR, API security, and token management. Recommended for SOC/resilience training. Train SOC teams (Edureka)
Managed XDR — CyberDudeBivash
Fast containment, token rotation playbooks, and API/threat hunting delivered by our IR team. Contact for XDR / IR
FAQ (short)
- Was Salesforce itself breached? Public reporting and vendor statements indicate a third-party (Salesloft/Drift) compromise was exploited to access customer Salesforce instances rather than a platform-wide Salesforce vulnerability. Salesforce and vendors have issued guidance.
- How many records? Reports aggregate impacted records into the billions (figures vary — ~1–1.5B reported by trackers); this is an aggregate of many orgs’ exported data, not a single tenant’s full database. Treat exposure as potentially large.
- What should my organisation do first? Disable affected integrations, rotate tokens and secrets, run the SIEM hunts above, and contact vendor support and law enforcement as appropriate.
Hashtags:
#CyberDudeBivash #Salesloft #Salesforce #OAuth #APIsecurity #SupplyChainAttack #ThreatIntel #IR #SecurityOps #TokenSecurity