Supply Chain Blind Spots: Lessons from the Salesforce/Salesloft/Drift Breach

- Attackers gained access to Salesloft’s GitHub account between March and June 2025.
- Using this foothold, they stole OAuth tokens and leveraged them in early August to siphon data from Salesforce environments.
- Over 700 companies were impacted, including some of the world’s most sophisticated security vendors.
- Stolen data included AWS keys, Snowflake tokens, passwords, and customer support case records.

This breach shows how supply-chain attacks now move sideways through SaaS integrations, not just through vendor networks. The path ran GitHub → Drift → Salesforce → downstream customers, and each trust relationship expanded the blast radius.
Most organizations struggle to answer a simple question: What third-party services have implicit access to my environment? Without full visibility, these blind spots become invisible attack paths.

- Modeling trust relationships across SaaS, cloud, and on-prem infrastructure.
- Identifying unscanned subnets and unmonitored connections where hidden exposures live.
- Prioritizing remediation in line with Gartner’s CTEM framework, so the riskiest exposures get fixed first.

OAuth tokens and API integrations are now a primary target. The Salesforce/Salesloft/Drift breach is not an isolated incident—it’s a preview of how attackers will continue to exploit SaaS trust models. By gaining visibility into every connection, mapping exposure paths, and continuously validating segmentation, organizations can dramatically reduce the blast radius of the next supply-chain attack.
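
One way to answer the "what has implicit access to my environment?" question is to treat every integration grant as a directed edge and walk the graph. The sketch below is an added example, not code from the article or any vendor; the asset names, grant labels and the `hr-saas`/`okta-tenant` pair are constructed, and only the GitHub → Drift → Salesforce chain mirrors the path described above.

```python
from collections import deque

# Constructed inventory: (source, target, grant) means a credential or grant
# held in `source` is accepted by `target`. Labels and the hr-saas/okta-tenant
# pair are hypothetical; the first chain follows the path in the article.
TRUST_EDGES = [
    ("github-repo", "drift-app", "vendor foothold"),
    ("drift-app", "salesforce-org", "OAuth token"),
    ("salesforce-org", "aws-account", "AWS key in stored data"),
    ("salesforce-org", "snowflake-dw", "Snowflake token in stored data"),
    ("hr-saas", "okta-tenant", "API token"),
    ("okta-tenant", "hr-saas", "SSO session"),  # cycle, to show it is handled
]

def build_graph(edges):
    graph = {}
    for src, dst, grant in edges:
        graph.setdefault(src, []).append((dst, grant))
        graph.setdefault(dst, [])  # leaf assets still appear as nodes
    return graph

def blast_radius(graph, compromised):
    """Map every asset reachable from `compromised` to its shortest trust path."""
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for dst, _grant in graph.get(node, []):
            if dst not in paths:  # visited check also breaks cycles
                paths[dst] = paths[node] + [dst]
                queue.append(dst)
    del paths[compromised]
    return paths

def implicit_access(graph, target):
    """Assets that can reach `target` only through someone else's grant."""
    direct = {s for s, outs in graph.items() if any(d == target for d, _ in outs)}
    return sorted(n for n in graph
                  if n != target and n not in direct and target in blast_radius(graph, n))

def rank_by_exposure(graph):
    """Order assets by how many others fall with them, largest first."""
    return sorted(((len(blast_radius(graph, n)), n) for n in graph), reverse=True)

if __name__ == "__main__":
    g = build_graph(TRUST_EDGES)
    for asset, path in blast_radius(g, "github-repo").items():
        print(f"{asset}: {' -> '.join(path)}")
    print("implicit access to aws-account:", implicit_access(g, "aws-account"))
    print("fix first:", rank_by_exposure(g)[:3])
```

In practice the edge list would be exported from connected-app and OAuth grant inventories rather than typed by hand; the ranking gives a starting order for remediation.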




