Cyberside Chats: Cybersecurity Insights from the Experts

Connected App, Connected Risk: The Salesforce–Drift Incident

Listen Later

A single weak app integration opened the door for attackers to raid data from some of the world’s largest companies. Salesforce environments were hit hardest—with victims like Cloudflare, Palo Alto Networks, and Zscaler—but the blast radius also reached other SaaS platforms, including Google Workspace. In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down the Salesforce–Drift breach: how OAuth tokens became skeleton keys, why media headlines about billions of Gmail users were wrong, and what organizations need to do to protect themselves from similar supply chain attacks. 

Key Takeaways 

  • Ensure Vendors Conduct Rigorous Technical Security Testing – Require penetration tests and attestations from third- and fourth-party SaaS providers. 
    • Limit App Permissions to “Least Privilege” – Scope connected apps only to the fields and objects they truly need. 
      • Implement Regular Key Rotation – Automate key rotation with vendor tools (e.g., AWS recommends every 60–90 days) to reduce the risk of leaked or stolen keys. 
        • Monitor for Data Exfiltration – Watch for unusual queries, spikes in API usage, or large Bulk API jobs. 
          • Limit Data Exfiltration Destinations – Restrict where exports and API jobs can go (approved IPs or managed locations). 
            • Integrate SaaS Risks into Your Incident Response Plan – Include guidance on rapidly revoking or rotating OAuth tokens and keys after a compromise. 

              •  

              References 

              1. Google Threat Intelligence Group advisory on UNC6395 / Drift OAuth compromise 
              2. Cloudflare disclosure on the Drift incident 
              3. Zscaler security advisory on Drift-related Salesforce breach 
              4. LMG Security Blog – Third-Party Risk Management Lessons 

                5. #Salesforcehack #SalesforceDrift #cybersecurity #cyberattack #cyberaware

                ...more
                View all episodesView all episodes
                Download on the App Store
                Cyberside Chats: Cybersecurity Insights from the ExpertsBy Chatcyberside
                • 5
                • 5
                • 5
                • 5
                • 5

                5

                2 ratings

                More shows like Cyberside Chats: Cybersecurity Insights from the Experts

                View all
                No Agenda Show by Adam Curry & John C. Dvorak

                No Agenda Show

                5,948 Listeners

                Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec by Jerry Bell and Andrew Kalat

                Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec

                370 Listeners

                The DSR Network by The DSR Network

                The DSR Network

                1,782 Listeners

                Conspirituality by Derek Beres, Matthew Remski, Julian Walker

                Conspirituality

                2,041 Listeners

                What Rough Beast by Virginia Heffernan and Stephen Metcalf

                What Rough Beast

                63 Listeners