
Anatomy of the Salesloft Breach - Detection, Response, and Lessons Learned

Written by Ian Ahl | Sep 15, 2025 12:40:47 PM

In a year marked by prevalent supply chain breaches, the SalesLoft incident stands out as particularly insidious and complex. This breach represents what may be one of the most comprehensive non-human identity (NHI) attacks from start to finish, making it a critical case study for understanding modern supply chain compromises.

Summary

SalesLoft Drift, a Salesforce application for customer acquisition with AI tooling, suffered a significant breach that resulted in the theft of OAuth tokens for hundreds of users. These stolen tokens were subsequently used to access Salesforce instances, export sensitive data, and mine that data for additional credentials, particularly targeting Snowflake and AWS resources.

The incident unfolded over several months, beginning with a GitHub compromise between March and June 2025, followed by a dormant period, and culminating in active exploitation from August 8-18, 2025. SalesLoft disclosed the incident and revoked all affected tokens on August 20, 2025.

Part 1: Anatomy of the Attack

The Initial Compromise

According to SalesLoft's incident notice and Mandiant's investigation, the attack began with a sophisticated infiltration of SalesLoft's development infrastructure. The threat actor gained access to SalesLoft's GitHub repositories between March and June 2025 and downloaded content, likely cloning repos or downloading them as archives. To maintain persistence, they added a guest user to the GitHub organization, a technique that mirrors legitimate onboarding processes when organizations add new hires with existing GitHub accounts.

The attackers established workflows, likely GitHub Actions, that may have provided pathways to AWS infrastructure. The pivot from GitHub to AWS likely occurred through credentials harvested from the downloaded repositories, with long-lived access keys or some other programmatic credential being a probable vector. Once inside the Drift AWS environment, they extracted OAuth tokens that were likely stored in Secrets Manager, Systems Manager Parameter Store, or a similar solution.

This attack pattern of extracting secrets from cloud storage services has become increasingly common among threat actors, particularly groups like LUCR-3 (also known as UNC3944 or Scattered Spider), who regularly harvest credentials from Secrets Manager and similar services.

The OAuth Token Architecture

What makes this breach particularly concerning is the per-user token architecture. Unlike organization-level integrations, SalesLoft Drift uses individual OAuth tokens for each user. Each salesperson using the application would integrate individually with Salesforce, meaning the attacker gained permissions equivalent to each compromised user. If a Salesforce admin used the integration, the attackers obtained admin-level access. Regular sales representatives provided limited access. This architectural decision, while providing granular control, created hundreds of individual compromise points rather than a single integration to secure.

Multi-Platform Impact

While initially reported as a Salesforce breach, the scope expanded significantly. OAuth tokens for Google Workspace integrations were also compromised, along with dozens of other integrated applications. Most investigative efforts focused on Salesforce due to visible damage, but the actual breach affected a much broader ecosystem of connected services.

The Credential Harvesting Strategy

The attackers demonstrated sophisticated operational security. Rather than searching within Salesforce for credential patterns like "AKIA" (AWS key prefixes), they exported all accessible data from victim Salesforce instances. With the data now exported to their own infrastructure, the attacker could then run common tools like TruffleHog to scrape out the credentials that they were looking for such as long-lived AWS Access Keys. This approach avoids triggering alerts that might have been configured for unusual search patterns within Salesforce itself.

Part 2: Detection Opportunities and Challenges

Attack Infrastructure and Timeline

Based on analysis across multiple incidents, the threat actors operated from two primary IP addresses:

  • 104.248.99.62 (DigitalOcean) - Primary source of activity, including most data exfiltration
  • 18.116.59.46 (AWS) - Secondary infrastructure

The attack followed a deliberate two-phase approach:

  • Testing Phase (August 11-16): Limited queries of 1,000 to 10,000 records to understand the data available across victim environments
  • Exfiltration Phase (August 17-20): Mass export of data from compromised Salesforce instances, with the DigitalOcean infrastructure handling the bulk of this activity

Signal-Based Detection Strategies

Rather than relying solely on atomic indicators, effective detection requires focusing on behavioral signals:

Baseline Deviation: SalesLoft OAuth connections consistently originated from AWS IP ranges. When these same user identities suddenly connected from DigitalOcean infrastructure, this represented a clear baseline deviation. Vendor connections are particularly easy to baseline due to their consistency, making such deviations highly suspicious and easy to detect for organizations with proper monitoring.

Bulk API Usage Patterns: Bulk API calls from non-service accounts remain uncommon across most organizations. This represents a strong detection signal, particularly when accounts with no history of bulk API usage suddenly begin mass data extraction.

Anti-Forensic Behavior: Attackers deleted export jobs immediately after completion via API, rather than allowing the default multi-day retention period. This premature job deletion pattern provides another detection opportunity.

Key Salesforce Events for Monitoring

Security teams should focus on these critical events:

  • Unique Query: SQL statements executed against Salesforce (e.g., "SELECT * FROM Account")
  • Bulk API: Large-scale data extraction operations
  • OAuth Refresh Token: Authentication events showing consistent token refreshing during data scraping
  • Report Export: Data export activities and their associated metadata

# EventNames
- UniqueQuery
- BulkApi2
- RestApi:/services/data/sobjects
- RestApi:/services/data/query
- RestApi:/services/data/limits
- RestApi:/services/data/jobs
- ApiTotalUsage:GET
- ApiTotalUsage:POST
- ApiTotalUsage:DELETE
- Login:oauthrefreshtoken
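As an added example (not code from the original post or from Permiso's tooling), the three behavioral signals above, applied to a handful of constructed, simplified Salesforce event records that use the event names listed: the record field names, the placeholder vendor baseline range and the service-account list are assumptions for this example, not the real EventLogFile schema or Drift's real egress addresses.

```python
import ipaddress
from datetime import datetime

# Constructed sample records in the spirit of Salesforce EventLogFile rows; the
# field names are a simplification assumed for this example, not the real schema.
EVENTS = [
    {"ts": "2025-08-10T09:00:00Z", "event": "Login:oauthrefreshtoken", "user": "rep1", "app": "Drift", "ip": "52.10.4.7"},
    {"ts": "2025-08-17T02:10:00Z", "event": "Login:oauthrefreshtoken", "user": "rep1", "app": "Drift", "ip": "104.248.99.62"},
    {"ts": "2025-08-17T02:11:00Z", "event": "BulkApi2", "user": "rep1", "app": "Drift", "ip": "104.248.99.62", "rows": 250000},
    {"ts": "2025-08-17T02:40:00Z", "event": "RestApi:/services/data/jobs", "method": "DELETE", "user": "rep1", "app": "Drift", "ip": "104.248.99.62"},
    {"ts": "2025-08-17T03:00:00Z", "event": "BulkApi2", "user": "svc-etl", "app": "ETL", "ip": "10.0.0.5", "rows": 900000},
]
# Placeholder baseline: source ranges each vendor app has historically connected from
# (assumed values for the example, not Drift's real egress addresses).
VENDOR_BASELINE = {"Drift": ["52.10.0.0/16"]}
SERVICE_ACCOUNTS = {"svc-etl"}  # identities expected to run Bulk API jobs

def _ts(e):
    return datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))

def baseline_deviation(events, baseline=VENDOR_BASELINE):
    """Vendor-app connections whose source IP falls outside that app's known ranges."""
    hits = []
    for e in events:
        nets = baseline.get(e["app"])
        if nets and not any(ipaddress.ip_address(e["ip"]) in ipaddress.ip_network(n) for n in nets):
            hits.append((e["user"], e["ip"], e["event"]))
    return hits

def bulk_from_non_service(events, service_accounts=SERVICE_ACCOUNTS, min_rows=10000):
    """Bulk API 2.0 jobs run by identities that are not known service accounts."""
    return [(e["user"], e["rows"]) for e in events if e["event"] == "BulkApi2"
            and e["user"] not in service_accounts and e.get("rows", 0) >= min_rows]

def premature_job_deletion(events, max_minutes=60):
    """A bulk job followed by a DELETE on the jobs endpoint by the same user within max_minutes."""
    last_bulk, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["event"] == "BulkApi2":
            last_bulk[e["user"]] = _ts(e)
        elif e["event"] == "RestApi:/services/data/jobs" and e.get("method") == "DELETE":
            started = last_bulk.get(e["user"])
            if started and (_ts(e) - started).total_seconds() <= max_minutes * 60:
                hits.append((e["user"], e["ts"]))
    return hits

if __name__ == "__main__":
    print("baseline deviation:", baseline_deviation(EVENTS))
    print("bulk from non-service:", bulk_from_non_service(EVENTS))
    print("premature job deletion:", premature_job_deletion(EVENTS))
```

In practice the baseline and service-account sets come from a few weeks of the organization's own logs, and the same three checks run over the daily EventLogFile export.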

Part 3: Response and Remediation

Immediate Response Actions

Organizations potentially affected by this breach should have taken immediate steps:

  1. Token Audit and Revocation: Review all OAuth integrations, identify potentially compromised tokens, and revoke suspicious access immediately.
  2. Credential Reset: Given the credential harvesting focus, reset all credentials that may have been exposed in Salesforce data, particularly those for cloud platforms and other SaaS services.
  3. Forensic Analysis: Search for the identified IP addresses in logs from August 8-18, review bulk API usage patterns, and identify any OAuth token usage from unexpected locations.
  4. Communication: Coordinate with SalesLoft, Salesforce, and other affected vendors to understand the full scope of impact.

Long-term Remediation

Beyond immediate response, organizations need to implement lasting improvements:

Enhanced Monitoring: Implement detection for unusual Bulk API usage from non-service accounts, establish baselines for vendor connections including IP ranges and user agents, and deploy monitoring for mass secret retrieval from cloud storage services like Secrets Manager and SSM.

Architectural Reviews: Reassess OAuth integration architectures, implement just-in-time access principles for sensitive operations, and segment customer tokens appropriately. IP-based restrictions are also a great idea.

Logging Enhancement: Despite the cost, enable appropriate Salesforce logging tiers and implement log aggregation and correlation capabilities to overcome platform limitations.
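The "mass secret retrieval" monitoring called for above, as an added example that is not part of the original post or Permiso's product: a sliding-window check over CloudTrail records that flags any principal reading many distinct Secrets Manager or Parameter Store values in a short period. The account id, ARNs, secret names, IPs and thresholds are constructed placeholders; the event sources, event names and request fields are the ones CloudTrail records for these calls.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style sample; account id, ARNs, secret names and IPs are placeholders.
BASE = datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc)
SM, SSM = "secretsmanager.amazonaws.com", "ssm.amazonaws.com"
APP = "arn:aws:iam::111122223333:role/app-prod"            # normal workload: one secret at startup
AUTO = "arn:aws:iam::111122223333:user/legacy-automation"  # long-lived key pulling many customer tokens

def _rec(minute, second, source, name, arn, ip, params):
    t = BASE + timedelta(minutes=minute, seconds=second)
    return {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "requestParameters": params}

RECORDS = [_rec(0, 0, SM, "GetSecretValue", APP, "10.0.1.4", {"secretId": "prod/app/db"})]
RECORDS += [_rec(30, 5 * i, SM, "GetSecretValue", AUTO, "203.0.113.9",
                 {"secretId": f"prod/customer-{i}/oauth"}) for i in range(20)]
RECORDS += [_rec(32, i, SSM, "GetParameter", AUTO, "203.0.113.9", {"name": f"/prod/tokens/{i}"}) for i in range(5)]
TRAIL = json.dumps({"Records": RECORDS})  # same top-level shape as a CloudTrail file delivered to S3

# Read calls that return secret material, mapped to the request field that names the secret.
SECRET_READS = {(SM, "GetSecretValue"): "secretId", (SSM, "GetParameter"): "name"}

def mass_secret_retrieval(trail_json, window_minutes=10, threshold=10):
    """Map principal ARN -> (distinct secrets read within one window, source IPs) for every
    principal that reads at least `threshold` distinct secrets inside `window_minutes`."""
    records = sorted(json.loads(trail_json)["Records"], key=lambda r: r["eventTime"])
    recent = defaultdict(deque)  # arn -> (time, secret name, source ip) still inside the window
    alerts = {}
    for r in records:
        field = SECRET_READS.get((r["eventSource"], r["eventName"]))
        if field is None:
            continue  # ListSecrets, DescribeSecret, PutSecretValue, ... do not return secret values
        arn = r["userIdentity"]["arn"]
        t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        q = recent[arn]
        q.append((t, r["requestParameters"][field], r["sourceIPAddress"]))
        while t - q[0][0] > timedelta(minutes=window_minutes):
            q.popleft()
        distinct = {name for _, name, _ in q}
        if len(distinct) >= threshold and len(distinct) >= alerts.get(arn, (0,))[0]:
            alerts[arn] = (len(distinct), sorted({ip for _, _, ip in q}))
    return alerts

if __name__ == "__main__":
    for arn, (count, ips) in mass_secret_retrieval(TRAIL).items():
        print(f"ALERT {arn} read {count} distinct secrets from {ips}")
```

The threshold should sit well above the largest number of secrets any single workload legitimately loads, so that the workload role reading one database secret stays quiet while a principal sweeping every customer token stands out.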

Part 4: Lessons Learned

The Evolution of Supply Chain Attacks

This incident represents a paradigm shift in supply chain attacks, demonstrating a purely non-human identity compromise from start to finish. As noted in the analysis, this will likely become "the poster child" for NHI attacks because it's one of the few that is entirely NHI-based. Most NHI attacks begin with human identity compromise and escalate to machine identities. This case shows how attackers can operate entirely within the NHI space, bypassing traditional security controls focused on human user behavior.

Vendor Security Implications

Software vendors storing customer credentials must implement robust monitoring for secrets access in services like Secrets Manager and SSM. Organizations should ask themselves whether they would detect mass credential extraction from their own infrastructure. They need to segment customer tokens appropriately, monitor for unusual repository access patterns, and implement comprehensive audit logging for all credential access.

The True Cost of Security

The SalesLoft breach exposes a troubling reality about security economics. Organizations face a difficult choice between paying substantial fees for basic security logging or accepting the risk of undetected breaches. This incident demonstrates that the cost of inadequate logging far exceeds the investment in proper visibility.

Attribution Complexity

Attribution remains complex in this case. The group claiming to be ShinyHunters took credit via Telegram and asserted connections to Scattered Spider. However, all their claims were based on publicly available information with no private indicators. Mandiant has classified the activity under UNC6395 pending further investigation. The public nature of the claimed attribution raises questions about its validity and reminds us that attribution should not distract from detection and response priorities.

Tools and Resources

To assist with detection and analysis, our open-source Cloud Grappler tool has been updated to identify indicators associated with this campaign. The tool can analyze logs stored in AWS S3, Azure Blob Storage, and other cloud storage services.

Organizations using Permiso's platform have access to comprehensive detection rules covering the tactics, techniques, and procedures observed in this campaign, providing automated detection capabilities for similar attacks.

Key Takeaways

The SalesLoft breach serves as a critical case study for understanding modern supply chain compromises and the evolution of non-human identity attacks. Several key lessons emerge:

  1. Non-human identities represent a new frontier for attackers, offering persistence, broad permissions, and limited monitoring.
  2. Supply chain attacks can cascade across entire ecosystems of connected services, multiplying the impact far beyond the initial compromise.
  3. Detection requires behavioral baselines, not just signature matching. Understanding normal patterns for vendor connections and API usage proves crucial.
  4. Logging remains a fundamental challenge, with cost and quality issues creating blind spots that attackers readily exploit.
  5. Credential sprawl amplifies risk, as attackers increasingly focus on harvesting credentials from compromised environments to enable further attacks.

Wrapping Up

While the immediate impact has been contained through token revocation, the broader implications for how organizations protect and monitor machine identities will resonate throughout the industry. As supply chain attacks continue to evolve, organizations must balance the convenience of third-party integrations with robust security monitoring and response capabilities.

The cost and complexity of implementing adequate logging, particularly in platforms like Salesforce, remains a significant challenge that the industry must address collectively. Basic security events should be available as standard functionality, not premium features.

The question facing every organization is not whether similar attacks will occur, but whether they have the visibility and capabilities to detect and respond when they do. The SalesLoft breach provides a roadmap for both attackers and defenders. Organizations that learn from this incident and implement appropriate controls will be better positioned to defend against the next generation of supply chain attacks.

🎧 Listen to the full discussion on The Permiso Podcast

Episode 01: Tokens, Trust, and Takeovers - Inside the Salesloft Breach


This analysis is based on public reporting from SalesLoft, Mandiant, and Permiso's incident response experience. For more information about detecting and responding to supply chain compromises, contact the Permiso team.