The AI Supply Chain: Lessons from the Drift Incident

The first major AI-adjacent SaaS supply-chain breach has arrived.

In August 2025, attackers exploited integrations tied to Salesloft’s Drift app, an AI chatbot and sales automation assistant, to compromise OAuth tokens and pivot into Salesforce and Google Workspace. 

This was not an LLM jailbreak or a chatbot hallucination leading to compromise. It was a supply chain event rooted in OAuth trust, API access, and the privileged integration scopes held by an AI tool. 

Here’s What Happened

Google’s Threat Intelligence Group and Mandiant trace the attack to threat actor UNC6395, who stole OAuth tokens tied to the Salesloft Drift app. Over the period August 8–18, 2025, these tokens were used to log into customer Salesforce instances, run SOQL queries, and exfiltrate data via the Bulk API. On August 20, Salesforce and Salesloft revoked all active Drift tokens and removed the app from AppExchange.

By August 28, Google had confirmed that OAuth tokens for the Drift Email integration were also stolen, accessing a small number of Google Workspace accounts. Google revoked the Workspace OAuth client ID and advised affected administrators.

This was not a breakdown of a language model or prompt-based exploit. It was an OAuth trust failure: attackers abused Drift’s integration privileges to access and export data from Salesforce and Workspace, an API-level compromise, not an AI model vulnerability.

Blast Radius: Organizations Affected and Data Exposed

The Drift breach had an unusually broad impact across the enterprise sector. Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, SpyCloud, and other cybersecurity vendors such as Proofpoint, Tanium, and Tenable publicly confirmed exposure through their Salesforce/Drift integrations. Industry reporting indicates that more than seven hundred organizations may have been affected.

Attackers accessed Salesforce support cases and CRM records, extracting not only case details and contact information but also embedded secrets such as AWS access keys and Snowflake tokens. To reduce the chances of detection, they deleted the Background Job artifacts that logged the export process.

Rather than deeply compromising a single environment, this breach was characterized by its breadth. A single AI-integrated platform, Drift, served as a trusted conduit into many tenants. In contrast to attacks like SolarWinds that involved deep system access, the Drift incident leveraged API-level access to extract data from multiple organizations simultaneously.

Timeline

• Aug 8–18, 2025: Adversary UNC6395 used stolen OAuth tokens from Salesloft Drift to access Salesforce orgs, run SOQL queries, and export data via Bulk API.
• Aug 20, 2025: Salesforce and Salesloft revoked Drift access and refresh tokens and removed the app from AppExchange.
• Aug 22, 2025: Rubrik confirms they were notified by Salesforce of anomalous activity tied to Drift integrations.
• Aug 23, 2025: Cloudflare reports it was notified of the incident and begins investigation. Their internal attack timeline confirms exfiltration occurred August 12–17.
• Aug 26, 2025: Google Threat Intelligence Group (GTIG) and Mandiant publish advisory detailing the scale of the attack and credential-harvesting tactics.
• Aug 28, 2025: GTIG releases update confirming compromised OAuth tokens for the Drift Email integration; advises that all Drift tokens must be considered compromised. Salesforce also disabled remaining Drift connections.
• Aug 29–Sep 3, 2025: Victim disclosures emerge: Cloudflare, Zscaler, PagerDuty, Palo Alto Networks, SpyCloud, and Tanium confirm exposure.

Why the Old Incident Response Discourse Doesn’t Work 

Some security leaders argue that every breach can be reduced to access or infrastructure. Either an attacker obtained valid credentials, or they exploited a system weakness. This is a common position in incident response discourse, where classification tends to focus on the category of failure rather than the tool involved. From that perspective, it makes little difference whether the entry point was an AI assistant, a payroll system, or a helpdesk app. The outcome is recorded as unauthorized access.

That framing misses how an AI assistant changes the scope of exposure. Drift carried broad OAuth permissions into Salesforce and, in some cases, Google Workspace. It lived inside support workflows where employees routinely pasted sensitive information, including cloud keys and data platform tokens. It also acted across domains on behalf of users. Those qualities turned a set of stolen tokens into a high-privilege pathway across many tenants.

This is where the AI supply chain lens belongs. Software supply chain security focuses on code, libraries, and build systems. AI supply chain security focuses on what happens in production when models, agents, plugins, APIs, and AI features are connected to real data and live accounts. These runtime elements create new trust relationships, and they concentrate permissions that span multiple systems. When an attacker compromises an AI assistant that holds those relationships, the result is not a single access failure. It is parallel exposure across the systems the assistant touches, including the secrets and records that pass through its workflows.

In the Drift incident, that meant three things: First, broad integration scopes allowed credentials and case data to be pulled at scale. Second, the presence of embedded secrets in everyday workflows turned case exports into potential cloud and data platform access. Third, the shared vendor model produced immediate breadth, since many organizations relied on the same assistant.

That combination is the hallmark of an AI supply chain event, and it explains why this incident cannot be collapsed into a simple access category.

Why AI SaaS Tools Raise Supply Chain Risk

The Drift breach highlights several reasons why AI SaaS tools must be treated as high-risk in the supply chain.

Privilege Concentration
AI chat and email assistants typically carry broad OAuth scopes spanning Salesforce, email, ticketing, and storage. That makes one vendor a pivot point into multiple core systems. Compromised tokens become especially dangerous in agentic contexts because they provide direct access to the APIs and data that autonomous agents rely on, enabling an attacker to operate across that full range of permissions without friction.

Secrets in Workflows
Support and sales cases often contain pasted cloud credentials. Exfiltrating case text can expose AWS keys, Snowflake tokens, and other sensitive data. In an agentic workflow, those tokens are embedded into dynamic, autonomous tasks. Once stolen, they allow attackers to impersonate agents, bypass MFA, and sidestep existing controls, often without human oversight or real-time monitoring.

Breadth Over Depth
Traditional implants aim for persistence inside one tenant. OAuth exploitation is designed for wide credential harvesting across many tenants, multiplying systemic risk. Agentic systems magnify this because tokens are not static access keys but embedded permissions inside evolving workflows. The same capabilities that make agents powerful — automation, creativity, unpredictability — can be abused by attackers at scale.

Perception and Oversight
Boards and regulators will treat incidents like Drift as “AI breaches.” Even though OAuth was the vector, the fact that the tool was AI-labeled changes perception, accountability, and urgency. Security teams cannot frame this as just another access incident. AI assistants must be managed as privileged vendors inside governance and vendor-risk frameworks.

Media and analysts have framed the incident in terms of its AI tool involvement. Even though the exploit was OAuth abuse, the fact that it was an AI tool changes how organizations approach vendor risk and AI governance.

OWASP’s View on AI Supply Chain Risk

OWASP, a leading authority on application security, emphasizes that AI supply chain risks go beyond defective code or outdated libraries. “They’re not just about libraries or packages. They’re about compromised models, poisoned datasets, and hidden backdoors in seemingly benign tools.” 

The Drift breach aligns with this definition. While the breach began with OAuth token theft, the core issue was that the attacker gained control of an AI assistant deeply embedded into enterprise workflows. That assistant had cross-domain reach and carried sensitive information, making this breach not just an access incident, but a disruption rooted in trust relationships and hidden dependencies.

Takeaways for CISOs and Security Teams

The Drift incident offers urgent lessons for enterprise security leaders.

1. Treat AI as High-Privilege Vendors: AI assistants are not harmless productivity widgets. They are third-party platforms with deep integration scopes. Apply least privilege to every OAuth grant.
2. Extend Vendor Risk Management to AI Supply Chain: Inventory every AI-adjacent integration. Review scopes, token TTLs, and app permissions. Require SSO and step-up authentication for sensitive actions. Integrate AI platforms into your vendor risk management framework.
3. Review Secrets Hygiene in SaaS Workflows: Search historical Salesforce cases and tickets for embedded secrets. Redact or remove them. Rotate exposed credentials immediately. Deploy DLP or redaction for future case entries.
4. Enhance SaaS Telemetry and Detection: Monitor for anomalous activity: large SOQL queries, bulk exports, cross-tenant patterns, and deletion of job artifacts. Ensure logs are immutable and export alerts are enabled.
5. Establish a Kill-Switch for Third-Party Apps: Maintain playbooks for rapid token revocation, client ID disabling, org-wide app disconnects, and emergency credential rotation. Speed of response matters.

Why This Matters Beyond SaaS Security

This incident should be seen as the first AI-adjacent supply-chain breach at scale. While the exploit was OAuth abuse, the perception will persist: AI tools were breached. Boards, regulators, and the public will hear “AI breach.” 

Enterprises must therefore:

• Communicate the technical details accurately.
• Frame AI assistants as privileged integration points.
• Update governance frameworks to explicitly include AI platforms in supply-chain risk.

AI adoption is accelerating across the enterprise. With every AI integration comes another OAuth trust relationship, another potential blast radius, and another vendor whose compromise becomes your compromise.

The Bottom Line

The Salesloft Drift incident is a wake-up call. AI assistants are not fringe tools; they are part of the enterprise SaaS supply chain. This breach was not about hallucinations or jailbreaks. It was about OAuth tokens, privileged integrations, and the ripple effects of compromised trust. For CISOs, the message is clear: treat AI assistants as part of your critical supply chain, or risk being blindsided by the next breach.

References

1. Google Threat Intelligence Group, & Mandiant. (2025, August 26). Widespread data theft targets Salesforce instances via Salesloft Drift. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift Google Cloud
2. Infosecurity Magazine. (2025, August 29). Salesloft attacks target Google Workspace. https://www.infosecurity-magazine.com/news/salesloft-attacks-target-google/ Infosecurity Magazine
3. Cloudflare. (2025, September 2). The impact of the Salesloft Drift breach on Cloudflare and our response. https://blog.cloudflare.com/response-to-salesloft-drift-incident/ The Cloudflare Blog
4. Zscaler. (2025, September 2). Salesloft Drift supply chain incident: Key details and Zscaler’s response. https://www.zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response Zscaler
5. Palo Alto Networks. (2025, September 2). Salesforce-connected third-party Drift application incident response. https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/ Palo Alto Networks
6. PagerDuty. (2025, August 29). Salesloft’s Drift integration security incident impacting some PagerDuty Salesforce data. https://www.pagerduty.com/blog/uncategorized/saleslofts-drift-integration-security-incident-impacting-some-pagerduty-salesforce-data/ PagerDuty
7. PagerDuty. (2025, August 29). Salesloft Drift data breach: Update to our customers. https://www.pagerduty.com/blog/news-announcements/salesloft-drift-data-breach-update-to-our-customers/ PagerDuty
8. SpyCloud. (2025, August 27). Security incident involving a third-party application. https://spycloud.com/newsroom/security-incident-involving-a-third-party-application/ SpyCloud
9. SpyCloud. (2025, September 1). Salesloft Drift incident: SpyCloud’s response. https://spycloud.com/newsroom/salesloft-drift-incident-spycloud-response/ SpyCloud
10. TechRadar Pro. (2025, September 3). Even Cloudflare isn’t safe from Salesloft Drift data breaches. https://www.techradar.com/pro/security/even-cloudflare-isnt-safe-from-salesloft-drift-data-breaches TechRadar
11. TechRadar Pro. (2025, September 3). Palo Alto Networks becomes the latest to confirm it was hit by Salesloft Drift attack. https://www.techradar.com/pro/security/palo-alto-networks-becomes-the-latest-to-confirm-it-was-hit-by-salesloft-drift-attack TechRadar
12. ITPro. (2025, September 9). Salesloft Drift hackers had access to company GitHub account for months before attacks. https://www.itpro.com/security/cyber-attacks/salesloft-drift-hackers-had-access-to-company-github-account-for-months-before-attacks IT Pro
13. The Hacker News. (2025, August 29). Google warns Salesloft OAuth breach impacts all. https://thehackernews.com/2025/08/google-warns-salesloft-oauth-breach.html The Hacker News
14. Abnormal Security. (2025, September 5). When integrations become exploits: What the Salesloft Drift breach reveals. https://abnormal.ai/blog/salesloft-drift-oauth-attack Abnormal AI
15. SC Media / OWASP Gen AI Security Project Team; Spring, T. (2025, August). Inside an AI supply chain meltdown. https://www.scworld.com/feature/inside-an-ai-supply-chain-meltdown WIRED
16. CyberScoop. (2025, September 2). Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler. https://cyberscoop.com/salesloft-drift-attacks-cloudflare-palo-alto-networks-zscaler/