The Salesloft-Drift OAuth incident was a major security breach where attackers stole OAuth tokens from Salesloft’s development platform, which were then used to access customer data in connected applications like Salesforce and Google Workspace.
Attackers exploited the trust built into these integrations to exfiltrate customer information, leading many organizations to temporarily disable their Drift integrations and revoke credentials.
From August 8 to August 18, attackers exploited OAuth tokens in the Drift–Salesforce connector, slipping past MFA and hijacking trusted integrations.
Roughly 700 organisations were caught up in the breach.
The attackers, identified as UNC6395, gained access by stealing OAuth tokens, which are digital credentials used to authorize third-party integrations.
These tokens were compromised through a combination of technical exploitation and social engineering, including voice phishing campaigns that tricked administrators into connecting malicious apps to their Salesforce portals.
What should have been a secure workflow integration turned into a skeleton key.
The unnerving part, according to KYND, is how ordinary business operations become conduits for risk.
SaaS integrations are meant to make life easier. Instead, they can morph into invisible backdoors stretching across dozens of companies, creating exposure that few insurers or clients even know exists.
At first the finger pointed only at Salesforce instances tied to Salesloft Drift. Now the picture looks broader.
Any platform using Drift may be vulnerable, meaning the blast radius could be much larger than assumed.
For cyber insurers, this episode underscores a grinding problem: N-th degree vendor risk. Traditional assessments struggle even with fourth-party suppliers.
Beyond that, visibility collapses. Manual due diligence cannot track dependencies buried five or six layers deep.
Underwriters end up pricing policies without grasping the full mesh of exposure hidden inside client ecosystems.
Cross-platform integrations only sharpen the edge. Vendors push for seamless connections across systems, and clients want unified workflows.
Each new link expands systemic risk, where one compromise ripples through an entire supply chain. What looks like operational efficiency for the client may be cascading risk for the insurer.
Losses here extend far beyond data theft. With stolen cloud credentials, attackers can trigger outages, infiltrate storage, or launch ransomware campaigns.
That multiplies the claim spectrum: forensic investigations, breach notifications, regulatory fines, lawsuits, downtime costs, and reputational fallout.
The lesson is brutal but clear. SaaS integrations and third-party access are no longer side notes in cyber risk assessments – they are central to portfolio stability.
Insurers already track patching and endpoint controls. Now they need insight into how policyholders manage vendor integrations, OAuth permissions, and connected platforms.
Without that lens, hidden risks keep stacking up until one breach rolls across an entire book of business.
The real problem wasn’t just one compromised tool; it was the way trusted integrations themselves became the attack surface. Companies lean heavily on SaaS platforms to tie workflows together.
That web of connections meant what looked like a single-point breach quickly became systemic, reaching across different vendors and potentially any platform integrated with Drift.
For insurers, the incident shows how opaque modern supply chains have grown. Risk doesn’t stop at first-tier providers. Dependencies stack up, hidden behind layers of APIs and third-party connectors.
When one token gets abused, the compromise doesn’t stay contained. It spills across platforms, magnified by the very integrations meant to improve efficiency.
The damage stretches well beyond data theft. Stolen AWS keys and Snowflake tokens can trigger cloud breaches, outages, or even ransomware.
That translates into costly investigations, compliance scrutiny, legal disputes, reputational harm, and business interruption. The breach illustrates that SaaS integrations can’t be treated as background noise in cyber risk.
They’re now central to exposure, and insurers who ignore them risk carrying hidden liabilities that only surface once an attack sweeps through their portfolios.





