When SaaS Trust Becomes a Threat: Insights from the Salesloft Drift Compromise
ID: bb6bf489-6ab8-504c-a65f-4cbe2f757548
STIX ID: report--bb6bf489-6ab8-504c-a65f-4cbe2f757548
Feed Name: SecurityScorecard Blog
SecurityScorecard's STRIKE team describes a Salesloft breach in which threat actors accessed Salesloft's GitHub and Drift's AWS to steal OAuth tokens from a Drift–Salesforce integration, enabling Salesforce API queries and exfiltration of customer contact and support data. The advisory maps MITRE ATT&CK techniques (e.g., T1199, T1550.001, T1213, T1567), warns of near-term phishing and social-engineering follow-on risk, and recommends revoking/rotating tokens, reviewing API/audit logs, and strengthening email defenses and training.
