The incident underscores how a single compromised integration can cascade across hundreds of organizations. To prevent similar attacks, companies should inventory third-party vendors, enforce least privilege for API tokens, and monitor logs for suspicious queries. Vendors, meanwhile, must maintain rigorous code-repository security and disclose breaches promptly to limit downstream exposure.
In early 2025, the Salesloft integration for the Drift chatbot became the entry point for a large-scale supply-chain breach. Threat actors compromised the plugin’s GitHub account around March, secretly downloaded private repositories, and maintained access for months. They pivoted into the plugin’s Amazon Web Services environment and, using stolen OAuth tokens, accessed multiple customers’ Salesforce data, downloaded records and logs, and tried to cover their tracks by deleting evidence of queries and exports.
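One way to act on the log-monitoring advice is to correlate bulk queries made by an integration with later deletion of the same query job, the cover-up pattern described above. This is an added example, not code from the original page or from any vendor; the event schema, app names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not a real vendor log format): one record per API action by an integration.
EVENTS = [
    {"ts": "2025-06-01T02:00:00", "app": "crm-sync", "action": "query", "job": "j1", "rows": 120},
    {"ts": "2025-06-01T02:10:00", "app": "chat-integration", "action": "query", "job": "j2", "rows": 48000},
    {"ts": "2025-06-01T02:25:00", "app": "chat-integration", "action": "delete_job", "job": "j2"},
    {"ts": "2025-06-01T09:00:00", "app": "reporting", "action": "query", "job": "j3", "rows": 15000},
    {"ts": "2025-06-02T09:00:00", "app": "reporting", "action": "delete_job", "job": "j3"},
]

BULK_ROWS = 10_000                  # assumed threshold; tune to each integration's baseline
DELETE_WINDOW = timedelta(hours=1)  # assumed window for "export, then erase the job"


def find_suspicious(events, bulk_rows=BULK_ROWS, window=DELETE_WINDOW):
    """Flag bulk queries per integration, and bulk queries whose job
    record is deleted by the same integration within `window`."""
    bulk_seen = {}                  # (app, job) -> time of the bulk query
    findings = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["app"], e["job"])
        if e["action"] == "query" and e["rows"] >= bulk_rows:
            bulk_seen[key] = ts
            findings[e["app"]].append(("bulk_query", e["job"]))
        elif e["action"] == "delete_job" and key in bulk_seen:
            # Deleting a job record shortly after a bulk pull is the
            # evidence-removal signal worth escalating.
            if ts - bulk_seen[key] <= window:
                findings[e["app"]].append(("export_then_delete", e["job"]))
    return dict(findings)


if __name__ == "__main__":
    for app, hits in find_suspicious(EVENTS).items():
        print(app, hits)
```

Because the second signal depends on the deletion event itself being recorded, it is only reliable when these events are forwarded to a log store the integration's token cannot modify.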

