Inside the Salesloft Breach
SaaS was sold as safe — Inside the Salesloft Breach shows why it wasn’t.
Hosts Rob Maas and Luca Cipriano expose how long-lived OAuth tokens and trusted integrations turned Salesforce, Salesloft, and Drift into silent exfiltration channels.
The episode unpacks two real campaigns:
• Campaign 1: Vishing calls that tricked users into approving a trojanized Salesforce data loader — granting attackers OAuth access without MFA.
• Campaign 2: The Salesloft and Drift chain, where access to GitHub unlocked AWS credentials and downstream Salesforce tokens.
The result: bulk SOQL exports, deleted API job metadata, and over 700 affected organizations.
It’s a story of misplaced trust, silent breaches, and the cost of assuming SaaS means safety.
What you will learn from the real-world examples discussed:
- How OAuth became the breach enabler across connected apps.
- How attackers moved from GitHub → AWS → Salesforce.
- Practical Zero Trust actions: IP allowlists, app control, and token monitoring.
- How to close shared responsibility gaps before they’re exploited.
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Episode details
Rob and Luca start by explaining why CRMs are high-value targets — rich data, broad integration, and weak visibility. They walk through how voice-based social engineering led to staff authorizing a malicious app that issued tokens with refresh rights, enabling persistent access.
Once inside, attackers used VPNs and Tor to run bulk SOQL queries, exfiltrating CRM records while removing API job metadata to erase traces.
The second campaign pivoted from GitHub to AWS, exposing credentials that unlocked Salesloft and Drift integrations — a chain of trust turned into a chain of compromise.
You’ll learn why endpoint tools miss SaaS-based abuse, and how Zero Trust controls can make it visible and preventable.
Key takeaways include:
• Allowlisting IPs for specific integrations.
• Maintaining a clean app inventory.
• Monitoring active OAuth sessions and token scopes.
• Training staff to challenge unexpected voice-based requests.
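As an added example (not part of the episode or of any vendor tooling), the script below applies three of those takeaways to a constructed, simplified API-event log: it checks each event against a connected-app inventory with per-integration IP allowlists and permitted token scopes, and flags large SELECT jobs as bulk SOQL exports. The record shape, inventory contents and threshold are assumptions for illustration, not a real CRM schema.

```python
"""Added example: review CRM API events against an app inventory, per-integration
IP allowlists and allowed token scopes, and flag bulk SOQL exports."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical inventory: approved connected apps, the scopes each may hold,
# and the source networks each integration is allowed to call the API from.
APP_INVENTORY = {
    "marketing-sync": {"scopes": {"api"}, "networks": ["203.0.113.0/24"]},
    "support-chat": {"scopes": {"api", "refresh_token"}, "networks": ["198.51.100.10/32"]},
}
BULK_ROWS_THRESHOLD = 10_000  # rows in one API job that we treat as a bulk export


@dataclass
class ApiEvent:  # constructed, simplified record shape (not a vendor log schema)
    app: str
    source_ip: str
    scopes: set
    rows: int
    query: str


def review_event(ev: ApiEvent) -> list[str]:
    """Return the control violations for one event; an empty list means clean."""
    findings = []
    entry = APP_INVENTORY.get(ev.app)
    if entry is None:
        findings.append("unknown app")  # not in the maintained inventory
        return findings
    if not any(ip_address(ev.source_ip) in ip_network(n) for n in entry["networks"]):
        findings.append("ip not allowlisted")  # outside the integration's approved networks
    extra = ev.scopes - entry["scopes"]
    if extra:
        findings.append("excess scopes: " + ",".join(sorted(extra)))
    if ev.rows >= BULK_ROWS_THRESHOLD and ev.query.lstrip().upper().startswith("SELECT"):
        findings.append("bulk SOQL export")  # large read job, the exfiltration pattern discussed
    return findings


def review_log(events):
    """Map event index -> findings, keeping only events with at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := review_event(ev))}


# Constructed sample log: one routine sync, one unknown loader app, one known app misused.
SAMPLE_EVENTS = [
    ApiEvent("marketing-sync", "203.0.113.7", {"api"}, 500, "SELECT Id, Email FROM Contact"),
    ApiEvent("data-loader-x", "192.0.2.44", {"api", "refresh_token"}, 250_000, "SELECT Id, Email FROM Contact"),
    ApiEvent("support-chat", "192.0.2.99", {"api", "refresh_token"}, 120_000, "SELECT Id FROM Case"),
]

if __name__ == "__main__":
    for idx, findings in review_log(SAMPLE_EVENTS).items():
        print(idx, findings)
```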
The message is clear: cloud reduces infrastructure risk, but not accountability.
Your tokens, your apps, and your data paths remain your responsibility.