Introduction – Why this incident matters
The recent Salesloft breach involving its Drift plugin has impacted a number of organisations as a result of its integration with Salesforce. This is more than an isolated supplier failure. It is a reminder that today’s attack surface extends far beyond internal systems. The very SaaS tools that power collaboration, sales and customer engagement are now prime targets.
When a single compromised integration can expose sensitive customer data, disrupt operations and trigger regulatory attention, the risk is no longer theoretical. Boards and security leaders must ask: how resilient are we when a supplier is breached on our behalf?
This article is not a forensic rehash of incident reports. Instead, it distils the lessons CISOs and Heads of Cyber can take from this case to strengthen organisational resilience.
What happened – the anatomy of the attack
The breach unfolded as follows:
- Drift, a chat agent application, integrates into Salesloft as part of their offering.
- Salesloft integrates with Salesforce to provide customers with seamless tech stack integrations, giving it privileges to access customer data.
- Attackers compromised tokens used by Drift to authenticate with Salesforce.
- With those tokens, they gained API-level access and could read sensitive records such as tickets and cases.
In other words, compromise flowed through the SaaS chain:
Drift → Salesloft → Salesforce → customer data.
The technique – token theft – is significant. Unlike stolen passwords, tokens are designed to bypass repeated authentication. Once stolen, they allow attackers to operate invisibly within APIs, escalating privileges and blending into legitimate traffic.
Why this matters for cyber leaders
This incident reinforces three critical realities:
- SaaS vendors are part of the attack surface. Organisations often treat SaaS tools as “out of scope” once procured. In truth, every integration becomes an extension of the enterprise network.
- Perimeter controls are ineffective here. Firewalls and endpoint agents cannot stop an attacker armed with a stolen token and valid API calls. The defence must move up the stack.
- Trust cannot be static. Third-party integrations are too often “set and forget.” Continuous verification of what integrations do, how they authenticate, and what data they touch is essential.
For cyber leaders, this matters because SaaS breaches are high on regulators’ agendas. Under CAF 4.0, the Cyber Security and Resilience Bill and NIS2, organisations must evidence not only their own resilience but also how they manage supplier risk.
Read our blog on how the Cyber Security and Resilience Bill will change supplier management for UK companies and public sector.
Lessons for defenders
CISOs and senior cyber leaders should draw four practical lessons:
Visibility
You cannot defend what you cannot see. Start with a clear inventory of where SaaS tokens are used, which APIs they access, and the scope of data they expose. Without this, response efforts will always lag.
Detection engineering
Generic out-of-the-box rules will miss these attacks. Build detection that looks for anomalous API behaviour, such as unexpected data exfiltration, calls outside normal business hours, or API use from unrecognised geographies. Detection must be tied to the business process, not just technical indicators.
Supplier resilience
Suppliers differ in how openly they report incidents. Cloudflare’s transparent and timely disclosure in this case is an example of best practice. Organisations should demand clear incident reporting and escalation processes from SaaS vendors, and factor transparency into procurement decisions.
Containment planning
When integrations are abused, speed matters. Organisations must be able to pause, revoke or reconfigure integrations without crippling core operations. This means rehearsing scenarios and ensuring business continuity plans cover SaaS dependencies, not just on-premise infrastructure.
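The detection and containment lessons above, as an added example that is not from the original article or any vendor: a baseline of what an integration token normally does (geography, hours, volume, objects touched) is compared against a constructed sample of API calls, and any integration whose call trips several signals at once is flagged for its token to be paused or revoked. The event field names, the client name "chat-integration" and the baseline values are assumptions, not a real log schema.

```python
from datetime import datetime, timezone

# Constructed sample API events (not real telemetry); field names are assumed,
# not a vendor log schema. Each record is one call made with an integration token.
SAMPLE_EVENTS = [
    {"ts": "2025-08-18T10:15:00Z", "client": "chat-integration", "country": "GB", "object": "Case", "rows": 40},
    {"ts": "2025-08-18T11:05:00Z", "client": "chat-integration", "country": "GB", "object": "Contact", "rows": 25},
    {"ts": "2025-08-19T02:30:00Z", "client": "chat-integration", "country": "XX", "object": "Case", "rows": 12000},
    {"ts": "2025-08-19T02:31:00Z", "client": "chat-integration", "country": "XX", "object": "Account", "rows": 9000},
]

# Per-integration baseline: what this token normally does for the business process.
BASELINES = {
    "chat-integration": {
        "countries": {"GB", "IE"},      # where the vendor's calls normally originate
        "hours": (7, 20),               # business hours in UTC (start inclusive, end exclusive)
        "max_rows": 500,                # largest read seen during normal operation
        "objects": {"Case", "Contact"}, # records the integration legitimately touches
    }
}

def score_event(event, baseline):
    """Return the ways one API call deviates from the integration's baseline."""
    reasons = []
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    start, end = baseline["hours"]
    if not start <= ts.hour < end:
        reasons.append("call outside business hours")
    if event["country"] not in baseline["countries"]:
        reasons.append(f"unrecognised geography {event['country']}")
    if event["rows"] > baseline["max_rows"]:
        reasons.append(f"bulk read of {event['rows']} {event['object']} rows")
    if event["object"] not in baseline["objects"]:
        reasons.append(f"{event['object']} is outside the integration's normal scope")
    return reasons

def detect(events, baselines):
    """Return (timestamp, client, reasons) for every call that deviates."""
    alerts = []
    for ev in events:
        base = baselines.get(ev["client"])
        reasons = ["no baseline for this integration"] if base is None else score_event(ev, base)
        if reasons:
            alerts.append((ev["ts"], ev["client"], reasons))
    return alerts

def integrations_to_contain(alerts, min_reasons=2):
    """Clients whose token should be paused or revoked: several signals on one call."""
    return {client for _, client, reasons in alerts if len(reasons) >= min_reasons}
```

The two daytime calls from the expected country produce no alert; the two out-of-hours bulk reads from an unknown geography do, and the integration is returned for containment.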
Strategic implications – what this tells us about resilience
Breaches are inevitable. What distinguishes resilient organisations is their ability to detect, contain and recover faster than adversaries can exploit their foothold.
The Salesforce–Salesloft breach highlights a blind spot: SaaS supply chain security. Most resilience strategies still focus on endpoints, servers and networks. Yet regulators are clear: frameworks such as CAF v4 and NIS2 expect integration risk to be addressed explicitly.
For boards, the lesson is straightforward: it is no longer enough for a CISO to evidence “endpoint resilience.” They must demonstrate integration resilience: the ability to withstand compromise in the SaaS supply chain.
This requires investment in:
- Continuous monitoring of SaaS activity, not just user logins.
- Detection engineering that is specific to how integrations behave in the organisation.
- Clear escalation routes between suppliers and internal responders.
- Metrics that prove these controls work and can be communicated confidently at board level.
Your resilience is only as strong as your weakest link, and that link could be as simple as a SaaS integration. Attackers know that compromising a supplier is often quicker and quieter than breaching the enterprise directly.
Organisations must now review their SaaS exposure and ask hard questions:
- Do we know which integrations hold sensitive data?
- Do we have visibility into how tokens and APIs are used?
- Can we detect anomalous behaviour and respond immediately?
- Do our suppliers demonstrate the transparency we require?
Resilience is no longer about stopping every attack. It is about demonstrating to boards, regulators and the public that you can anticipate, absorb and recover from them. The Salesforce–Salesloft breach shows how quickly a trusted link can be turned against you.
Additional information on this report can be found through incident reports available from affected organisations including: