{"id":14765,"date":"2025-09-10T11:10:16","date_gmt":"2025-09-10T11:10:16","guid":{"rendered":"https:\/\/newestek.com\/?p=14765"},"modified":"2025-09-10T11:10:16","modified_gmt":"2025-09-10T11:10:16","slug":"what-the-salesloft-drift-breaches-reveal-about-4th-party-risk","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14765","title":{"rendered":"What the Salesloft Drift breaches reveal about 4th-party risk"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/4046407\/attackers-steal-data-from-salesforce-instances-via-compromised-ai-live-chat-tool.html\">recent SalesLoft Drift breaches<\/a> revealed an uncomfortable truth that keeps me up at night, and should keep every CISO awake, too. Organizations weren\u2019t breached through their vendor. They weren\u2019t even breached through their vendor\u2019s vendor. It appears they were compromised through their vendor\u2019s acquired company, referred to as a \u201cfourth-party,\u201d via legacy OAuth tokens that had been dormant for 18 months.<\/p>\n<p>As a point of fact, Drift historically integrated with both Salesforce (as a connected app) and Google Workspace (via its email integration). <a href=\"https:\/\/blog.vorlon.io\/salesloft-drift-breach-what-happened-how-to-protect-yourself\" target=\"_blank\" rel=\"noreferrer noopener\">In this incident<\/a>, attackers abused OAuth tokens associated with the Drift application to access Salesforce instances and accessed a limited number of Google Workspace accounts through the Drift email integration.<\/p>\n<p>Public disclosures have not confirmed whether any abused tokens predated Salesloft\u2019s 2024 acquisition of Drift. 
However, there is a real possibility that some tokens were legacy and inherited, which is an all\u2011too\u2011common scenario in M&amp;A. Regardless of token provenance, the risk pattern is clear.<\/p>\n<p>Welcome to the fourth-party breach era, where your attack surface extends far beyond anything you can see, assess or control through traditional security measures.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-breach-that-changed-everything\">The breach that changed everything<\/h2>\n<p>Let me paint you a picture of how this likely played out:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>February 2024:<\/strong> <a href=\"https:\/\/www.salesloft.com\/company\/newsroom\/salesloft-acquires-drift\" target=\"_blank\" rel=\"noreferrer noopener\">SalesLoft acquires Drift<\/a>, an AI-powered chatbot company<\/li>\n<li><strong>The hidden legacy:<\/strong> Drift\u2019s existing OAuth tokens to thousands of Salesforce and Google Workspace instances probably remained active<\/li>\n<li><strong>Time passes:<\/strong> Tokens and app permissions remain valid unless explicitly rotated or revoked.<\/li>\n<li><strong>August 2025:<\/strong> Attackers abuse OAuth tokens associated with the Drift application to enumerate and exfiltrate Salesforce data; a limited number of Google Workspace accounts are impacted via the Drift email integration (per <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/data-theft-salesforce-instances-via-salesloft-drift\" target=\"_blank\" rel=\"noreferrer noopener\">Google Threat Intelligence<\/a>,<a href=\"https:\/\/thehackernews.com\/2025\/08\/google-warns-salesloft-oauth-breach.html\" target=\"_blank\" rel=\"noreferrer noopener\"> The Hacker News<\/a>).<\/li>\n<li><strong>The result:<\/strong> Hundreds of organizations breached through a vendor relationship outside their control.\u00a0<\/li>\n<\/ul>\n<p>Many organizations lack complete runtime visibility into which connected apps and inherited integrations hold OAuth access to 
their environments, particularly after M&amp;A. That\u2019s a gap adversaries exploit, and a gap we must close.<\/p>\n<h2 class=\"wp-block-heading\" id=\"your-real-attack-surface-in-2025\">Your real attack surface in 2025<\/h2>\n<p>Here\u2019s what security teams think they\u2019re protecting:<\/p>\n<ul class=\"wp-block-list\">\n<li>Their SaaS applications<\/li>\n<li>Their approved vendor integrations<\/li>\n<li>Their documented third-party relationships<\/li>\n<\/ul>\n<p>Here\u2019s what they\u2019re actually exposed to:<\/p>\n<ul class=\"wp-block-list\">\n<li>Every company their vendors have acquired<\/li>\n<li>Every SaaS and AI tool integration those acquired companies ever created<\/li>\n<li>Every OAuth token that survived those acquisitions<\/li>\n<li>Every permission that nobody remembers granting<\/li>\n<\/ul>\n<p>Now, I\u2019ll put this in perspective with real numbers:<\/p>\n<p>Enterprises today operate sprawling SaaS estates. On average, large organizations manage <a href=\"https:\/\/sqmagazine.co.uk\/saas-statistics\/\" target=\"_blank\" rel=\"noreferrer noopener\">between 125 and 200 SaaS applications<\/a>, with some studies reporting higher counts when shadow IT is included. Each of those applications typically maintains <a href=\"https:\/\/sqmagazine.co.uk\/saas-statistics\/\" target=\"_blank\" rel=\"noreferrer noopener\">multiple third\u2011party\/API integrations<\/a> to function within enterprise workflows, often reaching low double\u2011digit connectors in mature stacks. 
Layered on top of this is steady consolidation: software M&amp;A activity across technology, media and telecommunications (TMT) has remained active in recent years, with many mid\u2011market SaaS vendors completing <a href=\"https:\/\/www.pwc.com\/gx\/en\/services\/deals\/trends.html\" target=\"_blank\" rel=\"noreferrer noopener\">a handful of acquisitions over five\u2011year periods<\/a>, inheriting integrations and permissions along the way.<\/p>\n<p>Put together, the math is sobering. Even at a conservative 150 apps and 5\u201310 integrations per app, most large enterprises are already managing roughly 750\u20131,500 integration links. When you add acquisition\u2011inherited OAuth connections and legacy permissions, exposure often reaches the thousands, resulting in an expanding fourth\u2011party attack surface that\u2019s largely invisible until it\u2019s exploited (<a href=\"https:\/\/sqmagazine.co.uk\/saas-statistics\/\" target=\"_blank\" rel=\"noreferrer noopener\">SQ Magazine<\/a>,<a href=\"https:\/\/www.pwc.com\/gx\/en\/services\/deals\/trends.html\" target=\"_blank\" rel=\"noreferrer noopener\"> PwC<\/a>).<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-ma-time-bomb-nobody-talks-about\">The M&amp;A time bomb nobody talks about<\/h2>\n<p>Every time a vendor in your supply chain makes an acquisition, you inherit a security debt you don\u2019t even know exists. Here\u2019s why this is so dangerous:<\/p>\n<h3 class=\"wp-block-heading\" id=\"oauth-tokens-dont-care-about-ownership\">OAuth tokens don\u2019t care about ownership<\/h3>\n<p>When SalesLoft acquired Drift, they inherited:<\/p>\n<ul class=\"wp-block-list\">\n<li>Active OAuth refresh tokens that never expire<\/li>\n<li>Broad permissions to customer Salesforce instances<\/li>\n<li>API access to Google Workspace environments<\/li>\n<li>Trust relationships that persist indefinitely<\/li>\n<\/ul>\n<p>These tokens don\u2019t check if the company still exists independently. 
They don\u2019t verify if the acquisition was completed. They just continue to work. Sometimes for years.<\/p>\n<h3 class=\"wp-block-heading\" id=\"the-visibility-black-hole\">The visibility black hole<\/h3>\n<p>Traditional vendor risk assessments ask questions like:<\/p>\n<ul class=\"wp-block-list\">\n<li>\u201cDo you have SOC 2 certification?\u201d<\/li>\n<li>\u201cWhat\u2019s your incident response plan?\u201d<\/li>\n<li>\u201cHow do you manage access controls?\u201d<\/li>\n<\/ul>\n<p>What they rarely, if ever, ask about acquisitions:<\/p>\n<ul class=\"wp-block-list\">\n<li>\u201cWhat companies have you acquired in the last 3 years?\u201d<\/li>\n<li>\u201cDid their OAuth integrations have access to sensitive data?\u201d<\/li>\n<li>\u201cAre those legacy tokens still active?\u201d<\/li>\n<li>\u201cCan you even enumerate all inherited permissions?\u201d<\/li>\n<\/ul>\n<p>The answer to that last question, by the way, is almost always \u201cno.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"why-this-changes-everything\">Why this changes everything<\/h2>\n<p>This isn\u2019t just another supply chain attack. It\u2019s a fundamental shift in how we think about SaaS security. Here\u2019s why:<\/p>\n<h3 class=\"wp-block-heading\" id=\"1-point-in-time-assessments-are-dead\">1. Point-in-time assessments are dead<\/h3>\n<p>Your vendor risk assessment from last quarter is already obsolete. In the time it took to complete it, your vendors made acquisitions, created new integrations and inherited permissions you\u2019ll never know about until they\u2019re exploited.<\/p>\n<h3 class=\"wp-block-heading\" id=\"2-the-perimeter-is-a-myth\">2. The perimeter is a myth<\/h3>\n<p>We\u2019ve been saying \u201cthere is no perimeter\u201d for years, but we still acted like we could define our vendor boundaries. 
The fourth-party reality means your perimeter extends infinitely through acquisition chains you can\u2019t see or control.<\/p>\n<h3 class=\"wp-block-heading\" id=\"3-trust-relationships-are-permanent\">3. Trust relationships are permanent<\/h3>\n<p>Once an OAuth token is granted, it can remain valid through acquisitions, bankruptcies, pivots and ownership changes. That startup you integrated with three years ago might now belong to a company you\u2019ve never heard of.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-path-forward\">The path forward<\/h2>\n<p>We can\u2019t solve this with questionnaires. We can\u2019t fix it with annual assessments. We need continuous, real-time visibility into the actual behavior of every OAuth token, every API connection and every data flow, regardless of who owns it today versus who owned it yesterday.<\/p>\n<p>This means we must:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Monitor behavior and data, not the vendor.<\/strong> Stop trusting vendor relationships. Start monitoring sensitive data flows. An OAuth token accessing an abnormally large volume of Salesforce data at 3 AM from a Tor exit node is suspicious, whether it belongs to a trusted vendor or not.<\/li>\n<li><strong>Assume infinite parties.<\/strong> Don\u2019t think in terms of third-party or fourth-party. Assume infinite parties. 
Your security posture should be based on zero-trust principles that verify every action, regardless of the trust chain.<\/li>\n<li><strong>Demand OAuth archaeology.<\/strong> Every organization needs to conduct what I call \u201cOAuth archaeology\u201d: digging through layers of integration sediment to understand what tokens exist, what sensitive data they can access and whether they should still be active.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"a-call-to-action-for-our-industry\">A call to action for our industry<\/h2>\n<p>The SalesLoft Drift breaches of 2025 taught us that your biggest security risk might be a company you\u2019ve never heard of, acquired by a vendor you trust, using tokens created before you were even their customer.<\/p>\n<p>The only solution is continuous, real-time monitoring of every API call, every data flow and every OAuth token, regardless of how many parties removed they are from your organization.<\/p>\n<p>The rules have changed. The fourth-party era is here. We need to fundamentally rethink how we secure our interconnected SaaS ecosystems.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><strong><br \/><\/strong><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\"><strong>Want to join?<\/strong><\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The recent SalesLoft Drift breaches revealed an uncomfortable truth that keeps me up at night, and should keep every CISO awake, too. Organizations weren\u2019t breached through their vendor. They weren\u2019t even breached through their vendor\u2019s vendor. It appears they were compromised through their vendor\u2019s acquired company, referred to as a \u201cfourth-party,\u201d via legacy OAuth tokens that had been dormant for 18 months. 
As a point&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14765\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14765","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14765","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14765"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14765\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14765"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14765"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14765"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}