🔍AI RiskAtlas
← Real-world cases
Case study

Salesloft Drift OAuth supply-chain breach (UNC6395) — mass Salesforce data theft via an AI chat integration

Real-world incident26 Aug 2025🗺️ Tool-Using Agent

Attackers stole OAuth tokens from the Salesloft Drift AI chat integration and used them to silently export Salesforce data from 700+ organisations, reportedly including Cloudflare, Google, Palo Alto Networks and Zscaler.

Root cause — why it happened

Drift is an AI chat assistant many companies put on their websites. To do its job, it was given a standing 'master key' (an OAuth token) into each customer's Salesforce — the system that holds their sales and support records. Attackers got hold of those keys from the Drift side, then used them to log straight into hundreds of customers' Salesforce accounts and quietly copy out the data. Because the key already carried Drift's trust, no password prompt or extra check stood in the way. They were really hunting for other passwords and cloud keys hidden inside that data, to break in elsewhere.

Risks this case illustrates

Named in the standard (OWASP/ATLAS/NIST) lens. Click a highlighted component in the diagram below to see which risks attach where.

How it unfolded

UntrustedAgent coreOversightThe real worldscopes🧑User🎛️Orchestrator /Agent Loop🧠LLM🔐Identity &Permissions🔧Tool RuntimeHuman ApprovalGate🔌External APIs🗄️BusinessDatabase🌐UntrustedContent📝Audit Logging🌐UNC6395 (holdsstolen Drift🌐Attacker store(secret-scanned)
InstructionsDataActionsControl / decisionFeedback / logs
👆 Click a component to inspect its risks
SetupStep 1 / 7

A standing key into every customer's Salesforce

Long before the attack, each customer connected the Drift AI chat assistant to their Salesforce so it could read and write sales records on their behalf. That connection left a standing key — one that keeps working without anyone logging in again. Hundreds of companies had one.

⚙️The standing integration grant (illustrative)config
integration: Salesloft Drift (AI chat)
oauth_grant:
  scope: api, refresh_token, full      # broad; rarely minimised
  access_token: <bearer>                # short-lived but auto-renewed
  refresh_token: <bearer, long-lived>   # standing trust into the tenant
  bound_to: <none>                       # not IP/device/tenant-pinned
  mfa_required_on_use: false             # token carries existing trust
# Same shape replicated across 700+ customer Salesforce orgs.
Step 1 / 7

Controls & guardrails — what would have stopped it

Two things together would have blunted this. First, give the AI integration only the narrow access it truly needs, with keys that expire quickly — not a standing master key into everything. Second, watch how much data it pulls and be able to switch all its keys off in one move. Then a stolen key opens far less, for far shorter, and gets shut faster.

Preventive
  • Least-privilege identity & scoped credentials

    Doesn't prevent manipulation — only caps its reach. Hard to get right operationally; over-broad scopes are the common real-world failure.

  • Egress allowlisting & DLP on tool arguments

    Allowlists fight an open-ended channel; legitimate-but-broad destinations (any URL fetch, any email) are hard to constrain without breaking usefulness. Encoding can evade naive DLP.

  • MCP/plugin pinning, manifest hashing & re-review

    Review catches what reviewers understand; a subtle malicious directive can pass. Pinning helps only if you actually re-review on update rather than auto-accepting.

Detective
  • Runtime monitoring & anomaly detection

    Detects the anomalous, not the novel-but-subtle; high false-positive rates cause alert fatigue. Always a step behind a sufficiently quiet attacker.

  • Full-trace audit logging

    Logging is forensic, not preventive — it explains harm after the fact. Useless if no one reviews it or if the materialised context isn't captured.

Corrective
  • Governance: risk assessment, red-teaming & incident response

    Process reduces likelihood and speeds recovery but executes no technical control itself; weak follow-through makes it theatre.

Lessons

  • A third-party AI integration is a privileged non-human principal: its standing OAuth tokens are high-value targets, and one vendor-side compromise fans out across every tenant that trusts it.
  • OAuth bearer tokens are completed authentication — they ride existing trust and bypass MFA, so the control surface is scope, binding, lifetime, monitoring, and revocability, not a login prompt.
  • When access is legitimate, only volume and destination distinguish theft from normal use — instrument per-integration egress/query anomalies, not just authorisation.
  • Mass, fast revocation is the corrective that actually ends this class of incident; design integrations so all their tokens can be killed in one move.
  • Secrets stored as free text in CRM records turn a data breach into a credential-harvesting campaign — scan and purge them so a dump yields nothing live.

Proposals & gaps this case surfaced

Non-destructive suggestions for the library — proposed, not adopted.

✚ proposed guardrailThird-party AI-integration credential containment: minimise & bind OAuth grants, prefer short-lived tokens, monitor per-integration data egress, and keep a tested mass-revocation kill-switchAgent Access & Tool Control

Treat each third-party AI integration as a privileged non-human principal: issue least-scope, IP/device-bound, short-lived grants (avoid 'full' scope and standing long-lived refresh tokens), instrument the integration's data egress for volume/object-breadth/destination anomalies, and maintain a tested one-move revocation path for all of an integration's tokens so a single vendor-side compromise cannot fan out into hundreds of standing footholds.

This case shows a gap: a lot of guidance focuses on tricking the AI model, but here the AI was never tricked at all — its standing 'master key' into other systems was simply stolen and reused. We should treat that long-lived integration key as its own risk to manage: keep it small, short-lived, watched, and quick to switch off.

These surface as proposals across the Control Library and Risk Taxonomy; adopt them by hand when ready.

Practise the risk class — related scenarios

📧The Email That Gave Orders

A support email hides instructions — and the assistant obeys them

👂Overheard Through the Cache

A speed optimisation becomes a cross-tenant listening device

🏭Poisoning the Agent Factory

Compromise the pipeline that builds agents, and every new worker is born malicious

🪟Stealing the Model

Two doors to the same secret: reconstruct the model through its API, or just walk off with the weight file

🪤The Bug Report That Ran Code

A fake Sentry error report hijacks a developer's coding agent into running a shell command

📼The Compromised Flight Recorder

The forensic record is itself the attack surface — an agent's log is poisoned, then quietly rewritten

🔓The Model That Forgot to Say No

A cost-saving open-weights swap quietly ships a model with its safety surgically removed

🖼️The Picture That Whispered

A screenshot that's harmless at full size becomes an order once the system shrinks it

💤The Sleeper

A capable third-party model that behaves perfectly — until it sees the trigger

🎫The Stolen Session

An attacker captures the agent's bearer token — and inherits its authority

🔌The Tool With a Hidden Agenda

A trusted MCP email tool quietly BCCs every message to an attacker

🥸The Uninvited Agent

A forged peer registers on the agent directory — and the planner enlists it

🪪The Worker Who Spoke for the Boss

A poisoned web page hijacks a research agent — and the planner acts on its behalf

🖼️Zero-Click Leak by Picture

An inbox summary quietly ships a secret to an attacker's server

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading →·Built by Shi Yuan ↗