
Stack Attack – Breach by Association – Ep 527 

 September 19, 2025

By  Donna Grindle

Ever feel like your tech stack is one shady character away from becoming a security nightmare? Yeah, same. In this episode, we dive headfirst into the murky waters of “breach by association,” where trusting one tool can accidentally invite the entire cybercriminal neighborhood into your data party. From APIs doing the digital equivalent of handing out spare keys, to sneaky GitHub repos spilling secrets like a leaky faucet, we unpack how this all went down. Spoiler: the AI-powered thieves were way too polite to trip any alarms.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

When you see a timestamp like [00:38] on the left side of the text below, click it to go directly to that part of the audio. Get the best of both worlds: from the show notes to the audio and back!


Stack Attack – Breach by Association

[00:38]

Drift and Salesloft are common tools layered on top of Salesforce. Businesses trust these tools to make their sales pipeline run smoothly.

What is Salesloft:

Salesloft is a sales engagement platform that helps sales teams manage outreach, follow-ups, and customer interactions more efficiently. Think of it as a personal assistant for every salesperson… except it’s software.

“Salesloft is the #1 sales engagement platform, helping B2B sellers get to ‘yes’ quicker. Change The Game w/ The Platform Trusted by the World’s Best Sales Organizations.”

It can connect to several different tools, but for the majority of its clients it is all about Salesforce.

How it integrates with Salesforce:

  • Pulls in contact and lead info from Salesforce
  • Lets reps send emails, make calls, and schedule meetings directly from within the platform
  • Automatically logs those activities back into Salesforce
  • Provides analytics and reporting on which messages work best

Why companies use it:

  • Makes sales teams faster and more consistent
  • Reduces manual data entry
  • Improves follow-up timing (no more “Oh no, I forgot to email that lead”)

What is Salesloft + Drift:

[12:00]

Salesloft acquired Drift back in early 2024. Drift is a chatbot platform that integrates with various applications, including Salesforce, to help businesses convert website visitors into sales leads. So now AI tools and other connections start coming online through an API that is already connected to your data.


These kinds of API connections are of great value. On the flip side, realize you’re not just unlocking your front door for one trusted friend; you’re leaving the back patio open to friends who bring friends.

Just like anything else along these lines, you have to assess the risk of using it. To be useful, Salesloft and Drift need deep access to Salesforce data (contacts, leads, timelines, emails), which makes them a perfect conduit for attackers. But the value is very high, so you set it up and make the security you can control tight. The rest you have to count on the vendors (and their vendors) to take care of. That part brings us to the boom in this story: an extensive breach.

What do we know about the Salesloft–Drift–Salesforce Stack Attack?

March 2025: The Developer’s GitHub Account is Compromised

Source: Google + TechCrunch
A threat actor gains unauthorized access to a Salesloft developer’s private GitHub repository.
The repo contains OAuth integration code for how Salesloft and Drift interact with Salesforce.
This gives the attacker the blueprints for how to move within connected systems using legitimate access paths.

When they broke in here they didn’t just find the spare keys to your house, they also found the manual for your alarm system and floor plan.

Spring–Summer 2025: Attacker Builds a Custom AI Tool, “Precision”

Source: Google
The attacker creates a tool called “Precision,” designed to:

  • Access connected Salesforce accounts via valid OAuth tokens from Drift and Salesloft
  • Use AI to prioritize and extract valuable data (contacts, deals, business context)
  • Mimic normal user and API behavior so the activity does not stand out to monitoring

It’s automated, quiet, and smart. Think of it as a data-mining Roomba – only it’s not cleaning your digital house, it’s robbing it.

May–July 2025: Quiet Exfiltration of Salesforce Data Begins

Source: Google + Cloudflare
The attacker uses stolen OAuth tokens to access the Salesforce instances of real customers through their Drift/Salesloft integrations.
Because the tokens were valid and the access was authorized, it looked like normal integration traffic to many traditional security tools. Nothing was broken into; the only signals were behavioral: which objects were queried, how many rows came back, and from which client and IP address.

Data stolen includes:

  • Contact info
  • Engagement activity
  • Sales pipeline data

Not passwords or sensitive PII, but highly actionable information for phishing and social engineering. One caveat for anyone doing their own assessment: Google’s write-up also reported that the attacker searched the stolen data for credentials such as AWS access keys and Snowflake tokens, so anything a team has pasted into a Salesforce record (support cases especially) should be treated as exposed.

August 2025: Targets Begin to Detect the Breach

Source: Cloudflare
Cloudflare detects suspicious API access through Drift and Salesloft connections to their Salesforce instance.
They trace the activity and coordinate with Salesforce and Drift.

Other companies — including Tenable, Qualys, Rubrik, and Proton — begin internal investigations.
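To make the detection point concrete, here is an added example (my code for these notes, not anything from Cloudflare, Salesforce, Salesloft or Google) of the kind of check that catches token misuse the tokens themselves can never reveal: build a baseline of what each connected app normally does (objects touched, user agents, source IPs, typical row counts), then flag calls that depart from it. The record layout, app names, IP addresses and user agents are all constructed for the sample and are simplified from anything a real Salesforce event log contains.

```python
"""Baseline-and-deviation check for connected-app API traffic (added example).

Not Salesforce, Cloudflare, Salesloft or Google code. The record layout below is
a constructed, simplified schema, not Salesforce's real EventLogFile columns.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class ApiEvent:
    ts: str          # ISO-8601 timestamp of the API call
    app: str         # connected app that presented the OAuth token
    user_agent: str  # client the app identified itself as
    client_ip: str   # where the call came from
    obj: str         # Salesforce object queried
    rows: int        # rows returned


# Constructed "normal" history for a chat integration: two objects, one client,
# two known IPs, a few dozen rows per call.
BASELINE = [
    ApiEvent("2025-07-01T09:00:00Z", "Drift", "Drift-Connector/2.0", "203.0.113.10", "Lead", 25),
    ApiEvent("2025-07-01T09:05:00Z", "Drift", "Drift-Connector/2.0", "203.0.113.10", "Contact", 40),
    ApiEvent("2025-07-02T10:00:00Z", "Drift", "Drift-Connector/2.0", "203.0.113.11", "Lead", 30),
    ApiEvent("2025-07-03T11:00:00Z", "Drift", "Drift-Connector/2.0", "203.0.113.10", "Contact", 55),
    ApiEvent("2025-07-04T09:00:00Z", "Drift", "Drift-Connector/2.0", "203.0.113.11", "Lead", 20),
]

# Constructed window under review: one normal call, then the same token used
# from a scripting client at a new IP to pull whole objects, plus an app no one
# has ever seen before.
WINDOW = [
    ApiEvent("2025-08-09T02:10:00Z", "Drift", "Drift-Connector/2.0", "203.0.113.10", "Lead", 28),
    ApiEvent("2025-08-09T02:14:00Z", "Drift", "python-requests/2.32.4", "198.51.100.7", "Account", 50000),
    ApiEvent("2025-08-09T02:20:00Z", "Drift", "python-requests/2.32.4", "198.51.100.7", "Case", 120000),
    ApiEvent("2025-08-09T03:00:00Z", "UnknownApp", "curl/8.0", "198.51.100.8", "User", 10),
]


def build_profile(history):
    """Per-app baseline: objects, user agents, source IPs and median row count."""
    raw = defaultdict(lambda: {"objects": set(), "agents": set(), "ips": set(), "rows": []})
    for e in history:
        p = raw[e.app]
        p["objects"].add(e.obj)
        p["agents"].add(e.user_agent)
        p["ips"].add(e.client_ip)
        p["rows"].append(e.rows)
    return {app: {**p, "median_rows": median(p["rows"])} for app, p in raw.items()}


def flag_events(profile, events, row_factor=10):
    """Return [(event, reasons)] for calls that depart from their app's baseline.

    The token is valid in every case; only behaviour is judged.
    """
    flagged = []
    for e in events:
        reasons = []
        p = profile.get(e.app)
        if p is None:
            reasons.append("unknown connected app")
        else:
            if e.obj not in p["objects"]:
                reasons.append(f"first access to object {e.obj}")
            if e.user_agent not in p["agents"]:
                reasons.append(f"new user agent {e.user_agent!r}")
            if e.client_ip not in p["ips"]:
                reasons.append(f"new source IP {e.client_ip}")
            if e.rows > row_factor * max(p["median_rows"], 1):
                reasons.append(f"{e.rows} rows vs median {p['median_rows']:.0f}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def run_demo():
    """Profile the baseline, review the window, return the flagged calls."""
    return flag_events(build_profile(BASELINE), WINDOW)


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(f"{event.ts} {event.app:<11} {event.obj:<8} ALERT: {'; '.join(reasons)}")
```

In practice the baseline would come from weeks of Salesforce event monitoring for each connected app, and the thresholds would be tuned per app. The point is that a valid OAuth token used from a new client to pull whole objects in one go is exactly what this breach consisted of, and it is visible if someone is watching the integration’s behavior rather than trusting its credentials.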

Early September 2025: Public Disclosure Begins

Source: TechCrunch, Proton, Help Net Security
TechCrunch broke the story publicly on September 8.
Salesloft confirms the attacker accessed customer data through Drift integrations.
Google, Salesforce, and others coordinate revocation of affected tokens and strengthen monitoring.

[20:11]

Current Status (as of September 8, 2025)

  • Attack appears contained, but the exact scope is still being assessed by several affected companies
  • OAuth tokens were rotated or revoked
  • No evidence of Salesforce itself being exploited directly — the breach leveraged trusted connections
  • Raises red flags about SaaS supply chain security, particularly how integrated apps can become weak points

How bad is it?

Confirmed Companies Affected by the Breach

(as of September 8, 2025)

1. Cloudflare

  • Confirmed unauthorized access to their Salesforce data via Drift/Salesloft.
  • Detected and reported suspicious behavior proactively.
  • Emphasized that no customer or sensitive internal data was taken.

2. Qualys

  • Cybersecurity company.
  • Confirmed in multiple reports (including Help Net Security) as affected.
  • No specific details disclosed about scope or data types.

3. Tenable

  • Another big cybersecurity name.
  • Confirmed impact; no customer-sensitive data believed to be exposed.
  • Working with Salesforce to assess full scope.

4. Rubrik

  • Enterprise data protection and backup company.
  • Reported in the SecurityWeek and Infosecurity Magazine articles as affected.
  • Details remain limited.

5. Proton (Proton Mail)

  • Privacy-focused email and VPN provider.
  • Wrote a very transparent blog post confirming impact.
  • Said data taken included sales and marketing contact data — not end-user data.

Others Reported, But Not Yet Confirmed

A few reports suggest “more cybersecurity firms” have been impacted, but haven’t gone public yet. The language in SecurityWeek and Google Cloud’s blog hints that this could include:

  • Companies in security software, cloud infrastructure, and email security
  • Potentially more than a dozen organizations, per anonymous sources cited by TechCrunch and Google’s threat intel
  • This is shaping up like a supply chain breach with a “quiet body count” — not everyone is coming forward (yet), especially if the exposed data wasn’t PII or regulated.

A stack attack can hit anyone

[29:13]

This breach didn’t start with Salesforce. Or Drift. Or even Salesloft.
It started with a GitHub repo tied to a Salesloft developer.
That’s three steps (or more) removed from the customer — and yet, that’s all it took.

Vendors of vendors of vendors can expose your data.
The breach chain looked like this:
GitHub → Salesloft → Drift → Salesforce → Your company data.
And all of it through legitimate, trusted, fully authorized connections.

Salesloft isn’t in trouble because they were hacked.
They’re facing reputational damage because:

  • The attacker got in through a common but preventable vector (poor GitHub security).
  • They didn’t detect the breach — a customer did.
  • It took months before anyone knew what was happening.

If you’re writing code, you’re part of the attack surface now.
GitHub and source control systems aren’t just dev tools anymore – they’re attack targets.
Security teams need to treat developer credentials, tokens, and repos like production systems.
Because, well… that’s how attackers see them.
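That last point deserves a worked check. Below is an added example of a pre-commit secret scan for a repository that holds integration code like the one in this story; it is my illustration for these notes, not Salesloft’s or GitHub’s code, and the rule names, regexes, placeholder list and sample files are all constructed. In a real repository you would wire a maintained scanner into the same hook and turn on the hosting platform’s secret scanning and push protection; the example shows what such a hook is actually doing, and why placeholder values in example configs have to be allowlisted deliberately rather than silently ignored.

```python
"""Pre-commit style secret scan for an integration repo (added example).

Not Salesloft's or GitHub's code. Rule names and regexes are this example's own
illustrations; a real hook would delegate to a maintained scanner.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # redacted, so the hook's own output never leaks the secret


# Illustrative rules. The AWS and GitHub prefixes are real formats; the OAuth
# and bearer rules are deliberately broad and would need tuning in a real repo.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "oauth_client_secret": re.compile(
        r"""(?i)\b(?:client_secret|consumer_secret)\s*[:=]\s*["']([^"'\s]{16,})["']"""
    ),
    "bearer_token": re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._!\-]{20,}"),
}

# Values that are allowed to appear in checked-in example/config files.
PLACEHOLDERS = {"REPLACE_WITH_REAL_SECRET", "CHANGEME", "<CLIENT-SECRET>"}


def redact(secret):
    """Keep just enough of the value to locate it, never enough to use it."""
    return secret[:4] + "..." if len(secret) > 4 else "****"


def scan_text(path, text):
    """Scan one file's contents; return one Finding per rule hit per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if secret.upper() in PLACEHOLDERS:
                    continue
                findings.append(Finding(path, lineno, rule, redact(secret)))
    return findings


def scan_files(files):
    """files: {path: contents}, i.e. the staged files a pre-commit hook would see."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files standing in for a staged commit.
SAMPLE_FILES = {
    "integrations/salesforce_client.py": (
        "# constructed sample of a file that must never carry live credentials\n"
        'CLIENT_ID = "3MVG9.example.consumer.key"\n'
        'client_secret = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"\n'
        'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'
        'HEADERS = {"Authorization": "Bearer 00Dxx0000000001!AQEAQFakeTokenValue1234567890"}\n'
    ),
    "integrations/config.example.py": (
        "import os\n"
        "# placeholder in a checked-in example file: allowed\n"
        'client_secret = "REPLACE_WITH_REAL_SECRET"\n'
        "# the real value is read from the environment at runtime, never committed\n"
        'CLIENT_SECRET = os.environ["SF_CLIENT_SECRET"]\n'
    ),
}


def main(files=SAMPLE_FILES):
    """Hook entry point: report findings and return a git-style exit code."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule} ({f.preview})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pre-commit hook over the staged files, a non-zero exit blocks the commit. The redacted preview matters: the hook’s own log is one more place a secret can leak. Note what this does not cover: the blueprint problem in this story (an attacker reading how the OAuth integration worked) is not fixed by secret scanning and needs repository access controls, MFA on developer accounts and audit logging on top.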

So what did we learn, kids? That your data is only as secure as the sketchiest tool in your stack. Whether it’s an overeager chatbot or a developer’s GitHub account that’s looser than a dollar store padlock, breaches can come from the most unexpected corners. Connecting apps without checking their friends is like letting your buddy crash on your couch… and finding out they brought a burglar with them.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: