Attack Path: From Source Code to API Abuse

The recent Salesloft-Drift breach that compromised hundreds of organizations is a supply-chain attack that every security team needs to understand. No exploit against the victims' own systems was required; the attackers abused the very foundation of modern SaaS integrations: OAuth tokens and the API trust relationships they carry.


Here’s what happened: attackers gained access to Salesloft’s GitHub account and kept that foothold for months before pivoting into the company’s AWS environment. There they extracted the OAuth tokens that Drift held for its customer integrations and used them to query Salesforce APIs across hundreds of customer environments. Because each token was valid and carried the permissions its customer had granted the Drift integration, the queries looked, on the Salesforce side, like the integration’s own traffic.

The result was data exfiltration across hundreds of tenants, service disruption as tokens were revoked and the integration taken offline, and a cascading impact across the SaaS ecosystem that is still unfolding.

APIs as a Primary Attack Surface

APIs are the connective tissue of modern business operations: they carry the integrations that make SaaS platforms useful, shorten innovation cycles, and let organizations move at digital speed. That same interconnection is an expansive attack surface, and one that perimeter-oriented security tools were never built to watch.

The numbers tell the story. Gartner has predicted that by 2025 more than half of data-theft incidents will be attributable to insecure APIs, and VentureBeat reports that API vulnerabilities already cost businesses $75 billion a year. The Salesloft-Drift incident shows why such estimates may well be conservative.

Characteristics of API Exploitation

Three characteristics make API attacks particularly hard to catch:

  • APIs are trusted by design. Integrations are granted broad, long-lived permissions so that they work without a human in the loop. An attacker holding a legitimate token inherits every one of those permissions, and the platform itself has no way to tell that the token has changed hands.
  • Malicious activity mimics normal behavior. The Salesloft attackers used automated Python tooling built on asynchronous HTTP libraries and Salesforce’s Bulk API. None of that is exotic; it is exactly what a legitimate high-volume integration uses, which is why the traffic passed as routine with most monitoring. What did differ was context: where the requests came from, which objects they touched, how many rows they pulled, and what client identified itself in the request, all measured against what the integration had done before.
  • Traditional security tools are blind to runtime API abuse. Static configuration scans and perimeter defenses see a valid token making a permitted call. They cannot detect misuse whose pattern mirrors legitimate integration behavior, because the only evidence is in the runtime behavior itself.
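The contextual signals just listed can be checked mechanically. The following is an added example, not code from the original post, Upwind, or Salesloft: it learns a per-connected-app profile from a clean window of API event records and flags later events that deviate on several axes at once. The event fields, the client_id values, and the TEST-NET addresses are all constructed for the example and only loosely resemble Salesforce EventLogFile columns.

```python
"""Behavioural detection of a valid OAuth token being used by someone else.

Added example: not code from the original post, Upwind or Salesloft.
It learns what a connected app normally does from a clean window of API
events and flags later events that deviate on several axes at once.
The event shape (client_id, source_ip, api, sobject, rows, ua) is an
assumption that only loosely resembles Salesforce EventLogFile columns.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline window for one connected app (TEST-NET addresses).
BASELINE = [
    {"client_id": "drift-app", "source_ip": "192.0.2.5", "api": "REST", "sobject": "Lead", "rows": 40, "ua": "Drift/2.3"},
    {"client_id": "drift-app", "source_ip": "192.0.2.9", "api": "REST", "sobject": "Contact", "rows": 25, "ua": "Drift/2.3"},
    {"client_id": "drift-app", "source_ip": "192.0.2.5", "api": "Bulk", "sobject": "Lead", "rows": 900, "ua": "Drift/2.3"},
    {"client_id": "drift-app", "source_ip": "192.0.2.7", "api": "REST", "sobject": "Account", "rows": 60, "ua": "Drift/2.3"},
]

# Constructed events from the window under investigation.
NEW_EVENTS = [
    # Routine: same network, known object, normal volume, normal client.
    {"client_id": "drift-app", "source_ip": "192.0.2.6", "api": "REST", "sobject": "Lead", "rows": 35, "ua": "Drift/2.3"},
    # Same valid token, but a new network, an object the app never read,
    # a bulk export far above baseline, and a scripted HTTP client.
    {"client_id": "drift-app", "source_ip": "203.0.113.44", "api": "Bulk", "sobject": "Case", "rows": 250000, "ua": "python-aiohttp/3.9"},
    # Single deviation (new network only): below the alert threshold here.
    {"client_id": "drift-app", "source_ip": "203.0.113.44", "api": "REST", "sobject": "Contact", "rows": 10, "ua": "Drift/2.3"},
]


def build_profile(events):
    """Per connected app: source /24s, objects, user agents and the largest
    row count seen per API type during the baseline window."""
    profile = defaultdict(lambda: {"nets": set(), "objects": set(), "uas": set(), "max_rows": defaultdict(int)})
    for e in events:
        p = profile[e["client_id"]]
        p["nets"].add(ip_network(f"{e['source_ip']}/24", strict=False))
        p["objects"].add(e["sobject"])
        p["uas"].add(e["ua"])
        p["max_rows"][e["api"]] = max(p["max_rows"][e["api"]], e["rows"])
    return profile


def score_event(event, profile, volume_factor=5):
    """Return the list of ways this event deviates from its app's profile."""
    p = profile.get(event["client_id"])
    if p is None:
        return ["unknown_client"]  # a token for an app never seen in the baseline
    reasons = []
    ip = ip_address(event["source_ip"])
    if not any(ip in net for net in p["nets"]):
        reasons.append("new_source_network")
    if event["sobject"] not in p["objects"]:
        reasons.append(f"new_object:{event['sobject']}")
    if event["ua"] not in p["uas"]:
        reasons.append("new_user_agent")
    ceiling = p["max_rows"].get(event["api"], 0) * volume_factor
    if event["rows"] > ceiling:
        reasons.append(f"volume:{event['rows']}>{ceiling}")
    return reasons


def detect(events, profile, min_reasons=2):
    """Alert only when several independent signals line up: any single one
    (a new office IP, a new object after a product release) is routine."""
    alerts = []
    for e in events:
        reasons = score_event(e, profile)
        if len(reasons) >= min_reasons:
            alerts.append({"client_id": e["client_id"], "source_ip": e["source_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_profile(BASELINE)):
        print(alert)
```

Running it reports the bulk export of Case records from the new network and leaves the two routine events alone. The threshold of two independent signals is deliberate: a new egress IP or a new object after a product release is ordinary on its own, and alerting on each would bury the one event that matters. In production the baseline would be rebuilt on a rolling window and the volume ceiling taken from a high percentile rather than the maximum.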

Addressing the API Security Grey Zone

A persistent challenge in API security is what might be called the “grey zone”: the space where static scanning and point-in-time vulnerability assessments stop and runtime reality begins. A stolen token used within its granted scope produces no finding in either. Recent research and breach analyses point to the same conclusion: effective API security needs coverage across the whole API lifecycle, pairing pre-deployment safeguards with runtime intelligence.

Continuous Monitoring and Data Awareness

Comprehensive API protection requires continuous, real-time observation of API calls, workloads, and microservices. It has to go beyond traffic inspection and identify and classify the sensitive data moving through those calls, including personally identifiable information (PII), protected health information (PHI), and confidential business records. Correlating API activity with identity context (which token, which connected app, which user), process behavior, and data flows across the network (L3), transport (L4), and application (L7) layers surfaces anomalies that static or siloed tools miss. It also answers the question an incident responder asks first when a token is compromised: what data did it actually reach?
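As an added example of the data-awareness half of this (not code from the original post or from Upwind), the script below scans captured API response bodies for PII, PHI, and embedded secrets and rolls the hits up per connected app, so that a compromised token can be mapped to the sensitivity classes it actually received. The response shape, the client_id values, the field-name heuristic for PHI, and the sample records are assumptions constructed for the example; the AWS access key is AWS's own documented example key.

```python
"""Classify sensitive data in API responses and attribute it to the caller.

Added example, not code from the original post or from Upwind. It answers
"what did this token actually receive?" by scanning response bodies for
PII, PHI and embedded secrets and rolling the hits up per connected app.
The response shape (client_id, sobject, body) and the field-name heuristic
for PHI are assumptions made for the example.
"""
import re
from collections import defaultdict

# Value-level patterns. Deliberately simple; see the note on false positives.
PATTERNS = {
    "pii:email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "pii:phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "pii:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "secret:aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret:bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._-]{20,}"),
    "secret:password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}
# Field names that hold PHI regardless of value (assumed names, normalised).
PHI_FIELDS = {"diagnosis", "medicalrecordnumber", "mrn"}

# Constructed responses, as a runtime sensor would capture them.
# The AWS key is AWS's documented example key, not a live credential.
SAMPLE_RESPONSES = [
    {"client_id": "drift-app", "sobject": "Contact", "body": {"records": [
        {"Name": "Ada Lovelace", "Email": "ada@example.com", "Phone": "+1-202-555-0143"},
    ]}},
    {"client_id": "drift-app", "sobject": "Case", "body": {"records": [
        {"Subject": "Sync broken",
         "Description": "Customer pasted AKIAIOSFODNN7EXAMPLE and password=Hunter2 into the ticket"},
        {"Subject": "Portal access",
         "Description": "Header was Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.ZmFrZXNpZw",
         "Diagnosis": "type 2 diabetes"},
    ]}},
    {"client_id": "billing-app", "sobject": "Account", "body": {"records": [
        {"Name": "Acme Corp", "Industry": "Retail"},
    ]}},
]


def walk(obj, path=""):
    """Yield (path, scalar) pairs for every leaf of a nested JSON-like body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def classify_field(path, value):
    """Labels for one leaf: PHI by field name, PII and secrets by value."""
    labels = set()
    name = path.rsplit(".", 1)[-1].replace("_", "").lower()
    if name in PHI_FIELDS and value not in (None, ""):
        labels.add("phi:field")
    if isinstance(value, str):
        for label, rx in PATTERNS.items():
            if rx.search(value):
                labels.add(label)
    return labels


def exposure_report(responses):
    """Per connected app: how many fields of each sensitivity class it received.
    Apps that received nothing sensitive still appear, with an empty dict."""
    report = defaultdict(lambda: defaultdict(int))
    for resp in responses:
        per_app = report[resp["client_id"]]
        for path, value in walk(resp["body"]):
            for label in classify_field(path, value):
                per_app[label] += 1
    return {app: dict(counts) for app, counts in report.items()}


if __name__ == "__main__":
    for app, counts in exposure_report(SAMPLE_RESPONSES).items():
        print(app, counts)
```

The Case records are the interesting part: support tickets routinely contain pasted credentials, so an integration that reads Case data receives secrets it has no business holding, and the report makes that concrete per app instead of leaving it to guesswork after the fact. Pattern matching of this kind has false positives (any 20-character token after the word Bearer) and misses structured PHI that carries no recognizable marker, so in practice it is paired with schema-level classification of the objects being read.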

Figure: Upwind inspects payloads to identify sensitive data in transit and correlates it with communications at the networking and application layers.

Proactive Vulnerability Testing

API security is strengthened by identifying risky endpoints, misconfigurations, and exploitable weaknesses before attackers do. A finding contextualized with runtime behavior and data sensitivity (is the endpoint reachable, is it actually called, what does it return?) gives a more accurate measure of impact than a static severity score alone, so security teams can put remediation effort where it most reduces real-world exposure.

Figure: Upwind continuously tests APIs to pinpoint critical vulnerabilities at runtime.

Runtime-Enhanced Shift-Left Security

Feeding runtime-derived insight back into CI/CD pipelines has become a critical practice. Scanning GitHub repositories and container builds can be augmented with runtime simulation that models API interactions and potential data exposure in pre-production environments. Pre-deployment checks will not stop a credential from being stolen, but they limit what a stolen credential is worth: an integration granted far more access than it ever uses is what turns one compromised vendor into hundreds of downstream victims, as it did in the Salesloft incident.
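One concrete form of runtime-informed shift-left is a pipeline gate that compares what an integration has been granted with what runtime observation shows it actually uses. The block below is an added example, not code from the original post or from Upwind; the grant manifest, the observed (object, operation) pairs, and their shapes are assumptions constructed for the example and do not correspond to any vendor's export format.

```python
"""CI gate: compare what an integration is granted with what it actually uses.

Added example, not code from the original post or from Upwind. The grant
manifest and the runtime observations are constructed; their shape (OAuth
scope list plus per-object permission sets, and (sobject, operation) pairs
observed at runtime) is an assumption, not any vendor's export format.
"""
from collections import defaultdict

# Constructed grant manifest for one connected app.
GRANTED = {
    "app": "drift-app",
    "oauth_scopes": ["api", "refresh_token", "full"],
    "object_permissions": {
        "Lead": {"read", "create", "edit"},
        "Contact": {"read", "edit"},
        "Case": {"read", "edit", "delete"},
        "Opportunity": {"read"},
    },
}

# Constructed runtime observations: what the app did over a representative window.
OBSERVED = [("Lead", "read"), ("Lead", "create"), ("Contact", "read"), ("Lead", "read")]


def used_permissions(observed):
    """Collapse observed (sobject, operation) pairs into per-object sets."""
    used = defaultdict(set)
    for sobject, op in observed:
        used[sobject].add(op)
    return used


def least_privilege_findings(granted, observed):
    """Findings, with severity reflecting how much a stolen token gains from the excess."""
    used = used_permissions(observed)
    findings = []
    if "full" in granted["oauth_scopes"]:
        findings.append(("high", "oauth scope 'full' granted; the token can reach every API the user can"))
    for sobject, perms in sorted(granted["object_permissions"].items()):
        unused = perms - used.get(sobject, set())
        if sobject not in used:
            findings.append(("medium", f"{sobject}: never accessed at runtime, drop {sorted(perms)}"))
        elif unused:
            findings.append(("low", f"{sobject}: unused permissions {sorted(unused)}"))
    return findings


def minimal_manifest(granted, observed):
    """The grant reduced to what runtime shows the app needs, with 'full' removed."""
    used = used_permissions(observed)
    return {
        "app": granted["app"],
        "oauth_scopes": [s for s in granted["oauth_scopes"] if s != "full"],
        "object_permissions": {obj: set(ops) for obj, ops in used.items()},
    }


def gate(findings, fail_on=("high", "medium")):
    """True when the build may proceed; high and medium findings block it."""
    return not any(sev in fail_on for sev, _ in findings)


if __name__ == "__main__":
    found = least_privilege_findings(GRANTED, OBSERVED)
    for sev, msg in found:
        print(sev, msg)
    print("gate:", "pass" if gate(found) else "fail")
    print("proposed grant:", minimal_manifest(GRANTED, OBSERVED))
```

With these inputs the gate fails on the full scope and on the two objects the app never touched, and minimal_manifest hands the reviewer a concrete reduced grant to propose. The obvious caveat is coverage: the observation window must be long enough to include infrequent but legitimate operations (a monthly reconciliation job, for instance), or the gate will cut a permission the integration genuinely needs.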

Figure: Shift left, powered by runtime: Upwind identifies API risks and sensitive data exposure before deployment, using real-world runtime insights rather than static scans alone.

Consolidated Cloud-Native Protection

Finally, API security does not exist in isolation. Consolidating security functions, including API protection, GenAI security, and cloud security posture management (CSPM), into one framework reduces alert fatigue and improves detection accuracy through correlation: a token anomaly, a sensitive-data flow, and a posture finding on the same workload are far more telling together than apart. That holistic view gives security teams the context to recognize and respond to complex, multi-vector attacks.

Figure: The Upwind dashboard unifies the entire cloud environment, integrating APIs and shift-left deployments.

Strategic Implications for Defenders

The Salesloft-Drift breach will not be the last of its kind; it is a preview of the API-focused attack landscape now emerging. As SaaS integrations grow more complex and their permissions more expansive, the grey zone will only widen.

With more than 23.8 million secrets detected in public commits in 2024 alone (GitGuardian’s 2025 State of Secrets Sprawl report), the attack surface is expanding faster than traditional security approaches can adapt. Organizations need a fundamentally different approach to API security, one that provides transparency, accountability, and protection before, during, and after deployment.

Upwind changes the security equation by making APIs transparent and their usage accountable. The Upwind platform does more than flag that something has gone wrong; it supplies the context, correlation, and insight needed to catch token misuse like the Salesloft breach early and to limit what a stolen token can reach.

The New Standard for API Protection

The Salesloft-Drift incident demonstrates how attackers can weaponize legitimate tokens and API trust pathways to conduct stealthy, large-scale data theft. With secrets exposure growing and SaaS ecosystems expanding, this type of threat will only accelerate.

Defending against it requires a security model that:

  • Extends visibility into runtime API behavior.
  • Identifies and classifies sensitive data in motion.
  • Detects misuse that blends into normal activity.
  • Brings runtime insights into development pipelines to catch risks earlier.

Traditional perimeter defenses are not sufficient. APIs are now a critical gateway to cloud applications and enterprise data, and attackers are already exploiting the grey zone where trust and misuse converge.

Learn how Upwind’s comprehensive API security platform can protect your organization by booking a customized demo with us today.