Incident Types: The types of cybersecurity incidents that have occurred include Breach and Ransomware.

Total Financial Loss: The total financial loss from these incidents is estimated to be $0.

Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with google threat intelligence group (gtig), and containment measures with revoked all active oauth access and refresh tokens, containment measures with removed drift app from salesforce appexchange, and remediation measures with re-authentication of drift-salesforce connections, remediation measures with review of salesforce objects for sensitive data, remediation measures with revocation of api keys, remediation measures with credential rotation, and communication strategy with direct notifications to affected customers, communication strategy with public advisories from salesloft and gtig, communication strategy with indicators of compromise (iocs) shared with admins, and enhanced monitoring with advisory to monitor salesforce objects for malicious activity, and incident response plan activated with yes (with assistance from google’s mandiant), and third party assistance with google’s mandiant (incident response unit), and containment measures with isolation of compromised github account, containment measures with revocation of stolen tokens, containment measures with restoration of salesforce integration, and recovery measures with salesforce integration restored (as of august 2024), and communication strategy with public disclosure via data breach page, communication strategy with media statements, and and third party assistance with cybersecurity firms (e.g., cloudflare, palo alto networks), third party assistance with legal counsel, third party assistance with forensic investigators, and containment measures with oauth token revocation, containment measures with disabling compromised integrations, containment measures with isolating affected systems, and remediation measures with token lifecycle management enhancements, remediation measures with zero-trust access controls for third-party integrations, remediation measures with expanded monitoring of oauth activity, and recovery measures with restoration of affected salesforce instances, recovery measures with customer notification and support, recovery measures with legal hold procedures for ediscovery, and communication strategy with public disclosure (via haystackid/complexdiscovery), communication strategy with customer advisories, communication strategy with regulatory notifications, and network segmentation with isolation of compromised saas integrations, and enhanced monitoring with real-time oauth token activity monitoring, enhanced monitoring with anomalous api call detection, and incident response plan activated with forensic investigations, incident response plan activated with customer notifications, incident response plan activated with integration audits, and third party assistance with likely (not specified), and containment measures with token revocation, containment measures with access restrictions, containment measures with ip allow-listing (okta), and remediation measures with credential rotation, remediation measures with integration lifecycle reviews, remediation measures with security control enhancements, and recovery measures with system restorations, recovery measures with customer trust rebuilding, and communication strategy with public disclosures, communication strategy with customer advisories, communication strategy with transparency reports, and network segmentation with recommended for ai applications, and enhanced monitoring with ai behavior baselining, enhanced monitoring with anomaly detection for data access patterns, and remediation measures with enforcing api permission controls, remediation measures with auditing third-party integrations, remediation measures with multi-factor authentication (mfa) enforcement, remediation measures with sanitizing development repositories, and and containment measures with domain seizure (breachforums.hn, tor site), containment measures with fbi/french authorities intervention, and incident response plan activated with partial (5,000 user credentials rotated, but nhi token overlooked), and and and containment measures with token revocation (post-incident), containment measures with token revocation (post-discovery of compromise), and and and and and and and and third party assistance with riskprofiler (ai-powered tprm solutions), and remediation measures with ai-powered third-party risk monitoring, remediation measures with autonomous attack path mapping, remediation measures with streamlined third-party risk questionnaires, remediation measures with real-time vendor portfolio breach detection, remediation measures with prioritized threat alerts for fast response, and communication strategy with advisories on proactive third-party risk management, communication strategy with mssp-focused mitigation guidance, and enhanced monitoring with continuous vendor security posture monitoring, enhanced monitoring with ai-driven anomaly detection..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Stolen OAuth tokens (Drift app integration with Salesforce), Salesloft GitHub Account, Compromised Salesloft GitHub Account (March–June 2025), Salesloft Internal GitHub Repository, Social Engineering (Vishing) → Malicious Salesforce Integrations, Compromised OAuth tokens (Drift-Salesforce integration)Exposed GitHub API token (public repository)Orphaned API token (Okta service account) and Salesloft compromise (token theft).

Average Financial Loss: The average financial loss per incident is $0.00.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credentials (Aws Access Keys, Passwords), Snowflake Access Tokens, Salesforce Object Data (Cases, Accounts, Users, Opportunities), Potential Gcp Service Account Keys, , Authentication Tokens (Oauth), Aws Access Keys, Passwords, Snowflake Access Tokens, Support Ticket Data, , Crm Data, Support Case Records, Credentials (Api Keys, Passwords), Business Communications, , Customer Conversation Logs, Contact Information, Api Credentials, Salesforce Data, , Crm Data (Customer Leads, Deal Details), Oauth Tokens, Credentials/Access Keys, Operational Confidential Information, , Corporate Files, Potentially Pii (Unspecified), , Crm Data (Salesforce), Aws Keys, Snowflake Tokens, Internal Source Code (270 Gb), Proprietary Data, Atlassian Suite Data (Jira, Confluence, Bitbucket), , Authentication Tokens (Salesforce Drift), Potential Cascading Data Exposure and .

Incident Response Plan: The company's incident response plan is described as Yes (with assistance from Google’s Mandiant), , Forensic Investigations, Customer Notifications, Integration Audits, , Partial (5,000 user credentials rotated, but NHI token overlooked), .

Third-Party Assistance: The company involves third-party assistance in incident response through Google Threat Intelligence Group (GTIG), , Google’s Mandiant (Incident Response Unit), , Cybersecurity Firms (e.g., Cloudflare, Palo Alto Networks), Legal Counsel, Forensic Investigators, , Likely (Not Specified), , , RiskProfiler (AI-powered TPRM solutions), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: re-authentication of Drift-Salesforce connections, review of Salesforce objects for sensitive data, revocation of API keys, credential rotation, , Token Lifecycle Management Enhancements, Zero-Trust Access Controls for Third-Party Integrations, Expanded Monitoring of OAuth Activity, , Credential Rotation, Integration Lifecycle Reviews, Security Control Enhancements, , Enforcing API Permission Controls, Auditing Third-Party Integrations, Multi-Factor Authentication (MFA) Enforcement, Sanitizing Development Repositories, , , AI-powered third-party risk monitoring, autonomous attack path mapping, streamlined third-party risk questionnaires, real-time vendor portfolio breach detection, prioritized threat alerts for fast response, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by revoked all active oauth access and refresh tokens, removed drift app from salesforce appexchange, , isolation of compromised github account, revocation of stolen tokens, restoration of salesforce integration, , oauth token revocation, disabling compromised integrations, isolating affected systems, , token revocation, access restrictions, ip allow-listing (okta), , domain seizure (breachforums.hn, tor site), fbi/french authorities intervention, , token revocation (post-incident), token revocation (post-discovery of compromise) and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Salesforce Integration Restored (as of August 2024), , Restoration of Affected Salesforce Instances, Customer Notification and Support, Legal Hold Procedures for eDiscovery, , System Restorations, Customer Trust Rebuilding, , .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Class-Action Lawsuits (e.g., against Salesforce), Regulatory Investigations (Expected), , Expected (Not Yet Filed), , domain seizures by FBI/French authorities, , None, None, None, .

Key Lessons Learned: The key lessons learned from past incidents are Timely detection of reconnaissance activities is critical (6-month delay in this case).,OAuth token security and rotation policies require stricter controls.,GitHub account security (e.g., MFA, access reviews) must be prioritized to prevent supply chain risks.,Third-party integrations (e.g., Salesforce) can amplify breach impact; segmentation and monitoring are essential.OAuth tokens require the same security rigor as passwords, including MFA and regular rotation.,Third-party integration security must be elevated to a board-level priority with dedicated oversight.,Supply chain risks extend beyond direct vendors to fourth/fifth-party SaaS ecosystems.,Anti-forensics techniques (e.g., log deletion) can delay detection, necessitating enhanced monitoring.,Data shared via external platforms (e.g., chatbots) may contain sensitive information requiring classification and protection.,eDiscovery preparedness must account for multi-platform, cross-jurisdictional breach responses.AI integrations expand attack surfaces beyond traditional perimeters,Trust-based architectures create detection blind spots for AI-powered exfiltration,Authentication tokens for AI systems must be treated as crown jewels,IP allow-listing and geographic restrictions are critical for high-privilege AI tokens,Integration lifecycle management is essential to prevent stale credential exposure,AI behavior baselining is necessary to detect anomalous data access patterns,Third-party AI vendors introduce supply chain risks that require defense-in-depthSocial engineering (vishing) remains a critical attack vector for initial access.,Over-permissive API/OAuth tokens create extensive lateral movement risks.,Third-party integrations (e.g., Salesloft, Drift) expand attack surfaces in SaaS ecosystems.,Credential hygiene (e.g., GitHub repositories) is a persistent weak point.,RaaS models enable scalable extortion campaigns with lower technical barriers.Cybercriminal forums remain resilient despite law enforcement takedowns, adapting to alternative platforms (e.g., Telegram).,Destruction of database backups can disrupt cybercriminal operations but may not fully deter them.,Collaboration between international law enforcement (FBI/French authorities) is critical for disrupting cybercriminal infrastructure.,Companies must assume leaked data will be exploited even if initial leak attempts are thwarted.Non-human identities (NHIs) such as OAuth tokens, API keys, and service accounts are high-value targets for attackers due to their broad privileges and lack of oversight. Organizations must extend identity security controls to include NHIs, not just human users.,Publicly exposed API tokens can act as unguarded backdoors, granting attackers direct access to sensitive systems without needing to bypass interactive login protections. Token hygiene (e.g., avoiding public exposure, enforcing least privilege) is critical.,Orphaned or unrotated service credentials can undermine incident response efforts. Even after rotating human credentials, overlooked NHIs can provide attackers with persistent access. Comprehensive credential rotation must include all identities—human and non-human.,Dynamic SaaS Security Platforms are essential for discovering, monitoring, and securing NHIs. Traditional identity controls are insufficient for the scale and complexity of machine identities in modern SaaS environments.Supply chain breaches can cascade rapidly across interconnected systems.,Manual vendor risk assessments are insufficient for modern threat landscapes.,AI-powered continuous monitoring is critical for detecting shadow IT and third-party exposures.,MSSPs must prioritize extended vendor relationship oversight beyond immediate suppliers.,Proactive threat visibility and autonomous remediation are key to mitigating third-party risks.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: The Register, and Source: Google Threat Intelligence Group (GTIG) Advisory, and Source: Salesloft Advisory, and Source: TechCrunchUrl: https://techcrunch.comDate Accessed: 2024-09-01T00:00:00Z, and Source: Salesloft Data Breach PageDate Accessed: 2024-08-26T00:00:00Z, and Source: Google Threat Intelligence Group (Mandiant)Date Accessed: 2024-08-01T00:00:00Z, and Source: DataBreaches.netUrl: https://www.databreaches.netDate Accessed: 2024-08-30T00:00:00Z, and Source: Bleeping ComputerUrl: https://www.bleepingcomputer.comDate Accessed: 2024-08-28T00:00:00Z, and Source: HaystackID/ComplexDiscovery OÜDate Accessed: 2025, and Source: Incident Analysis Report (Hypothetical), and Source: Cybersecurity Article (Title Not Provided), and Source: BleepingComputer, and Source: CyberInsider, and Source: TechRadarUrl: https://www.techradar.com, and Source: Reco Blog: 'The Hidden Risk of Non-Human Identities in SaaS', and Source: Author: Gal Nakash (CPO and Cofounder, Reco), and Source: RiskProfiler Guest Blog, and Source: IBM Cost of a Data Breach Report 2025.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Direct Notifications To Affected Customers, Public Advisories From Salesloft And Gtig, Indicators Of Compromise (Iocs) Shared With Admins, Public Disclosure Via Data Breach Page, Media Statements, Public Disclosure (Via Haystackid/Complexdiscovery), Customer Advisories, Regulatory Notifications, Public Disclosures, Customer Advisories, Transparency Reports, Advisories On Proactive Third-Party Risk Management and Mssp-Focused Mitigation Guidance.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Direct Notifications To Affected Customers, Public Advisories With Iocs, Urged To Treat Salesforce Data As Compromised If Using Drift Integration, Recommended Immediate Remediation Steps, , Public Disclosure Via Salesloft’S Breach Page; Likely Private Notifications To Affected Customers (E.G., Bugcrowd, Cloudflare)., Customers Advised To Rotate Credentials, Review Salesforce Access Logs, And Monitor For Unauthorized Activity., , Customer Notifications Issued, Regulatory Disclosures In Progress, Legal Counsel Engaged For Litigation Preparedness, Guidance On Password/Token Rotation, Recommendations For Monitoring Suspicious Activity, Support For Affected Crm Data, , Customer Notifications Issued, Industry-Wide Alerts Recommended, Security Bulletins, Remediation Guidance, Compromised Data Notifications, , Mssps Urged To Adopt Proactive Third-Party Risk Strategies, Organizations Advised To Audit Third-Party Integrations And Token Security and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Google Threat Intelligence Group (Gtig), , Advisory To Monitor Salesforce Objects For Malicious Activity, , Google’S Mandiant (Incident Response Unit), , Cybersecurity Firms (E.G., Cloudflare, Palo Alto Networks), Legal Counsel, Forensic Investigators, , Real-Time Oauth Token Activity Monitoring, Anomalous Api Call Detection, , Likely (Not Specified), , Ai Behavior Baselining, Anomaly Detection For Data Access Patterns, , , , Riskprofiler (Ai-Powered Tprm Solutions), , Continuous Vendor Security Posture Monitoring, Ai-Driven Anomaly Detection, .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Token Revocation, App Removal From Marketplace, Enhanced Customer Guidance On Credential Hygiene, , Enhanced Logging And Alerting For Github Actions (E.G., User Additions, Workflow Changes)., Implementation Of Token Expiration Policies And Real-Time Revocation Capabilities., Third-Party Security Audits For Cloud And Integration Environments., Customer Notification Protocols For Supply Chain Incidents., , Mandate **Mfa For All Oauth Token Usage** And Treat Tokens As High-Value Credentials., Implement **Real-Time Monitoring** For Anomalous Oauth/Api Activity With Automated Alerts., Enforce **Least-Privilege Access** For Third-Party Integrations, Regularly Auditing Permission Scopes., Develop **Dedicated Supply Chain Risk Management Programs** For Saas Ecosystems., Enhance **Log Retention And Anti-Tampering Controls** To Prevent Evidence Destruction., Establish **Cross-Vendor Incident Response Playbooks** For Coordinated Breach Handling., Integrate **Information Governance** With Cybersecurity To Classify And Protect Data In Shared Environments., Conduct **Regular Red-Team Exercises** Targeting Third-Party Integration Attack Surfaces., , Mandatory Ip Allow-Listing For All Integration Tokens, Implementation Of Just-In-Time Access For Ai Systems, Enhanced Credential Rotation Policies With Automated Enforcement, Ai-Specific Anomaly Detection For Data Access Patterns, Supply Chain Security Reviews For All Ai Vendors, Integration Lifecycle Management Automation, Zero-Trust Architecture Adoption For Ai Ecosystems, Reduced Token Permissions To Least-Privilege For Ai Integrations, , Mandatory Mfa For All Saas And Cloud Access., Automated Credential Scanning In Code Repositories., Reduced Oauth Token Permissions And Scope., Enhanced Behavioral Analytics For Api/Oauth Usage., Employee Training On Social Engineering Tactics., , Strengthen Vendor Security Assessments For Platforms Handling Sensitive Data., Improve International Coordination For Takedowns Of Cybercriminal Infrastructure., Develop Strategies To Mitigate Data Leaks Even After Initial Disruption Of Threat Actor Operations., , Adopt A **Dynamic Saas Security Platform** To Automate Discovery, Monitoring, And Remediation Of Nhis., Implement **Least Privilege Enforcement** For All Nhis, Auditing And Restricting Access Scopes To The Minimum Required., Deploy **Real-Time Anomaly Detection** For Nhi Behavior, With Automated Responses To Suspicious Activity (E.G., Token Revocation)., Establish **Automated Credential Rotation** For Nhis, Ensuring Tokens And Keys Are Regularly Refreshed And Unused Credentials Are Disabled., Conduct **Comprehensive Nhi Inventories** Across All Saas Applications, Classifying Identities By Type And Risk Level., Integrate **Nhi Security Into Iam Strategies**, Treating Machine Identities With The Same Rigor As Human Accounts., Enforce **Compensating Controls** For Nhis (E.G., Ip Restrictions, Session Monitoring) Where Mfa Is Not Applicable., Educate Security And Devops Teams On The Risks Of Nhis And The Importance Of Token Hygiene (E.G., Avoiding Hardcoding, Public Exposure)., , Deploy Ai-Driven Tprm Solutions For Continuous Monitoring., Implement Autonomous Vendor Risk Questionnaires With Real-Time Updates., Map And Secure All Attack Paths In The Supply Chain Ecosystem., Enhance Token Security And Third-Party Access Controls., Adopt Peer Benchmarking To Identify Vendor Compliance Gaps., .

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was Yes (Extortion via Tor Leak Site).

Last Attacking Group: The attacking group in the last incident were an UNC6395 (for Salesloft Drift incidents)ShinyHunters (UNC6240) (for separate Salesforce incidents), UNC6395 (per Google Threat Intelligence Group)ShinyHunters (alleged), UNC6395GRUB1 (Cloudflare designation), Scattered Lapsus$ Hunters (fusion of ShinyHunters, Scattered Spider, and Lapsus$), Scattered Lapsus$ Hunters and .

Most Recent Incident Detected: The most recent incident detected was on 2024-08-01T00:00:00Z.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-10-03.

Most Recent Incident Resolved: The most recent incident resolved was on 2024-08-26T00:00:00Z.

Highest Financial Loss: The highest financial loss from an incident was [None, None, None].

Most Significant Data Compromised: The most significant data compromised in an incident were Salesforce objects (cases, accounts, users, opportunities), AWS access keys, passwords, Snowflake-related access tokens, potential Google Cloud Platform service account keys, , Authentication Tokens (OAuth), AWS Access Keys, Passwords, Snowflake-Related Tokens, Support Ticket Data (via Salesforce), , Customer Relationship Management (CRM) Data, Support Case Information, Sensitive Credentials (API keys, passwords), Business Communications, , Customer Conversation Data, Contact Information, Authentication Tokens (Including OpenAI API Credentials), Salesforce Instance Data, , Customer Leads, Deal Details, Confidential Operational Information, OAuth Tokens, Third-Party Integration Data, , , Salesforce CRM data (including AWS keys and Snowflake tokens from support case attachments), 270 GB of internal source code and data, Access to Cloudflare's Atlassian suite (Jira, Confluence, Bitbucket), , authentication tokens (Salesforce Drift), potential customer data (via cascading breaches) and .

Most Significant System Affected: The most significant system affected in an incident were Salesforce databases (via Drift integration)Drift app and Salesloft GitHub AccountSalesloft AWS Cloud EnvironmentDrift’s AI/Chatbot PlatformCustomer Salesforce Instances (e.g., Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, Tenable) and Salesforce Instances (700+ organizations)Drift Chatbot IntegrationGitHub Account (initial compromise) and Salesloft GitHub RepositoriesDrift Cloud ApplicationConnected Salesforce InstancesOpenAI API Integrations and Salesforce EnvironmentsSalesloft (Sales Engagement Platform)Drift AI ChatbotGitHub RepositoriesAWS Cloud Environments and Salesforce CRM (via Drift integration)GitHub (New York Times' cloud code repository)Atlassian Suite (Jira, Confluence, Bitbucket) and SalesforceCloudflaremultiple unnamed enterprises.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was google threat intelligence group (gtig), , google’s mandiant (incident response unit), , cybersecurity firms (e.g., cloudflare, palo alto networks), legal counsel, forensic investigators, , likely (not specified), , , riskprofiler (ai-powered tprm solutions), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were revoked all active OAuth access and refresh tokensremoved Drift app from Salesforce AppExchange, Isolation of Compromised GitHub AccountRevocation of Stolen TokensRestoration of Salesforce Integration, OAuth Token RevocationDisabling Compromised IntegrationsIsolating Affected Systems, Token RevocationAccess RestrictionsIP Allow-Listing (Okta), domain seizure (breachforums.hn, Tor site)FBI/French authorities intervention and Token revocation (post-incident)Token revocation (post-discovery of compromise).

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Access to Cloudflare's Atlassian suite (Jira, Confluence, Bitbucket), Deal Details, passwords, authentication tokens (Salesforce Drift), Contact Information, Customer Conversation Data, Third-Party Integration Data, Business Communications, Salesforce objects (cases, accounts, users, opportunities), AWS access keys, Customer Leads, Passwords, 270 GB of internal source code and data, Authentication Tokens (Including OpenAI API Credentials), Sensitive Credentials (API keys, passwords), potential customer data (via cascading breaches), Customer Relationship Management (CRM) Data, Support Case Information, potential Google Cloud Platform service account keys, Confidential Operational Information, OAuth Tokens, AWS Access Keys, Salesforce CRM data (including AWS keys and Snowflake tokens from support case attachments), Support Ticket Data (via Salesforce), Snowflake-Related Tokens, Snowflake-related access tokens, Salesforce Instance Data and Authentication Tokens (OAuth).

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 0.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was [None, None, None].

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Class-Action Lawsuits (e.g., against Salesforce), Regulatory Investigations (Expected), , Expected (Not Yet Filed), , domain seizures by FBI/French authorities, , None, None, None, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Proactive threat visibility and autonomous remediation are key to mitigating third-party risks.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Integrate threat intelligence tools to map attack paths and prioritize containment., Implement **unified visibility** of all non-human identities (OAuth apps, API keys, service accounts, bots) across SaaS applications using automated discovery tools., Educate teams on the risks of NHIs and integrate NHI security into broader **identity and access management (IAM)** strategies., Automate vendor risk questionnaires with dynamic updates for real-time compliance., Revoke and rotate compromised API keys and credentials, Law enforcement should prioritize tracking Scattered Lapsus$ Hunters' new communication channels (e.g., Telegram)., Adopt zero-trust principles for AI system authentications, Automate **credential rotation and expiration** for all NHIs. Use platforms that detect stale tokens, rotate secrets regularly, and disable unused credentials., Adopt zero-trust principles for SaaS and cloud environments., Maintain a **real-time inventory** of third-party integrations, especially those connected via user consent (OAuth), and verify their legitimacy and security posture., Invest in **automated anomaly detection** for OAuth token usage and API activity., Enforce geographic restrictions on API access, Adopt agentic AI for contextual learning and adaptive risk scoring., Conduct thorough investigations for signs of lateral movement or further compromise, Store high-privilege credentials in encrypted vaults or HSMs, Adopt **zero-trust access controls** for all third-party integrations, treating them as untrusted by default., Rotate OAuth tokens and API keys automatically with short lifespans, Enforce MFA for all critical systems, including third-party integrations., Prepare incident response plans for data leaks originating from cybercriminal forums., Conduct **regular audits** of NHI permissions and usage context. Classify NHIs by type (e.g., integrations, AI assistants, RPA bots) to tailor risk controls appropriately., Enhance incident response coordination with customers in supply chain scenarios to mitigate downstream impacts., Replace manual Excel-based assessments with autonomous, real-time systems., Integrate **information governance** with cybersecurity to classify and protect data in SaaS environments., Educate employees on vishing and social engineering tactics., Implement IP allow-listing for all AI integration tokens, Use time-based access windows for sensitive integrations, Train employees on **secure data-sharing practices** via external platforms (e.g., chatbots, support tools)., Adopt zero-trust principles for third-party integrations (e.g., Salesforce, AWS)., Conduct **regular audits** of third-party integrations and their permission scopes., Audit integration lifecycles to deactivate unused or former vendor connections, Implement strict API/OAuth permission controls and regular audits., Conduct regular red-team exercises to test detection capabilities for reconnaissance and lateral movement., Enhance third-party risk management for vendors like Salesloft/Salesforce., Enable continuous monitoring of vendor security postures, including multi-tier suppliers., Monitor for unauthorized access or abuse of stolen secrets, Expand **third-party risk assessments** to include fourth/fifth-party SaaS dependencies., Conduct red-team exercises specifically targeting AI integration pathways, Benchmark vendor security against industry peers to identify gaps., Implement continuous monitoring for GitHub and cloud environments to detect anomalous activities (e.g., guest user additions, workflow changes)., Enhance OAuth token security and third-party app integrations, Enforce least-privilege access and regular token rotation for OAuth and API integrations., Disable **orphaned or ghost NHIs** (credentials not tied to active workflows or users), as these are prime targets for attackers., Apply **compensating controls** for NHIs where MFA is not feasible (e.g., IP restrictions, scoped access, session monitoring)., Establish **pre-negotiated breach response protocols** with vendors, including liability frameworks., Enhance **legal hold procedures** for multi-tenant cloud environments to ensure evidence integrity., Monitor for unusual AI data consumption patterns (spikes, off-hours, unusual sources), Monitor for anomalous OAuth token usage and lateral movement., Leverage **Dynamic SaaS Security Platforms** (e.g., Reco) to automate detection, response, and remediation for NHI-related risks, including token revocation and integration quarantine., Develop **cross-platform visibility tools** to track data flows across interconnected systems., Segment networks to limit blast radius from compromised integrations., Review Salesforce objects for sensitive data and secrets, Treat AI vendors as part of your critical supply chain with corresponding security reviews, Enforce **least privilege** for NHIs by auditing and restricting overly permissive access scopes. Ensure integrations and tokens can only access the data they explicitly require., Monitor dark web/Telegram channels for leaked data related to the breach., Monitor hidden dependencies (subsidiaries, partners) to prevent cascading disruptions., Implement AI-powered third-party risk management (TPRM) platforms (e.g., RiskProfiler)., Deploy **continuous anomaly monitoring** to detect deviations in NHI behavior (e.g., unusual access times, data volumes, or locations). Baseline normal activity and flag anomalies in real time., Segment networks processing sensitive data via AI applications, Sanitize development repositories to remove hardcoded credentials., Implement **strict OAuth token lifecycle management** (rotation, scoped permissions and real-time monitoring)..

Most Recent Source: The most recent source of information about an incident are TechCrunch, The Register, Google Threat Intelligence Group (Mandiant), HaystackID/ComplexDiscovery OÜ, Author: Gal Nakash (CPO and Cofounder, Reco), Bleeping Computer, DataBreaches.net, Cybersecurity Article (Title Not Provided), Incident Analysis Report (Hypothetical), Salesloft Advisory, BleepingComputer, TechRadar, Reco Blog: 'The Hidden Risk of Non-Human Identities in SaaS', Google Threat Intelligence Group (GTIG) Advisory, Salesloft Data Breach Page, RiskProfiler Guest Blog, IBM Cost of a Data Breach Report 2025 and CyberInsider.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://techcrunch.com, https://www.databreaches.net, https://www.bleepingcomputer.com, https://www.techradar.com .

Current Status of Most Recent Investigation: The current status of the most recent investigation is ongoing (Drift app remains off Salesforce AppExchange pending security assurance).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Direct notifications to affected customers, Public advisories with IOCs, Public disclosure via Salesloft’s breach page; likely private notifications to affected customers (e.g., Bugcrowd, Cloudflare)., Customer Notifications Issued, Regulatory Disclosures in Progress, Legal Counsel Engaged for Litigation Preparedness, Customer Notifications Issued, Industry-Wide Alerts Recommended, MSSPs urged to adopt proactive third-party risk strategies, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Urged to treat Salesforce data as compromised if using Drift integrationRecommended immediate remediation steps, Customers advised to rotate credentials, review Salesforce access logs, and monitor for unauthorized activity., Guidance on Password/Token RotationRecommendations for Monitoring Suspicious ActivitySupport for Affected CRM Data, Security BulletinsRemediation GuidanceCompromised Data Notifications, and Organizations advised to audit third-party integrations and token security.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Salesloft Internal GitHub Repository, Salesloft compromise (token theft), Stolen OAuth tokens (Drift app integration with Salesforce), Social Engineering (Vishing) → Malicious Salesforce Integrations, Salesloft GitHub Account and Compromised Salesloft GitHub Account (March–June 2025).

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was March 2024 – June 2024 (3 months), March 2025 – August 2025 (5+ months), March-June 2025 (3-4 Months), Late 2024 (Initial Access) to August 2025 (Mass Exfiltration), .

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Insecure OAuth token management in Drift-Salesforce integrationPotential lack of monitoring for anomalous token usage, Inadequate monitoring of GitHub account activities (e.g., guest user additions, repository access).Delayed detection of reconnaissance (March–June 2024).Over-reliance on OAuth tokens without sufficient safeguards (e.g., short-lived tokens, anomaly detection).Lack of segmentation between Salesloft’s GitHub/AWS and customer environments (e.g., Salesforce)., Inadequate protection of GitHub credentials leading to initial compromise.Lack of MFA enforcement for OAuth tokens, allowing bypass of authentication controls.Insufficient monitoring of third-party integration activity (e.g., Drift-Salesforce OAuth flows).Over-permissioned OAuth tokens with excessive data access scopes.Delayed detection due to anti-forensics techniques (log deletion).Gaps in cross-platform visibility for data flows in SaaS ecosystems., Insufficient protection of high-privilege credentials in GitHub repositoriesLack of IP restrictions on OAuth tokensOver-permissive API access for AI integrationsFailure to deactivate former customer (SpyCloud) credentialsDetection gaps for AI-powered data exfiltration patternsInadequate segmentation between AI systems and core business data, Successful vishing attacks due to lack of employee awareness.Storing credentials in GitHub repositories (poor hygiene).Over-permissive OAuth tokens enabling lateral movement.Inadequate monitoring of third-party integration activities., Exploitation of cybercriminal forums for data leaks and extortion.Lack of arrests allows threat actors to continue operations under new infrastructure.Insufficient protection of corporate data shared with third-party vendors (e.g., Salesloft/Salesforce)., Lack of visibility and oversight for non-human identities (OAuth tokens) with excessive privileges.Public exposure of a GitHub API token due to misconfiguration or lack of secret management.Incomplete incident response: human credentials were rotated, but non-human credentials (API tokens) were overlooked, leaving a backdoor open.Overprivileged NHIs: integrations and tokens had broader access than necessary, increasing the blast radius of compromises., Inadequate token security in Salesloft/Salesforce integrationLack of visibility into third-party/shadow IT integrationsManual, point-in-time vendor risk assessmentsFailure to monitor extended supply chain dependencies.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Token revocationApp removal from marketplaceEnhanced customer guidance on credential hygiene, Enhanced logging and alerting for GitHub actions (e.g., user additions, workflow changes).Implementation of token expiration policies and real-time revocation capabilities.Third-party security audits for cloud and integration environments.Customer notification protocols for supply chain incidents., Mandate **MFA for all OAuth token usage** and treat tokens as high-value credentials.Implement **real-time monitoring** for anomalous OAuth/API activity with automated alerts.Enforce **least-privilege access** for third-party integrations, regularly auditing permission scopes.Develop **dedicated supply chain risk management programs** for SaaS ecosystems.Enhance **log retention and anti-tampering controls** to prevent evidence destruction.Establish **cross-vendor incident response playbooks** for coordinated breach handling.Integrate **information governance** with cybersecurity to classify and protect data in shared environments.Conduct **regular red-team exercises** targeting third-party integration attack surfaces., Mandatory IP allow-listing for all integration tokensImplementation of just-in-time access for AI systemsEnhanced credential rotation policies with automated enforcementAI-specific anomaly detection for data access patternsSupply chain security reviews for all AI vendorsIntegration lifecycle management automationZero-trust architecture adoption for AI ecosystemsReduced token permissions to least-privilege for AI integrations, Mandatory MFA for all SaaS and cloud access.Automated credential scanning in code repositories.Reduced OAuth token permissions and scope.Enhanced behavioral analytics for API/OAuth usage.Employee training on social engineering tactics., Strengthen vendor security assessments for platforms handling sensitive data.Improve international coordination for takedowns of cybercriminal infrastructure.Develop strategies to mitigate data leaks even after initial disruption of threat actor operations., Adopt a **Dynamic SaaS Security Platform** to automate discovery, monitoring, and remediation of NHIs.Implement **least privilege enforcement** for all NHIs, auditing and restricting access scopes to the minimum required.Deploy **real-time anomaly detection** for NHI behavior, with automated responses to suspicious activity (e.g., token revocation).Establish **automated credential rotation** for NHIs, ensuring tokens and keys are regularly refreshed and unused credentials are disabled.Conduct **comprehensive NHI inventories** across all SaaS applications, classifying identities by type and risk level.Integrate **NHI security into IAM strategies**, treating machine identities with the same rigor as human accounts.Enforce **compensating controls** for NHIs (e.g., IP restrictions, session monitoring) where MFA is not applicable.Educate security and DevOps teams on the risks of NHIs and the importance of token hygiene (e.g., avoiding hardcoding, public exposure)., Deploy AI-driven TPRM solutions for continuous monitoring.Implement autonomous vendor risk questionnaires with real-time updates.Map and secure all attack paths in the supply chain ecosystem.Enhance token security and third-party access controls.Adopt peer benchmarking to identify vendor compliance gaps..