In August 2025, a series of data thefts came to light in which attackers accessed Salesforce customer data. Google and Cloudflare were among those affected.
The attackers used indirect routes via the extended partner and integration ecosystem, i.e., via third-party applications and human vulnerabilities. Using stolen OAuth tokens from the Salesloft Drift chatbot application, which was connected to Salesforce, the attackers were able to pose as a legitimate application and gain access to numerous customer instances.
Within minutes, the attackers ran exports and manually initiated queries via the Salesforce Bulk API. The extracted records contained customer data, support tickets, and in some cases confidential content from text fields. The attackers then searched the captured records specifically for credentials, such as AWS keys or Snowflake tokens. According to Cloudflare, over 104 of its own API tokens were found in plain text in compromised support cases and were immediately reset.
The incident highlights how vulnerable complex SaaS environments can be to attacks. OAuth integrations often come with overly broad permissions and permanently valid tokens that allow undetected access over long periods of time. Combined with overprivileged app rights, a lack of monitoring, and sensitive information such as API keys or passwords in support cases, this creates a significant security risk.
Companies should therefore implement consistent identity and access management, regularly check OAuth integrations, limit permissions to the bare minimum, and never store confidential data in support or ticket systems.
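The last recommendation can be checked mechanically. The following is an added example, not code from the incident reports or from any vendor named above: it scans support-case text fields for plaintext credentials, lists the hits as a rotation worklist, and redacts the values. The detection rules, the dict layout of a case, and the sample records are assumptions constructed for illustration.

```python
import re

# Illustrative rules (assumptions, not exhaustive); group 1 is the secret value.
RULES = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "labelled_secret": re.compile(
        r"(?i)\b(?:api[_-]?(?:key|token)|token|secret|password)\s*[:=]\s*"
        r"['\"]?([^\s'\",;]{8,})"),
}

def find_secrets(text):
    """Return sorted, non-overlapping (start, end, rule) spans of secret values."""
    spans = sorted((m.start(1), m.end(1), rule)
                   for rule, rx in RULES.items() for m in rx.finditer(text))
    merged = []
    for start, end, rule in spans:
        if merged and start < merged[-1][1]:  # overlap: widen the earlier span
            prev = merged[-1]
            merged[-1] = (prev[0], max(prev[1], end), prev[2])
        else:
            merged.append((start, end, rule))
    return merged

def redact(text):
    """Replace each secret value with a marker naming the rule that matched."""
    out, pos = [], 0
    for start, end, rule in find_secrets(text):
        out += [text[pos:start], f"[REDACTED:{rule}]"]
        pos = end
    return "".join(out + [text[pos:]])

def audit_cases(cases, fields=("Subject", "Description")):
    """Return (case_id, field, rule) per hit, as a worklist for key rotation."""
    return [(c["Id"], f, rule) for c in cases for f in fields
            for _, _, rule in find_secrets(c.get(f) or "")]

# Constructed sample records; the AWS key is AWS's published documentation example.
SAMPLE_CASES = [
    {"Id": "CASE-001", "Description": "Job uses AKIAIOSFODNN7EXAMPLE, still gets 403."},
    {"Id": "CASE-002", "Description": "curl fails with api_token=EXAMPLEtoken0123456789"},
    {"Id": "CASE-003", "Subject": "Billing", "Description": "Please resend the invoice."},
]

if __name__ == "__main__":
    for case_id, field, rule in audit_cases(SAMPLE_CASES):
        print(case_id, field, rule)
    print(redact(SAMPLE_CASES[0]["Description"]))
```

Redaction only limits future exposure: any credential the audit finds has already been stored in plain text and should be reset, as Cloudflare did with its tokens.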