
A global enterprise integrates Salesforce CRM with third-party platforms (e.g., Drift, Salesloft). Attackers compromise the integration and steal OAuth/refresh tokens, replaying them to exfiltrate sensitive CRM data (contacts, licensing info, support cases). While core systems remain intact, the enterprise faces regulatory risk, reputational harm, and costly remediation.
In 2025, this exact scenario played out across the industry:
- Palo Alto Networks & Zscaler: Exposed CRM data including business contacts, licensing, and support cases.
- Qualys: Breach exposed support case records and business contact details.
- Tenable: Breach exposed case subject lines, descriptions, and customer contacts.
- Cloudflare, Proofpoint, CyberArk and others: Also impacted in the same campaign.
More than 700 organizations were affected globally due to the theft of long-lived OAuth and refresh tokens in the Salesloft Drift-to-Salesforce supply chain compromise. With MTE, SaaS supply chain breaches become cryptographic dead ends. Learn more in our Use Case below: