The Looming Threat of “Authorization Sprawl”: How the Salesloft Breach Signals a New Era of Cyberattacks
Over 5,000 companies trusted Salesloft with their customer interaction data. Now, many are scrambling to invalidate stolen authentication tokens after a massive breach exposed not just Salesforce access, but credentials for hundreds of integrated services – from Slack and Google Workspace to Amazon S3 and OpenAI. This isn’t a typical data breach; it’s a stark warning about the escalating risks of “authorization sprawl” and a glimpse into how future cyberattacks will bypass traditional defenses.
Beyond Salesforce: The Ripple Effect of Stolen Tokens
The initial alert from Salesloft on August 20th focused on a security issue within the Drift application, its AI chatbot. However, the true scope of the compromise, revealed by Google’s Threat Intelligence Group (GTIG), is far more alarming. Hackers, tracked as UNC6395, didn’t just gain access to Salesforce data; they pilfered valid authentication tokens allowing access to a vast ecosystem of connected services. This means attackers could potentially pivot from a compromised Salesloft account to access sensitive data stored in cloud environments, email accounts, and critical business applications.
Google’s investigation revealed data exfiltration began as early as August 8, 2025, and continued for over two weeks. The attackers are actively searching for valuable credentials like AWS keys, VPN access, and Snowflake logins – essentially looking for the keys to the kingdom within the stolen data. Salesforce has since blocked Drift integrations, but the damage is already done, and the potential for further compromise remains high.
The Rise of “Authorization Sprawl” and the Changing Attack Surface
Joshua Wright, a senior technical director at Counter Hack, coined the term “authorization sprawl” to describe this very scenario. It highlights how modern IT environments, reliant on single sign-on (SSO) and integrated authentication, create a complex web of permissions. Attackers are no longer focused on breaking *into* systems; they’re exploiting existing, legitimate access to move laterally and escalate privileges. As Wright explains, attackers are leveraging the resources already available to authorized users, making their activity harder to detect.
This shift represents a fundamental change in the attack surface. Traditional security measures – firewalls, intrusion detection systems – are less effective when attackers are operating *within* the boundaries of authorized access. The Salesloft breach isn’t about a vulnerability in Salesforce itself; it’s about the vulnerabilities inherent in a highly interconnected, permission-rich environment.
Who is Behind the Attacks? A Murky Landscape of Threat Actors
Attribution remains a challenge. While the GTIG has identified the attackers as UNC6395, links to groups like ShinyHunters and Scattered Spider are emerging. ShinyHunters, known for data breaches and extortion, has a history dating back to 2020 and has claimed responsibility for exposing hundreds of millions of records. Scattered Spider, similarly, employs social engineering tactics to gain access to cloud platforms. The recent emergence of a Telegram channel, “Scattered LAPSUS$ Hunters 4.0,” claiming responsibility for the Salesloft hack, further complicates the picture, though Google’s Austin Larsen cautions against taking these claims at face value.
The overlap in tactics, techniques, and procedures (TTPs) between these groups suggests potential collaboration or shared resources. The proliferation of threat actors operating in online cybercrime communities, like those found on Telegram and Discord, makes attribution increasingly difficult and underscores the need for constant vigilance.
The Voice Phishing Connection: A Precursor to the Salesloft Breach
The Salesloft incident isn’t isolated. It follows a broader trend of social engineering attacks, particularly voice phishing (vishing), used to trick employees into connecting malicious apps to Salesforce portals. Companies like Adidas, Allianz Life, and Qantas have already been victims of these attacks, highlighting the effectiveness of this approach. Vishing campaigns exploit human trust and often serve as the initial access point for more sophisticated attacks like the one targeting Salesloft.
What Does This Mean for the Future of Cybersecurity?
The Salesloft breach is a wake-up call. Organizations need to move beyond perimeter-based security and embrace a zero-trust approach, verifying every user and device before granting access to resources. Specifically, companies should:
- Immediately invalidate all Salesloft integrations: Regardless of the third-party service, assume compromise and revoke access.
- Implement robust access controls: Limit permissions to the minimum necessary for each user and application.
- Strengthen multi-factor authentication (MFA): MFA is crucial, but it’s not foolproof. Organizations should explore more advanced MFA methods.
- Invest in continuous monitoring and threat detection: Look for anomalous activity and lateral movement within the network.
- Educate employees about social engineering tactics: Vishing and other social engineering attacks remain a significant threat.
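The first three recommendations above amount to one audit: know which third-party apps hold tokens into which services, work out how far a single compromised app reaches, and strip scopes the app does not need. The following script is an added illustration, not code from Salesloft, Salesforce, Google or the article; the grant inventory, app names and scope strings are constructed sample data, and the `needed` scope sets are an assumption standing in for each app's documented requirements.

```python
"""Authorization-sprawl audit over a constructed integration-grant inventory."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    app: str           # third-party app holding the token
    service: str       # downstream service the token reaches
    scopes: frozenset  # scopes the token actually carries
    needed: frozenset  # scopes the app's function requires (assumed for this example)


# Constructed sample inventory: names echo the article, scopes are illustrative only.
GRANTS = (
    Grant("drift", "salesforce", frozenset({"api", "refresh_token", "full"}), frozenset({"api", "refresh_token"})),
    Grant("drift", "slack", frozenset({"chat:write", "files:read"}), frozenset({"chat:write"})),
    Grant("salesloft", "drift", frozenset({"admin"}), frozenset({"admin"})),
    Grant("salesforce", "aws_s3", frozenset({"s3:GetObject"}), frozenset({"s3:GetObject"})),
    Grant("zapier", "google_workspace", frozenset({"gmail.readonly"}), frozenset({"gmail.readonly"})),
)


def blast_radius(grants, compromised_app):
    """Services transitively reachable with tokens held by compromised_app (graph walk)."""
    edges = defaultdict(set)
    for g in grants:
        edges[g.app].add(g.service)
    reached, frontier = set(), [compromised_app]
    while frontier:
        node = frontier.pop()
        for nxt in edges[node]:
            if nxt not in reached:
                reached.add(nxt)
                frontier.append(nxt)
    return reached


def excess_scopes(grants):
    """Least-privilege check: grants whose token carries scopes beyond what the app needs."""
    return {(g.app, g.service): g.scopes - g.needed for g in grants if g.scopes - g.needed}


def revocation_plan(grants, compromised_app):
    """Assume-compromise response: revoke every grant held by the app or by anything it reaches."""
    tainted = blast_radius(grants, compromised_app) | {compromised_app}
    return sorted((g.app, g.service) for g in grants if g.app in tainted)


if __name__ == "__main__":
    print("reach from drift:", sorted(blast_radius(GRANTS, "drift")))
    print("over-privileged grants:", excess_scopes(GRANTS))
    print("revoke and reissue:", revocation_plan(GRANTS, "drift"))
```

Note that `google_workspace` stays outside the blast radius only because, in this sample, no tainted app holds a token for it; in a real inventory the walk is what tells you which "hundreds of integrated services" are actually exposed.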
The future of cybersecurity will be defined by the ability to manage and control access in increasingly complex, interconnected environments. The era of simply building walls around the network is over. Organizations must proactively address the risks of authorization sprawl and adopt a security posture that assumes compromise is inevitable.
What steps is your organization taking to mitigate the risks of authorization sprawl? Share your insights in the comments below!