
Your CRM is supposed to be the crown jewel of customer trust — but this summer showed just how vulnerable these platforms are when attackers set their sights on them. Salesforce and Drift, two of the most widely used tools in business, were both caught up in breaches that exposed how much risk hides in third-party integrations.
In June, the group ShinyHunters tricked employees at Google, Cisco, Pandora, and Workday into giving up access to Salesforce. They didn’t need to break in — they simply used social engineering (vishing and smishing) to get what they wanted. Once inside, they pulled data straight out of Salesforce using its own Data Loader. Even if the stolen information was “just” business contacts, that’s still the first domino in a bigger chain.

Things escalated in August when UNC6395 breached the Salesloft-Drift integration with Salesforce. By stealing OAuth and refresh tokens, they siphoned off licensing and support case data from companies like Zscaler and Palo Alto Networks. It got bad enough that Salesforce suspended all Salesloft integrations until the dust settled. Around the same time, TransUnion revealed a breach tied to a third-party app affecting more than four million people.
The takeaway? Integrations are the hidden weak spots in your security chain. Every API connection and OAuth token is another potential key to your kingdom.
If you’re a business leader, you can’t afford to assume that Salesforce, Drift, or any other vendor has it all locked down. Ask your teams: When’s the last time we audited our integrations? Are OAuth tokens being rotated like passwords? Do we enforce least-privilege access for APIs?
The truth is simple: attackers don’t always need to hack in. Sometimes, they just log in — through your vendors.
Don’t wait for a breach to reveal your weakest link. Calder & Lane helps mid-market and enterprise organizations audit integrations, secure APIs, and reduce CRM supply-chain risks before attackers exploit them.