DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

OAuth’s Blind Spot: Lessons from the Salesloft Drift Compromise

Patrick Duggan
Sep 2, 2025
2 min read

Updated: Sep 4, 2025

Blindspots everywhere!

In August 2025, a threat actor quietly exploited OAuth credentials tied to the Drift-Salesloft integration, siphoning sensitive Salesforce data from multiple organizations. The attack was swift, surgical, and disturbingly familiar.

We’ve seen this playbook before.

Back in our UNC6395 analysis, we dissected how OAuth misuse and asynchronous Python tooling enabled high-throughput data exfiltration from cloud platforms. The Drift-Salesforce incident confirms that this isn’t an isolated tactic—it’s a repeatable pattern. And if your SaaS ecosystem relies on third-party integrations, it’s a pattern you need to defend against.

Anatomy of the Attack

Initial Access: OAuth tokens tied to Drift were compromised, granting access to Salesforce instances without triggering MFA.
Data Exfiltration: Using aiohttp and Salesforce Bulk API, attackers extracted Account, Contact, Case, and Opportunity records at scale.
Anti-Forensics: SOQL queries were deleted post-exfiltration, obscuring audit trails and complicating incident response.
Credential Harvesting: Exfiltrated data was scanned for embedded secrets—likely to fuel lateral movement across cloud apps.

This wasn’t just a breach. It was a blueprint.

What Defenders Should Do—Now

If you use Drift, Salesforce, or any OAuth-connected SaaS platform, treat this as a proactive exercise.

Modular Response Checklist

1. Audit OAuth Integrations

Review Drift Connected App activity in Salesforce.
Check for unusual login patterns and API usage.

2. Hunt for Indicators

Look for the user agent Python/3.11 aiohttp/3.12.15 in Event Monitoring logs.
Flag logins from Tor exit nodes (with caution—high false positive rate).

3. Scan for Secrets

Use Trufflehog or GitLeaks to scan exfiltrated data and code repos.
Rotate any exposed credentials immediately.

4. Harden Access Controls

Enforce least privilege and conditional access.
Treat OAuth tokens as privileged credentials—monitor and rotate them like passwords.

5. Train for Social Engineering

Assume attackers will weaponize exfiltrated contact data.
Reinforce verification protocols across teams.

Strategic Takeaway

OAuth is powerful—but porous. The Drift compromise shows how easily trust can be weaponized when integrations aren’t monitored with the same rigor as core infrastructure. As defenders, we need to treat third-party apps as first-class security citizens.

This isn’t just about Salesforce or Drift. It’s about the architectural blind spots that emerge when convenience outpaces control.

OAuth’s Blind Spot: Lessons from the Salesloft Drift Compromise

Anatomy of the Attack

What Defenders Should Do—Now

Modular Response Checklist

Strategic Takeaway

Recent Posts

Comments