
The Salesloft Breach Put 12 Security Vendors in the Victim List. Here Are the Questions That Deserve an Answer.

  • Writer: Patrick Duggan
  • 2 hours ago
  • 5 min read

Between March and June 2025, ShinyHunters had access to Salesloft's GitHub account. There they ran TruffleHog, a public, open-source secrets scanner anyone can download in thirty seconds, against the repositories. The credentials it turned up got them into Drift's AWS environment, and it was from that environment, not from the source code directly, that they took the OAuth tokens Drift and Drift Email held for their customers' Salesforce and Google Workspace integrations.


Those tokens were accepted by the Salesforce org of every Drift customer that had the integration connected. Over roughly ten days in August 2025, before Salesforce revoked the Drift tokens on August 20, they were used to pull data out in bulk. By the attackers' own tally, as later reported in the press, that was 1.5 billion records from 760 organizations: 250 million rows from Account tables, 579 million from Contact, 171 million from Opportunity, 60 million from User, 459 million from Case. Along with whatever had been pasted into those rows over the years: AWS access keys, passwords, Snowflake access tokens.


Inside Telus Digital's Salesforce data, ShinyHunters found Google Cloud Platform credentials. They used those to pivot into Telus Digital's internal environment, where they dwelled silently from January through March 2026 and exfiltrated approximately one petabyte of data before detection. The $65 million ransom demand was rejected. The data was subsequently published.


That is the chain. It is worth holding in your head in full before reading the rest of this.





The Confirmed Victim List


Twelve organizations with security products or services as their primary business confirmed unauthorized access to their data in Salesforce environments following the Salesloft/Drift compromise. Named and confirmed by their own disclosures:


Cloudflare. Workiva. Zscaler. Tenable. CyberArk. Elastic. BeyondTrust. Proofpoint. JFrog. Rubrik. Cato Networks. Palo Alto Networks.


This is not a list of hospitals, retailers, or municipalities that reasonably lack the security expertise to prevent a sophisticated supply chain attack. This is a list of companies whose revenue derives from selling security products and services to other organizations. Several of them sell the specific capabilities that would have detected or prevented the attack that compromised their own data.


BeyondTrust sells privileged access management and secrets vaulting. CyberArk is perhaps the dominant vendor in enterprise secrets management. Proofpoint sells email security and insider threat detection. Zscaler sells zero-trust network access. Palo Alto Networks sells a cloud security platform that includes secrets scanning and CI/CD pipeline security as explicit product capabilities.


These are not tangential observations. They are the questions.





The Questions That Deserve an Answer


One. TruffleHog is open source, freely available, and widely known in the security community. It scans code repositories for hardcoded secrets: credentials, tokens, API keys. It is what ShinyHunters ran against Salesloft's repositories to find the credentials that started this cascade. No customer can run it against a vendor's private source. What a customer can do is inventory which connected apps hold refresh tokens against its Salesforce org, what scopes those tokens carry, and what secrets its own users have pasted into the CRM records those tokens can read. Did any of the twelve security vendors on the victim list have that inventory before August 2025, and were their own repositories and CRM data getting the TruffleHog treatment before an attacker's did? If yes, why didn't it narrow the blast radius? If no, why not?
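What "the TruffleHog treatment for CRM data" looks like in practice, as an added example (not TruffleHog's code, and not from the page or any vendor): a small scanner run over exported CRM records instead of a git repository. The records are constructed and use the example's own field names, not Salesforce's schema; the thresholds are assumptions to tune. Fixed-format patterns catch AWS access key IDs, service-account JSON and private key blocks, and a Shannon-entropy check catches the opaque value sitting next to a credential-looking label, which is the only way to find formats nobody wrote a regex for.

```python
"""Secrets scanning over CRM records instead of a git repository (added example)."""
import math
import re
from dataclasses import dataclass

# Fixed-format markers. The AKIA/ASIA prefix and 20-character length of an AWS
# access key ID are public AWS documentation; the others are structural.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
    "slack_like_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}

# A label followed by ':' or '=' and a value, e.g. "password: hunter2" or
# "aws_secret_access_key=...". The value is then judged by length and entropy.
LABEL = re.compile(
    r"(?i)(?:password|passwd|pwd|secret(?:[_ -]?access)?(?:[_ -]?key)?|token|"
    r"api[_ -]?key|private[_ -]?key)\s*[:=]\s*(\S+)"
)
MIN_LEN, MIN_ENTROPY = 16, 3.5  # assumptions; tune on your own data


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string or a one-symbol alphabet."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    severity: str   # "high" = almost certainly a secret; "review" = needs a human
    evidence: str   # redacted so the scanner's own output is not a second leak


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(record_id: str, field: str, text: str) -> list:
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(Finding(record_id, field, kind, "high", redact(m.group(0))))
    for m in LABEL.finditer(text):
        value = m.group(1).strip("\"'`,;")
        if len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
            findings.append(Finding(record_id, field, "labelled_high_entropy", "high", redact(value)))
        else:
            # "password: Welcome2024" is short and low-entropy but still a password;
            # it goes to a human rather than being silently dropped.
            findings.append(Finding(record_id, field, "labelled_value", "review", redact(value)))
    return findings


def scan_records(records: list) -> list:
    """records: [{"id": str, "fields": {name: text}}] in the example's constructed schema."""
    out = []
    for rec in records:
        for field_name, text in rec["fields"].items():
            if isinstance(text, str):
                out.extend(scan_text(rec["id"], field_name, text))
    return out


# Constructed sample records. The key material is AWS's own documentation
# example pair and is valid nowhere.
SAMPLE_RECORDS = [
    {"id": "500A1", "fields": {
        "Subject": "Sync job failing",
        "Description": "Use aws_access_key_id=AKIAIOSFODNN7EXAMPLE and "
                       "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY to repro"}},
    {"id": "500A2", "fields": {
        "Subject": "Onboarding",
        "Description": "Temporary password: Welcome2024 then reset at first login"}},
    {"id": "500A3", "fields": {
        "Subject": "GCP access for vendor",
        "Description": '{"type": "service_account", "project_id": "example", '
                       '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE..."}'}},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.field} [{f.severity}] {f.kind}: {f.evidence}")
```

Run as-is it reports five findings: the access key ID and the high-entropy secret in the first record, the short password in the second at "review" severity, and the private key block plus service-account marker in the third. Point it at a real export of Case descriptions and Contact notes and the "review" bucket is where most of the pain lives.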


Two. The Salesloft GitHub compromise ran from March to June 2025. The Salesforce tokens were revoked in August 2025, but the secondary credentials harvested from those orgs stayed live long enough to drive a breach that Telus Digital confirmed in March 2026. That is nine to twelve months across a chain that touched 760 organizations and 1.5 billion records, and a stretch of it was a connected-app identity reading entire Case and Account tables through the front door. The security vendors on the victim list collectively employ thousands of detection engineers. What were the detections those engineers built failing to surface?


Three. An OAuth grant to a SaaS integration is persistent, authenticated access to enterprise data. Once the refresh token is issued, the integration can mint new access tokens indefinitely without anyone logging in again, and nothing short of revoking that token, or the connected app behind it, ends the access. The Vercel breach in April 2026 used the same mechanism. The Telus Digital breach used the same mechanism. Token theft through a compromised third-party tool is now the defining characteristic of the major SaaS breaches of 2025 and 2026. Are the security vendors on this victim list shipping guidance to their customers about OAuth grant auditing and revocation that they were not applying to their own environments?
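Auditing grants is mostly policy applied to an inventory, so here is the policy as code, as an added example that is not from the page or from any vendor. The inventory is constructed and uses the example's own fields; populate it from whatever your platform exports (for Salesforce, the Connected Apps OAuth Usage page in Setup is where to start, and check the field names there before relying on them). The staleness window, the scope names treated as broad, and the "no documented purpose" rule are assumptions a team would tune for itself.

```python
"""Deciding which third-party OAuth grants to keep, rescope, or revoke (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Grant:
    app: str
    owner: str          # user whose access the token acts with
    owner_active: bool  # is that user still an active account
    scopes: set
    last_used: date
    approved: bool      # app is in the vetted-integration inventory
    purpose: str = ""   # documented reason; empty means nobody wrote one down


@dataclass
class Decision:
    app: str
    owner: str
    action: str                           # "keep" | "rescope" | "revoke"
    reasons: list = field(default_factory=list)


# Policy knobs (assumptions for the example).
STALE_AFTER = timedelta(days=90)
BROAD_SCOPES = {"full", "web"}                    # Salesforce "full": everything the user can do
LONG_LIVED = {"refresh_token", "offline_access"}  # lets the app mint access tokens unattended


def audit(grants, today: date) -> list:
    decisions = []
    for g in grants:
        reasons, action = [], "keep"
        if not g.approved:
            reasons.append("app not in the approved inventory")
            action = "revoke"
        if not g.owner_active:
            reasons.append("owning user is deactivated")
            action = "revoke"
        idle = (today - g.last_used).days
        if idle > STALE_AFTER.days:
            reasons.append(f"unused for {idle} days")
            action = "revoke"
        if g.scopes & LONG_LIVED and not g.purpose:
            reasons.append("long-lived token with no documented purpose")
            action = "revoke"
        broad = g.scopes & BROAD_SCOPES
        if broad:
            reasons.append(f"over-scoped: {sorted(broad)}")
            if action == "keep":
                action = "rescope"  # worth keeping, but re-consent with narrower scopes
        decisions.append(Decision(g.app, g.owner, action, reasons))
    return decisions


def revocation_list(decisions) -> list:
    """(app, owner) pairs to revoke; each is a token to kill, not just an app to block."""
    return [(d.app, d.owner) for d in decisions if d.action == "revoke"]


TODAY = date(2025, 8, 1)
SAMPLE_GRANTS = [  # constructed; app names are illustrative
    Grant("Drift", "drift-integration@example.com", True, {"api", "refresh_token", "full"},
          date(2025, 7, 31), True, "chat lead sync"),
    Grant("OldBI Connector", "analyst@example.com", True, {"api", "refresh_token"},
          date(2025, 1, 15), True, "quarterly dashboard"),
    Grant("Calendar Helper", "jane@example.com", True, {"api", "refresh_token"},
          date(2025, 7, 30), False, ""),
    Grant("Support Sync", "contractor@example.com", False, {"api"},
          date(2025, 7, 25), True, "ticket mirroring"),
    Grant("Billing Export", "billing-svc@example.com", True, {"api", "refresh_token"},
          date(2025, 7, 28), True, ""),
    Grant("Slack Notifier", "ops@example.com", True, {"api"},
          date(2025, 7, 29), True, "deal alerts"),
]

if __name__ == "__main__":
    for d in audit(SAMPLE_GRANTS, TODAY):
        print(f"{d.action:8} {d.app:16} {d.owner:30} {'; '.join(d.reasons)}")
```

Note what happens to the Drift grant in the sample: it is approved, active, in daily use and documented, and it still comes back "rescope" because it holds full-scope access. That is the grant that would have turned a vendor compromise into a full CRM export, and it is the one most audits wave through because everything else about it looks healthy.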


Four. The Salesloft breach is described in most coverage as a supply chain attack against the victims, because the initial compromise was at Salesloft rather than at the victim organizations directly. That framing is technically accurate. It is also the framing that allows the victims to describe themselves as having been attacked rather than having failed to defend. The harder question is: what is the appropriate level of security hygiene for an organization's SaaS vendor ecosystem? And does the answer change when you are a security vendor selling hygiene to others?


Five. We ask these questions of ourselves. We run secrets scanning. We audit OAuth grants. We track supply chain IOCs. We also assume that some fraction of our own posture, call it five percent, is wrong in ways we have not yet discovered. That is not a hedge. That is the honest epistemology of security operations. The question for any vendor is not whether they are perfect. It is whether the gap between what they practice and what they sell is visible, and whether they are honest about it.





What This Is Not


This is not an accusation that any of the twelve vendors failed their customers, behaved dishonestly, or deserve to be penalized for being compromised. Supply chain attacks are hard. The Salesloft breach was sophisticated. Being a victim of a supply chain compromise through a trusted SaaS integration does not make an organization negligent.


This is also not Schadenfreude. When security vendors get compromised, the downstream effect is not limited to their reputation. Their customer data, their product roadmaps, their sales pipelines, their employee records are in the 1.5 billion rows. Real people and real organizations are affected by what happened to the Salesforce data inside Cloudflare and Proofpoint and CyberArk. That matters more than the irony.


What this is: a structural observation about the gap between marketed capability and practiced posture, posed as questions rather than verdicts, because the honest answer to most of these questions is not available publicly and probably not simple even internally.





The Pattern That Connects Everything


The Salesloft breach. The Vercel breach. The Miasma/Red Hat npm campaign. The Nx/GitHub employee device compromise. The Telus Digital petabyte. The significant breaches of the past six months share a structural template. The attacker does not go through the wall. They find a trust relationship, a SaaS integration, an OAuth grant, a GitHub Actions workflow, a third-party productivity tool, and they walk through the door that someone else already opened.


The hard perimeter holds. The soft surface bleeds.


The defense is not a better firewall. It is a complete map of the trust graph that surrounds the perimeter, an understanding of what each trust relationship grants, and a practice of continuously auditing whether the things you trust should still be trusted. That is what security operations actually means in 2026. It is unglamorous, it does not sell well in a deck, and it is harder to automate than a next-generation detection rule.
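"A complete map of the trust graph" is a literal data structure, and the chain at the top of this piece is a small instance of it. As an added example (not from the page or any vendor), the graph below encodes that chain as directed edges, where holding the source yields access to the target, then asks two questions a trust review should be able to answer: what falls if a given node is compromised, and which single edges, if cut, disconnect the crown jewel from the starting point. The edge labels and the Snowflake branch are the example's own illustration of the kind of secret the article says was sitting in CRM records; nothing here is an asset inventory of any real organisation.

```python
"""The trust graph behind the chain, and where a single control would have cut it (added example)."""
from collections import defaultdict, deque


class TrustGraph:
    """Directed graph where an edge A -> B means: holding A yields access to B."""

    def __init__(self):
        self.edges = defaultdict(list)  # source -> [(target, mechanism)]

    def grant(self, source, target, mechanism):
        self.edges[source].append((target, mechanism))

    def reachable(self, start, skip=None):
        """Everything an attacker holding `start` can reach; `skip` removes one edge."""
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for target, mechanism in self.edges.get(node, []):
                if (node, target, mechanism) == skip or target in seen:
                    continue
                seen.add(target)
                queue.append(target)
        seen.discard(start)
        return seen

    def all_edges(self):
        return [(s, t, m) for s, lst in self.edges.items() for t, m in lst]

    def choke_points(self, start, target):
        """Edges whose removal alone disconnects `target` from `start`: the controls to prioritise."""
        return [e for e in self.all_edges() if target not in self.reachable(start, skip=e)]

    def blast_radius(self, start, crown_jewels):
        """Which of the named crown jewels fall if `start` is compromised."""
        return sorted(set(crown_jewels) & self.reachable(start))


def page_chain() -> TrustGraph:
    """The chain as the article tells it; mechanisms on the edges are the example's wording."""
    g = TrustGraph()
    g.grant("salesloft-github", "drift-aws", "credentials found in source by TruffleHog")
    g.grant("drift-aws", "drift-oauth-tokens", "token store reachable from the AWS account")
    g.grant("drift-oauth-tokens", "customer-salesforce-org", "Drift connected app, long-lived token")
    g.grant("customer-salesforce-org", "gcp-service-account-key", "key pasted into a CRM record")
    g.grant("gcp-service-account-key", "telus-gcp-project", "service-account authentication")
    g.grant("telus-gcp-project", "telus-internal-data", "project-level data access")
    # Illustrative branch: the article notes Snowflake tokens were among the secrets in CRM data.
    g.grant("customer-salesforce-org", "customer-snowflake", "Snowflake token pasted into a CRM record")
    return g


if __name__ == "__main__":
    g = page_chain()
    print("reachable from salesloft-github:", sorted(g.reachable("salesloft-github")))
    for src, tgt, mech in g.choke_points("salesloft-github", "telus-internal-data"):
        print(f"cut {src} -> {tgt} ({mech}) and telus-internal-data is unreachable")
```

Every edge on the main chain comes back as a choke point, which is the uncomfortable part: six separate places where one control (a scanned repository, a scoped token, a CRM record that did not contain a key) would have ended the story, and none of them fired. On a real inventory the graph is not a line, the choke-point list is short, and that short list is the work.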


The twelve vendors on the victim list know this. They build products that address parts of it. The question worth sitting with is whether knowing it, and selling solutions for it, is the same as doing it.


We are not sure it is. We are not sure we do it perfectly either. But we think the question is worth asking out loud.





