A supply chain attack targeting over 700 customers of the AI chatbot platform Drift has led to distinct responses from Okta and Zscaler, two leading cybersecurity providers. As organizations increasingly depend on software integrations, incidents like this highlight the tension between convenience and risk. Recent reports show that customer data related to Salesforce workflows became the focus of a coordinated campaign, exposing the security preparedness and response capabilities of companies heavily reliant on third-party vendors.
Earlier reports noted that large-scale cybersecurity incidents involving OAuth token compromise are infrequent, but growing reliance on integrated SaaS applications has repeatedly introduced similar vulnerabilities in recent years. Previous incidents often focused on individual company vulnerabilities, while this case reveals the systemic risk inherent in interconnected platforms and APIs, elevating concerns about the widespread impact and necessity for improved identity and access management across the industry.
How Did Okta and Zscaler Discover the Threat?
Both Okta and Zscaler became aware of the threat through warnings from Google’s security team regarding Drift-related anomalous activity. Okta’s security framework quickly identified and blocked the unauthorized access attempts, leveraging pre-set IP address restrictions on API activity. In contrast, Zscaler detected the breach only after Salesforce notified them, finding that their OAuth token for Drift, although unused since July, had already been exploited by the time they responded.
What Damage Occurred and How Did Companies Respond?
While Okta’s defensive measures prevented data compromise, Zscaler suffered exposure of customer and internal information, including business contact details and product licensing information. Zscaler immediately revoked the compromised token, but the incident revealed how even retired or soon-to-be deprecated tokens can remain a liability. The disparate outcomes demonstrate the significance of proactive monitoring and timely token rotation in mitigating security risks.
Why Does the Source of the Attack Remain Unclear?
Salesloft, Drift’s parent company, has not yet provided clarity from its investigation on how unauthorized access to GitHub and Drift’s AWS environment was achieved. Both Okta and Zscaler have stated they lack information on the root mechanisms behind the token theft.
“I don’t actually know how they got the tokens out. I just know they did,” said Sam Curry, Zscaler’s Chief Information Security Officer. David Bradbury, Okta’s Chief Security Officer, commented:
“The internet is connected by some very brittle, small pieces of information—these tokens that we constantly talk about.”
The analysis of these breaches underlines that current approaches to storing and protecting OAuth tokens may not adequately defend against mass collection or reuse by attackers. Both companies emphasized industry-wide responsibility—calling for vendors to prioritize security in their development processes, and for customers to demand stronger guarantees. Security leaders also expressed frustration over a lack of advanced countermeasures like tighter API controls and the implementation of Demonstrating Proof of Possession (DPoP) to link tokens to specific clients.
A deeper review of this breach and its aftermath illustrates recurring challenges for organizations extensively connected through APIs and cloud platforms. The persistent threat of supply chain attacks makes regular token rotation, IP-based API controls, and ongoing engagement with vendor security practices essential. Companies should audit their integrations, limit access based on necessity, and pressure SaaS providers to include advanced security features. Collaboration between affected entities, rather than assigning blame, is critical to raising the industry’s defensive posture and ensuring customer trust in a landscape defined by constant connectivity and evolving risks.
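As an added illustration, not code from Okta, Zscaler or Salesloft, the Python sketch below applies the two controls the article credits with limiting damage: an IP allowlist enforced per integration token on API activity, and a sweep for dormant tokens that should be revoked rather than left live. All token names, addresses, timestamps and log entries are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed inventory of integration tokens: allowed source ranges and last use.
NOW = datetime(2025, 8, 30, tzinfo=timezone.utc)
TOKENS = {
    "tok-hr-sync": {
        "allowed": ["203.0.113.0/24"],
        "last_used": NOW - timedelta(days=2),
    },
    "tok-chat-vendor": {
        "allowed": ["198.51.100.0/24"],
        "last_used": datetime(2025, 7, 3, tzinfo=timezone.utc),  # idle since July
    },
}

# Constructed API access log: (token_id, source_ip) per request.
ACCESS_LOG = [
    ("tok-hr-sync", "203.0.113.7"),
    ("tok-chat-vendor", "192.0.2.44"),    # presented from outside its allowlist
    ("tok-chat-vendor", "198.51.100.9"),
]


def allowed_source(token_id, source_ip, tokens=TOKENS):
    """Network-zone check: a token may only be presented from its allowlisted ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in tokens[token_id]["allowed"])


def evaluate_log(log=ACCESS_LOG, tokens=TOKENS):
    """Return the requests an IP-restricted API policy would have blocked."""
    return [(tok, ip) for tok, ip in log if not allowed_source(tok, ip, tokens)]


def stale_tokens(tokens=TOKENS, now=NOW, max_idle_days=30):
    """Tokens idle beyond the threshold: candidates for revocation, not retention."""
    cutoff = timedelta(days=max_idle_days)
    return sorted(tok for tok, meta in tokens.items() if now - meta["last_used"] > cutoff)


if __name__ == "__main__":
    print("blocked requests:", evaluate_log())
    print("tokens to revoke:", stale_tokens())
```

Run on a real token inventory and API gateway log, the same two functions give the denylist a gateway enforces and the revocation list an identity team works through.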
- Drift’s supply chain breach affected Okta, Zscaler, and hundreds more firms.
- Okta evaded damage through IP restrictions; Zscaler faced customer data exposure.
- Experts urge better API controls and token security after the incident.