Identity is still the primary entry point for cyberattacks, according to Palo Alto Networks’ threat intelligence firm Unit 42. In its annual incident response report released Tuesday, Unit 42 found that identity-based techniques accounted for nearly two-thirds of all initial network intrusions last year. 

Social engineering was the leading attack method, accounting for one-third of the 750 incidents Unit 42 responded to in the one-year period ending in September 2025. Attackers also bypassed security controls with compromised credentials, brute-force attacks, overly permissive identity policies and insider threats, researchers said.

The persistent pitfalls of identity extended beyond initial access, with an identity-related element playing a critical role in nearly 90% of all incidents last year. Unit 42’s report highlights the explosive impact of identity abuse, and pins much of the problem on poor security controls and misconfigurations across interconnected tools and systems.

“Across the attack lifecycle, the biggest thing is that once you have an identity, you’ve got everything, you’ve got the key and you’re in,” Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42, told CyberScoop. “From a defense standpoint, enterprises are still not very good at finding the signal in the noise, essentially the detection when an identity-based tactic is used because there isn’t unauthorized access per se from a technical telemetry standpoint, and it becomes a harder detection mechanism.”

Vulnerability exploits, an ever-moving target, were still prolific and accounted for 22% of initial intrusions across attacks, but humans remain the weakest link, Rubin said. 

The rise of machine-based identities and AI agents, which require an identity to take action, is expanding the attack surface for cybercriminals. Identity challenges are manifesting in the software supply chain as well, as API access and SaaS integrations become another weak link and way in for attackers if control keys aren’t properly controlled.

An attack on Salesloft Drift customers last summer highlighted how tightly integrated services can unravel and expose victims that are multiple layers removed from the vendor. More than 700 organizations were impacted directly, but Salesloft Drift’s integrations with dozens of third-party tools opened many additional paths of potential compromise. 

More broadly, attackers are jumping from branch offices into a victims’ headquarters or data centers because too many accounts remain over permissioned and cloud-based accounts are established with too much privilege or a lack of segmentation, Rubin said. 

These gaps allow threat groups to turn break-ins into significant attacks. 

“We just see this time and again that there could have been better identity-based practices that would have constrained the blast radius, even if it didn’t stop the initial access,” Rubin said. 

“It’s a problem of signal and noise,” he added. “Think about a global enterprise and all of this authenticated, legitimate activity happening every day. How do you see and identify the one instance where a user is already authenticated but doing something that they shouldn’t do?”

Large and older organizations are at a greater disadvantage, Rubin said. Over time, their technology stacks have evolved to include legacy systems acquired through various business deals. This leaves IT teams managing a patchwork of disparate systems that are poorly integrated, creating significant security vulnerabilities. 

“We forgot as defenders to consider the entire attack chain, because too often we see the defense happens in silos,” Rubin said, adding that attacks that pivot from endpoints to cloud-based services are commonly missed. 

Each of those jumps gives defenders a chance to  thwart attacks. Nearly 90% of the attacks Unit 42 investigated last year involved malicious activity across multiple attack surfaces.

Financially motivated attacks accounted for most of the 750 incidents Unit 42 responded to last year. Unit 42 did not say how many of those attacks resulted in payments, but it said median payments increased 87% year-over-year to $500,000 last year. 

Attackers continue to pick up speed as well, exfiltrating data from victim networks under a median duration of two days. Attackers stole data in under one hour in 22% of the attacks Unit 42 responded to last year. 

Unit 42’s annual look-back spotlights critical areas of concern and attack trends that continue to take root, yet it’s not comprehensive. The report’s visibility is limited to incidents that went from bad to worse and prompted victims to seek help from Unit 42. 

“The hardest thing about incident response in cybersecurity,” Rubin said, “is there is no one global spot for how much is going on.”

The post Unit 42: Nearly two-thirds of breaches now start with identity abuse appeared first on CyberScoop.

An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.

“While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”

Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.

Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise. 

Salesforce identified three impacted customers in the immediate aftermath of the attack, and has since found more confirmed victims, Gainsight said in an update on its community page. Neither company has provided a specific number of known victims.

“There is a distinction between the number of customers who Salesforce identified as having compromised tokens and the handful of customers we presently know had their data affected,” a company spokesperson told CyberScoop Tuesday.

Google Threat Intelligence Group, which is affiliated with Mandiant under Google Cloud’s security apparatus, said it was aware of more than 200 Salesforce instances potentially affected by the Gainsight breach last week. Google hasn’t provided an updated figure since then.

Inconsistencies are common in supply-chain attacks that flow downstream.

Meanwhile, Mandiant is continuing to sift through logs and analyze token behavior and connector activity to provide Gainsight with a more complete view of what occurred and how far attackers were able to use Gainsight customers’ access tokens to breach additional systems.

Gainsight previously said Hubspot, Zendesk and revenue intelligence platform Gong.io also temporarily revoked Gainsight customers’ access tokens “out of an abundance of caution.” The company hasn’t reported any confirmed impact on other systems and Salesforce maintains that the issue did not involve a vulnerability in the Salesforce platform.

The breach and its root cause is strikingly similar to an expansive downstream attack spree that impacted more than 700 customers who integrated Salesloft Drift into Salesforce two months ago. 

While Gainsight and Salesforce are both communicating directly with customers, publicly available threat hunting guidance and information about the attacks exist in multiple places.

Salesforce has shared the most comprehensive IOCs, including dates and observed activities for each malicious IP address. The earliest malicious activity linked to the campaign occurred Oct. 23, according to Salesforce.

The company advised customers to review all available logs for potential compromise and noted that the revocation of Gainsight OAuth tokens does not delete a customers’ logs or hinder their ability to investigate the incident.

Gainsight, however, said its logs are of less use. “Based on the nature of the logs we retain, many of our clients have not found them to be material in assessing any risk to their organization,” Brent Krempges, chief customer officer at Gainsight, said on its community page. 

“We strongly recommend that you focus your investigation on the Salesforce logs that show authentication attempts and API calls originating from the Gainsight Connected App,” he added. “These Salesforce-side logs are the authoritative source of information for identifying any anomalous access patterns.”

Gainsight also recommended that customers configure IP restrictions for API calls to ensure only legitimate requests are allowed. This security control is manual and requires cooperation from every vendor in the supply chain. Okta said IP restrictions kept its Drift integrations secure and successfully blocked an attempted attack on its Salesforce environment during the widespread incidents in August.

Ganapathi, who was named CEO in August, acknowledged that Gainsight is critical to its customers’ daily operations and said the company is personally responsible for ensuring access to its products. The company is helping customers manage their Gainsight Customer Success (CS) instances while its Salesforce connected app is offline, he said. 

“The only way we beat these threats is by working together and sharing information and strategies,” Ganapathi said. “That is why I am committing to sharing what we learn from this experience to help everyone in the SaaS community strengthen their defenses and, we hope, avoid going through something similar themselves.”

The post Gainsight CEO downplays impact of attack that spread to Salesforce environments appeared first on CyberScoop.

The recent Salesloft Drift breach offered a sobering reminder of how easily trust can be weaponized in today’s SaaS and AI-integrated environments. In this incident, hackers exploited the Drift chatbot, stole OAuth tokens, and used them to obtain data from CRM systems before the tokens could be revoked. In the wake of the incident, many deemed the weak spot to be the tokens, but they are missing the bigger issue. Namely, identity and permission sprawl, and a misuse of excessive trust.

Inside the Salesloft Drift Attack

With Drift, attackers used OAuth tokens to make legitimate API calls against CRM environments, and since the tokens were valid, the fraudulent activity didn’t raise any flags. In the eyes of all, it was simply business as usual. Organizations later confirmed that data was stolen before tokens could be revoked. This includes sensitive business records, contact information, support data, and, in some cases, embedded credentials across more than 700 organizations using the compromised integration with Salesforce. 

And while those impacted have traced the chain of compromise, the next step is to address the larger underlying problem of the chatbots and the excessive scopes they are given. 

Consider the following:

• Exceedingly Broad Scopes: The chatbots don’t just have access to what they need; they have access to everything, including users’ credentials.
• Ongoing Authorization: Chatbot credentials often remain valid indefinitely in the name of speed, in essence creating a permanent open door.
• Standing Privileges: Permanent credentials mean chatbots stay connected even when not in use, making them targets ready to be exploited at any time.

Add it all up, and you can see how a single compromised credential can create significant exposure. And the risk is only growing, thanks to SaaS and AI-powered integrations that are creating an unimaginable number of vulnerabilities. Still, businesses treat integrations and agents as background utilities that have no ownership, governance, or lifecycle management. Ironically, it’s the absence of these controls that gives them greater operating privileges and reach than any human would ever be granted, while making them ideal targets for attackers.

The identity and access wake-up call

Whether or not an organization was impacted by Drift, it’s time to reassess all SaaS and AI integration footprints. This includes verifying every connected app, API bridge, and automation workflow. 

Start with addressing hygiene, including the following:

• Remove and rotate any old tokens, as well as those with excessive permissions, especially those connected to third-party integrations. Where possible, static tokens should be eliminated entirely in favor of short-lived tokens with a narrow window of operation.
• Replace blanket-scoped permissions with narrowly defined access that is tied to specific roles and actions. 
• Audit logs and event data for unusual exports, API surges, or unexpected user agents. These actions can help surface silent compromises before they grow.

This tactical cleanup is not a one-time exercise. Everything must be re-evaluated on an ongoing basis. Even then, your work is not done. 

From static access to runtime authorization

The next generation of security requires using adaptive access models such as Zero Standing Privileges (ZSP), where “always-on” automation is replaced by dynamic, ephemeral identities and permissions that are enforceable at runtime.  With ZSP, every integration or AI agent receives temporary, just-in-time access that is created at runtime, bound by clear time-to-live parameters and contextual conditions. When the task ends, the permission disappears.

Because these are enabled through runtime authorization, businesses can easily verify not only who or what is making a request, but also why, for how long, and under what conditions. When paired with continuous monitoring, organizations can quickly spot anomalous activities and revoke privileges instantly when behavior deviates from policy.

Treat all integrations as identities

Another key to success is treating all integrations, whether they are human, machine, agentic AI, or AI-driven assistants, equally. Each of these should have a distinct identity, a defined purpose, ownership, and lifecycle stages. These controls provide teams with critical visibility across all identities and, when irregular activities are spotted, the answers to critical questions—who had access, what they did, and for how long?

Pay special attention to AI-driven tools, ensuring that agents operating on behalf of humans only act within the parameters set by their sponsor. Helpful tools here include allowlisting and runtime guardrails that can keep agents in their assigned lane and, in doing so, prevent them from veering off and initiating unauthorized actions. This includes those that have been compromised or manipulated through prompt injection.

The bigger picture: trust as a dynamic perimeter

The Drift incident wasn’t an anomaly—it was a preview. As AI-driven automations and SaaS integrations multiply, every organization will face the same question: can you truly see, control, and verify who or what has access to your data at any given moment?

Security can no longer depend on static controls or the assumption that trusted systems will stay trustworthy. The future belongs to those who treat identity as the new perimeter and access as a living, breathing condition—not a one-time approval. When every token, credential, and agent is governed by context, time, and intent, trust becomes measurable—and defensible.

Because in a world where automation never sleeps, trust can’t either.

Art Poghosyan is the CEO of Britive, a cloud privileged access management software company. 

The post When trust turns toxic: Lessons from the Salesloft Drift incident appeared first on CyberScoop.

The recent mass-theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.

Salesloft disclosed on August 20 that, “Today, we detected a security issue in the Drift application,” referring to the technology that powers an AI chatbot used by so many corporate websites. The alert urged customers to re-authenticate the connection between the Drift and Salesforce apps to invalidate their existing authentication tokens, but it said nothing then to indicate those tokens had already been stolen.

On August 26, the Google Threat Intelligence Group (GTIG) warned that unidentified hackers tracked as UNC6395 used the access tokens stolen from Salesloft to siphon large amounts of data from numerous corporate Salesforce instances. Google said the data theft began as early as Aug. 8, 2025 and lasted through at least Aug. 18, 2025, and that the incident did not involve any vulnerability in the Salesforce platform.

Google said the attackers have been sifting through the massive data haul for credential materials such as AWS keys, VPN credentials, and credentials to the cloud storage provider Snowflake.

“If successful, the right credentials could allow them to further compromise victim and client environments, as well as pivot to the victim’s clients or partner environments,” the GTIG report stated.

The GTIG updated its advisory on August 28 to acknowledge the attackers used the stolen tokens to access email from “a very small number of Google Workspace accounts” that were specially configured to integrate with Salesloft. More importantly, it warned organizations to immediately invalidate all tokens stored in or connected to their Salesloft integrations — regardless of the third-party service in question.

“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Salesloft Drift to integrate with third-party platforms (including but not limited to Salesforce) should consider their data compromised and are urged to take immediate remediation steps,” Google advised.

On August 28, Salesforce blocked Drift from integrating with its platform, and with its productivity platforms Slack and Pardot.

The Salesloft incident comes on the heels of a broad social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. That campaign led to data breaches and extortion attacks affecting a number of companies including Adidas, Allianz Life and Qantas.

On August 5, Google disclosed that one of its corporate Salesforce instances was compromised by the attackers, which the GTIG has dubbed UNC6040 (“UNC” stands for “uncategorized threat group”). Google said the extortionists consistently claimed to be the threat group ShinyHunters, and that the group appeared to be preparing to escalate its extortion attacks by launching a data leak site.

ShinyHunters is an amorphous threat group known for using social engineering to break into cloud platforms and third-party IT providers, and for posting dozens of stolen databases to cybercrime communities like the now-defunct Breachforums.

The ShinyHunters brand dates back to 2020, and the group has been credited with or taken responsibility for dozens of data leaks that exposed hundreds of millions of breached records. The group’s member roster is thought to be somewhat fluid, drawing mainly from active denizens of the Com, a mostly English-language cybercrime community scattered across an ocean of Telegram and Discord servers.

Recorded Future’s Alan Liska told Bleeping Computer that the overlap in the “tools, techniques and procedures” used by ShinyHunters and the Scattered Spider extortion group likely indicate some crossover between the two groups.

To muddy the waters even further, on August 28 a Telegram channel that now has nearly 40,000 subscribers was launched under the intentionally confusing banner “Scattered LAPSUS$ Hunters 4.0,” wherein participants have repeatedly claimed responsibility for the Salesloft hack without actually sharing any details to prove their claims.

The Telegram group has been trying to attract media attention by threatening security researchers at Google and other firms. It also is using the channel’s sudden popularity to promote a new cybercrime forum called “Breachstars,” which they claim will soon host data stolen from victim companies who refuse to negotiate a ransom payment.

But Austin Larsen, a principal threat analyst at Google’s threat intelligence group, said there is no compelling evidence to attribute the Salesloft activity to ShinyHunters or to other known groups at this time.

“Their understanding of the incident seems to come from public reporting alone,” Larsen told KrebsOnSecurity, referring to the most active participants in the Scattered LAPSUS$ Hunters 4.0 Telegram channel.

Joshua Wright, a senior technical director at Counter Hack, is credited with coining the term “authorization sprawl” to describe one key reason that social engineering attacks from groups like Scattered Spider and ShinyHunters so often succeed: They abuse legitimate user access tokens to move seamlessly between on-premises and cloud systems.

Wright said this type of attack chain often goes undetected because the attacker sticks to the resources and access already allocated to the user.

“Instead of the conventional chain of initial access, privilege escalation and endpoint bypass, these threat actors are using centralized identity platforms that offer single sign-on (SSO) and integrated authentication and authorization schemes,” Wright wrote in a June 2025 column. “Rather than creating custom malware, attackers use the resources already available to them as authorized users.”

It remains unclear exactly how the attackers gained access to all Salesloft Drift authentication tokens. Salesloft announced on August 27 that it hired Mandiant, Google Cloud’s incident response division, to investigate the root cause(s).

“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Mandiant Consulting CTO Charles Carmakal told Cyberscoop. “There will be a lot more tomorrow, and the next day, and the next day.”