Salesforce Token Theft Is a Wake-Up Call for Fintech Platforms
The Salesloft Drift app, a Salesforce integration, was recently compromised. Learn what happened and how you can stay safe.
What Happened?
- Hackers stole OAuth tokens from the Salesloft Drift app and used them to extract Salesforce customer data between August 8 and 18, 2025.
- Google says the group, UNC6395, searched the stolen records for secrets like AWS and Snowflake keys.
- Salesforce pulled Drift from AppExchange and revoked tokens, while Google confirmed other Drift integrations were also hit.
- The core Salesforce platform was not breached; the weakness was the third-party connection.
Why This Matters to Fintech Platforms
Fintechs rarely operate in isolation. You plug CRMs, chat and revenue tools, analytics, KYC, payments gateways, data enrichment, and partner apps into customer journeys and internal operations.
That is good for speed, but it is also a growing attack surface. When a connected app is compromised, attackers can pivot through trusted tokens and pull sensitive data or secrets, then reuse those secrets to escalate into cloud, data warehouse, or payment infrastructure. The Salesforce incident shows exactly that pattern: data exfiltration first, secret harvesting second.
The Pattern We All Must Plan For
- Compromise lands at a partner or marketplace app, not inside your core.
- Stolen tokens or overly broad scopes allow bulk export from a system like Salesforce.
- Hackers extract secrets from the exported data, then try cloud keys, Snowflake tokens, and passwords to move further and steal more of your data.
IPQS Prevents Token Theft With a Multi-Layered Approach
IPQS reduces the likelihood of compromise, and adds challenges for attackers who rely on risky networks, automated tools, and throwaway devices.
- Gate third-party app access by IP reputation and network risk. If a token or integration user begins pulling records from Tor or known abusive networks, block or step up. IPQS IP reputation and proxy detection can serve as a policy input before API reads or exports proceed.
- Bind integrations to trusted devices and stable browser fingerprints. If the same integration user suddenly presents a new device fingerprint or emulator profile, quarantine the job, alert, and require reapproval. This breaks the “token plus any host” assumption attackers exploit.
- Score automation. The actor in this campaign used scripted queries at scale. IPQS bot detection and abuse signals can flag high-velocity API calls, suspicious user agents, and scripted behavior before a bulk export completes. Pair this with rate limits and just-in-time approvals.
- Filter webhooks and data integrations. Many fintechs let partners push data into CRMs or pull from them through webhooks. Add IPQS checks on inbound and outbound endpoints, for example block requests from proxied exit nodes and high-risk ASNs, or require step-up before delivering sensitive payloads.
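The four controls above (network gating, device binding, automation scoring, and step-up before a sensitive export) come together as one policy decision in front of the API read or webhook delivery. The following is an added example, not IPQS or Salesforce code: it assumes the caller has already looked up network and device risk for the request (the `RiskSignals` fields are constructed stand-ins, not a real IPQS API response) and applies the decision logic the post describes, returning allow, step-up, or block with a reason.

```python
"""Runtime gate for third-party integration reads and exports.

Added example, not IPQS or Salesforce code. RiskSignals is a constructed
stand-in for whatever risk lookup the gateway performs; the thresholds and
user-agent markers are this example's own assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Constructed list of user-agent markers that indicate scripted clients.
SCRIPTED_AGENT_MARKERS = ("python-requests", "curl/", "go-http-client")


@dataclass(frozen=True)
class RiskSignals:
    ip: str
    is_proxy_or_tor: bool     # proxy / Tor exit, per an IP reputation lookup
    fraud_score: int          # 0-100, higher is riskier (constructed scale)
    device_fingerprint: str   # stable device or browser fingerprint of the caller
    user_agent: str


class ExportGate:
    def __init__(self, max_calls, window_seconds, bulk_rows, fraud_threshold=85):
        self.max_calls = max_calls
        self.window = window_seconds
        self.bulk_rows = bulk_rows
        self.fraud_threshold = fraud_threshold
        self.known_devices = {}          # integration user -> approved fingerprint
        self.calls = defaultdict(deque)  # integration user -> recent call times
        self.quarantined = set()

    def register_device(self, user, fingerprint):
        """Bind an integration user to the device it was approved on."""
        self.known_devices[user] = fingerprint

    def reapprove(self, user, fingerprint):
        """A human re-approves the job on a new device, lifting the quarantine."""
        self.quarantined.discard(user)
        self.known_devices[user] = fingerprint

    def _record_call(self, user, now):
        """Append this call and return how many fall inside the sliding window."""
        q = self.calls[user]
        q.append(now)
        while q and now - q[0] > self.window:   # drop calls outside the window
            q.popleft()
        return len(q)

    def evaluate(self, user, signals, now, rows_requested):
        """Return (decision, reason) for one read/export request."""
        calls_in_window = self._record_call(user, now)
        if user in self.quarantined:
            return BLOCK, "user quarantined pending reapproval"
        # Network: reads from Tor or proxied exits never proceed.
        if signals.is_proxy_or_tor:
            return BLOCK, f"request from proxy/Tor exit {signals.ip}"
        # Device binding: a valid token presented from an unknown device is not enough.
        approved = self.known_devices.get(user)
        if approved is None:
            return STEP_UP, "no approved device on file for this integration user"
        if signals.device_fingerprint != approved:
            self.quarantined.add(user)
            return BLOCK, "device fingerprint changed; job quarantined"
        # Automation: high velocity, scripted agents or a high risk score get a
        # step-up instead of a silent bulk export.
        if calls_in_window > self.max_calls:
            return STEP_UP, f"{calls_in_window} calls in {self.window}s exceeds limit"
        ua = signals.user_agent.lower()
        if signals.fraud_score >= self.fraud_threshold or any(m in ua for m in SCRIPTED_AGENT_MARKERS):
            return STEP_UP, "high risk score or scripted user agent"
        # Bulk pulls need a just-in-time approval even from a trusted device.
        if rows_requested >= self.bulk_rows:
            return STEP_UP, f"export of {rows_requested} rows needs approval"
        return ALLOW, "ok"


if __name__ == "__main__":
    gate = ExportGate(max_calls=3, window_seconds=60, bulk_rows=10_000)
    gate.register_device("drift-integration", "fp-A")
    clean = RiskSignals("203.0.113.5", False, 10, "fp-A", "DriftSync/1.0")
    print(gate.evaluate("drift-integration", clean, now=0.0, rows_requested=100))
```

The order of checks is deliberate: a quarantined user or a Tor exit is refused before any velocity or score logic runs, and a fingerprint mismatch quarantines the integration user rather than just the one request, so a stolen token cannot simply retry from another host. The gate records every call, including ones it blocks, so a scripted retry loop still counts against the velocity limit.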
A Short API Security Checklist You Can Ship Quickly
- Inventory every Connected App, list scopes, define who owns it.
- Set IP restrictions and login IP ranges for integration users.
- Remove “API Enabled” from broad profiles, grant by permission set only.
- Add IPQS checks at API gateways that front CRM exports and webhooks, block proxies like Tor and other high-risk networks by default, alert on sudden device changes.
- Enable rate limits and approval workflows for mass queries and exports.
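The checklist is easiest to keep honest as a repeatable audit rather than a one-off review. The following is an added example, not Salesforce or IPQS code: it runs the governance items above over a constructed Connected App inventory (the `SAMPLE_APPS` entries and their field names are assumptions, not a real Salesforce export) and returns one finding per gap, so the output can feed a ticket queue or a CI check.

```python
"""Governance audit of a Connected App inventory.

Added example, not Salesforce or IPQS code. The inventory format is this
example's own assumption; a real run would build the same records from the
org's Connected App, profile and permission set settings.
"""
import ipaddress

# OAuth scopes that hand an integration far more than a CRM sync needs.
BROAD_SCOPES = {"full", "web"}

# Constructed inventory. Field names are this example's own, not Salesforce's.
SAMPLE_APPS = [
    {"name": "Chat Widget Sync", "owner": None,
     "scopes": {"full", "refresh_token"}, "login_ip_ranges": [],
     "api_enabled_via": "profile", "bulk_export_approval": False},
    {"name": "Payments Gateway Sync", "owner": "payments-team",
     "scopes": {"api", "refresh_token"}, "login_ip_ranges": ["203.0.113.0/24"],
     "api_enabled_via": "permission_set", "bulk_export_approval": True},
    {"name": "Analytics Export", "owner": "data-team",
     "scopes": {"api"}, "login_ip_ranges": ["0.0.0.0/0"],
     "api_enabled_via": "permission_set", "bulk_export_approval": False},
]


def _effective_ip_ranges(ranges):
    """Keep only ranges that restrict anything: drop 0.0.0.0/0, ::/0 and junk."""
    kept = []
    for r in ranges:
        try:
            net = ipaddress.ip_network(r, strict=False)
        except ValueError:
            continue          # an unparseable range restricts nothing
        if net.prefixlen > 0:
            kept.append(net)
    return kept


def audit_app(app):
    """Return the list of findings for one Connected App."""
    findings = []
    if not app.get("owner"):
        findings.append("no owner assigned")
    broad = sorted(app["scopes"] & BROAD_SCOPES)
    if broad:
        findings.append(f"overly broad scope(s): {', '.join(broad)}")
    if not _effective_ip_ranges(app["login_ip_ranges"]):
        findings.append("no effective login IP restriction for the integration user")
    if app["api_enabled_via"] == "profile":
        findings.append("API Enabled granted via profile; move to a permission set")
    if not app["bulk_export_approval"]:
        findings.append("mass queries/exports have no approval workflow")
    return findings


def audit_connected_apps(apps):
    """Return (app name, finding) pairs across the whole inventory."""
    return [(app["name"], f) for app in apps for f in audit_app(app)]


if __name__ == "__main__":
    for name, finding in audit_connected_apps(SAMPLE_APPS):
        print(f"{name}: {finding}")
```

Note that a login IP range of `0.0.0.0/0` is treated the same as having no range at all, which is the mistake this check most often catches: the restriction exists on paper but admits every address.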
The Salesforce incident is not really about Salesforce; it is about trust in connected software. Fintechs thrive on ecosystems, which means the right move is not fewer integrations but safer integrations.
Combine identity controls and strict Connected App governance with IPQS multi-layered network, device, and automation signals. That combination reduces the chance a stolen token ever works, and it gives you time to stop a bad export before it becomes a breach.
About the Author
Amber Kahr is a seasoned operations leader with deep expertise in Salesforce architecture and data management. As COO at IPQS, she has spent over a decade helping SaaS companies optimize their Salesforce environments for security, scalability, and revenue growth.