
How Attackers Breached 700 Organizations via CX Platforms

Explore the alarming breach of 700 organizations via CX platforms and uncover six critical security blind spots that could jeopardize your business.


How Did Attackers Compromise 700 Organizations Through Approved CX Platforms?

In August 2025, attackers used OAuth tokens stolen from the Salesloft Drift integration to reach the Salesforce environments of more than 700 organizations, among them Cloudflare and Zscaler. They needed no exploit against the platforms they read from: every request carried a valid, approved token, which is exactly the kind of access most security operations centers (SOCs) are not set up to question. The incident exposes how thinly organizations secure their customer experience (CX) platforms.

CX platforms handle billions of unstructured interactions annually, from survey forms to social media feedback. That data feeds AI engines that trigger automated workflows touching payroll, customer relationship management (CRM) and payment systems. SOC tooling rarely inspects what those engines ingest, so an attacker who can write into that input stream can poison it and steer the workflows it drives.

What Happened in the Salesloft/Drift Incident?

The intrusion began in Salesloft's GitHub environment. From there the attackers obtained OAuth tokens for the Drift chatbot integration and used them to read Salesforce data across numerous organizations, then searched the exported records for secrets such as AWS access keys and plaintext passwords. No malware was deployed at any point. Controls built to catch exploits and malicious binaries have nothing to flag when the attacker is, to every system involved, an approved integration making ordinary API calls.

According to Proofpoint’s 2025 Voice of the CISO report, 98% of organizations have a data loss prevention (DLP) program, yet only 6% allocate dedicated resources for it. Additionally, CrowdStrike’s 2025 Threat Hunting Report reveals that 81% of interactive intrusions now utilize legitimate access. With cloud intrusions surging by 136% in the first half of 2025, security leaders must reassess their strategies.

What Are the Blind Spots in CX Platform Security?

Assaf Keren, Chief Security Officer at Qualtrics, points out a critical issue: many security teams mistakenly view experience management platforms as benign survey tools. This misclassification overlooks the risks associated with these platforms, which increasingly integrate with sensitive systems like HRIS and CRM.

In discussions with security leaders, six control failures consistently emerged as significant blind spots:

  1. DLP Cannot See Unstructured Sentiment Data: Standard DLP policies match structured personally identifiable information (PII) fields, so unstructured text such as employee grievances or customer feedback passes through unmonitored even when it contains the same sensitive content.
  2. Zombie API Tokens from Finished Campaigns: OAuth tokens issued for past campaigns often stay valid long after the campaign ends, and each one is a lateral movement path for whoever obtains it. Tokens should be revoked when the campaign or integration that needed them is retired.
  3. Public Input Channels Lack Bot Mitigation: Web application firewalls inspect HTTP payloads on the organization's own endpoints, but feedback pulled in from public channels such as Trustpilot or Google Maps arrives through integrations those firewalls never see, so fabricated reviews and scripted submissions flow straight into the CX platform.
  4. Lateral Movement Through Approved API Calls: An attacker holding valid credentials or tokens exports data through the same API calls the integration uses every day. A SIEM that only matches known-bad signatures will not flag it; detection needs a behavioural baseline of what each user and connected app normally queries, and how much.
  5. Non-Technical Users with Admin Privileges: Marketing and HR teams often configure integrations without SOC oversight, creating shadow admins and shadow integrations. Organizations need a maintained inventory of every CX platform integration and who owns it.
  6. Open-Text Feedback Hits Databases Before PII Masking: Free-text feedback can carry names, account numbers or credentials that field-level PII classifiers never flag, so the sensitive content reaches the database unmasked and is exposed in any later breach.
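The checks behind items 1 and 6, as an added example that is not part of the original article: a small pre-ingest scrubber that masks a few secret and PII patterns in free-text feedback before the record is stored or handed to an AI engine, and quarantines any record that carried a credential rather than merely PII. The pattern set, the label names and the sample records are constructed for illustration and are not a complete DLP rule set; the same scan, run over your own exported records, is the defender's version of the secret search the Drift attackers performed.

```python
import re

# Illustrative patterns (an assumption, not a complete DLP rule set): two
# "secret" classes that should never reach the datastore, two PII classes
# that are masked before storage or before an AI engine sees the text.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("password_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*(?:is|:|=)\s*\S+")),
]
PII_PATTERNS = [
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


def scrub(text):
    """Mask secrets and PII in one free-text record.

    Returns (masked_text, findings, quarantine). findings maps a pattern label
    to its match count; quarantine is True when a secret (not merely PII) was
    present, so the record can be held for review instead of being written
    to the feedback table.
    """
    findings = {}
    masked = text
    # Secrets first, so a credential that also looks like PII is removed whole.
    for label, rx in SECRET_PATTERNS + PII_PATTERNS:
        masked, n = rx.subn(f"[REDACTED:{label}]", masked)
        if n:
            findings[label] = n
    quarantine = any(label in findings for label, _ in SECRET_PATTERNS)
    return masked, findings, quarantine


def scrub_batch(records):
    """Run scrub() over a batch; returns (stored, held, totals)."""
    stored, held, totals = [], [], {}
    for rec in records:
        masked, findings, quarantine = scrub(rec)
        (held if quarantine else stored).append(masked)
        for label, n in findings.items():
            totals[label] = totals.get(label, 0) + n
    return stored, held, totals


# Constructed sample records (not real customer data).
SAMPLE_FEEDBACK = [
    "Great support, but the agent asked me to paste my key AKIAIOSFODNN7EXAMPLE into chat.",
    "Reset didn't work. My password is hunter2 and my email is jane.doe@example.com",
    "Call me back at (555) 010-2345 about the refund.",
    "Loved the new dashboard, no complaints.",
]

if __name__ == "__main__":
    stored, held, totals = scrub_batch(SAMPLE_FEEDBACK)
    print("stored:", *stored, sep="\n  ")
    print("held for review:", *held, sep="\n  ")
    print("totals:", totals)
```

Records that only contained PII are stored masked; the two that held a credential are returned separately so a reviewer can confirm the masking and notify the customer, instead of the raw text landing in a table that a stolen integration token can later read.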

Who Is Responsible for the Security Gap?

The common thread among these failures is the lack of dedicated security for CX platforms. While SaaS security posture management (SSPM) has advanced for enterprise platforms like Salesforce, CX platforms remain overlooked. Consequently, user activities and configurations within these platforms go unmonitored.

To address this gap, organizations are exploring various solutions. Some extend SSPM tools to cover CX platform configurations, while others implement API security gateways to inspect token scopes and data flows. However, these measures often fall short of fulfilling the comprehensive security needs of CX platforms.

Why Is Continuous Monitoring Essential?

Security leaders stress the importance of continuous monitoring for experience data access and real-time visibility into configurations. This proactive approach can help identify misconfigurations and prevent lateral movement before it leads to significant breaches.
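What continuous monitoring of experience data access looks like in practice, and the behavioural check called for under blind spot 4, as an added example that is not part of the original article: it builds a per-connected-app baseline from a week of API access events (which objects each app reads and its largest result set) and then flags review-period events that hit an object the app never touched, return an order of magnitude more rows than it ever has, or come from an app with no history at all. The log lines, field names and thresholds are constructed for this example and are not any vendor's schema or the indicators from the real incident.

```python
import json
from collections import defaultdict

# Constructed sample events, loosely modelled on a SaaS platform's API access
# log. Field names are an assumption for this example, not a vendor schema.
# Events before REVIEW_START form the baseline; the rest are the day under review.
SAMPLE_EVENTS = """\
{"ts":"2025-08-01T09:00:00Z","app":"drift-chatbot","user":"integration@corp.example","op":"Query","object":"Lead","rows":40}
{"ts":"2025-08-02T09:05:00Z","app":"drift-chatbot","user":"integration@corp.example","op":"Query","object":"Lead","rows":55}
{"ts":"2025-08-03T09:10:00Z","app":"drift-chatbot","user":"integration@corp.example","op":"Query","object":"Contact","rows":30}
{"ts":"2025-08-04T09:00:00Z","app":"drift-chatbot","user":"integration@corp.example","op":"Query","object":"Lead","rows":35}
{"ts":"2025-08-05T09:02:00Z","app":"drift-chatbot","user":"integration@corp.example","op":"Query","object":"Contact","rows":25}
{"ts":"2025-08-05T11:00:00Z","app":"survey-sync","user":"hr.ops@corp.example","op":"Query","object":"Contact","rows":200}
{"ts":"2025-08-06T11:00:00Z","app":"survey-sync","user":"hr.ops@corp.example","op":"Query","object":"Account","rows":150}
{"ts":"2025-08-08T03:12:00Z","app":"drift-chatbot","user":"integration@corp.example","op":"Query","object":"Case","rows":250000}
{"ts":"2025-08-08T09:00:00Z","app":"drift-chatbot","user":"integration@corp.example","op":"Query","object":"Lead","rows":48}
{"ts":"2025-08-08T11:00:00Z","app":"survey-sync","user":"hr.ops@corp.example","op":"Query","object":"Account","rows":160}
{"ts":"2025-08-08T14:30:00Z","app":"bulk-exporter","user":"marketing@corp.example","op":"Query","object":"Contact","rows":90}
"""
REVIEW_START = "2025-08-08T00:00:00Z"
SPIKE_FACTOR = 10  # flag a single call returning >10x the app's largest baseline result


def parse_events(text):
    """One JSON object per line -> list of dicts; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_events(events, review_start):
    """Timestamps are ISO-8601 UTC, so plain string comparison orders them."""
    baseline = [e for e in events if e["ts"] < review_start]
    review = [e for e in events if e["ts"] >= review_start]
    return baseline, review


def build_baseline(events):
    """Per connected app: the objects it has read and its largest result set."""
    baseline = defaultdict(lambda: {"objects": set(), "max_rows": 0})
    for e in events:
        b = baseline[e["app"]]
        b["objects"].add(e["object"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return dict(baseline)


def detect(events, baseline, spike_factor=SPIKE_FACTOR):
    """Return one alert per rule that a review-period event violates."""
    alerts = []
    for e in events:
        b = baseline.get(e["app"])
        if b is None:
            # No history at all: a shadow integration or a token nobody inventoried.
            alerts.append({**e, "rule": "unknown_app"})
            continue
        if e["object"] not in b["objects"]:
            alerts.append({**e, "rule": "new_object"})
        if e["rows"] > spike_factor * max(b["max_rows"], 1):
            alerts.append({**e, "rule": "volume_spike"})
    return alerts


def run(text=SAMPLE_EVENTS, review_start=REVIEW_START):
    """Parse, split, baseline and detect in one call; returns the alert list."""
    events = parse_events(text)
    base_events, review_events = split_events(events, review_start)
    return detect(review_events, build_baseline(base_events))


if __name__ == "__main__":
    for a in run():
        print(f'{a["ts"]} {a["rule"]:<13} app={a["app"]} user={a["user"]} '
              f'object={a["object"]} rows={a["rows"]}')
```

Every flagged call is a valid, authenticated request that a signature-based control would pass; the only thing that makes it stand out is the comparison with what that connected app usually does. In production the baseline window would be longer and the thresholds tuned per app, but the three rules are the minimum a SOC needs before it can claim to monitor experience data access at all.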

The first purpose-built integration for this gap connects security posture management directly to the CX layer. This integration aims to provide security teams with the oversight they expect for established platforms like Salesforce.

What Is the Impact of a Breach?

Most organizations assess the technical blast radius of a breach, but few consider the business impact. When AI engines make decisions based on compromised data, the consequences extend beyond security incidents into operational failures. This gap remains unaddressed between CISOs, CIOs, and business unit owners, highlighting the need for a unified approach to data integrity.

What Steps Can Security Teams Take?

Organizations must take proactive measures to mitigate these risks. Here are some actionable steps:

  • Run an Audit: Start with an inventory of all CX platform integrations, then review every OAuth token against it and revoke any that has no current owner, campaign or business purpose.
  • Implement Continuous Monitoring: Invest in tools that provide real-time visibility into user activities and configurations within CX platforms.
  • Educate Non-Technical Users: Ensure that teams outside of IT understand the security implications of their integrations and configurations.
  • Review DLP Policies: Update DLP strategies to include unstructured data and establish protocols for monitoring sentiment data.
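The token audit from the first step above, and the zombie-token problem in blind spot 2, as an added example that is not part of the original article: it takes an export of a platform's OAuth token list and returns the tokens to revoke, each with the reason (never used, unused for longer than the stale window, owning user deactivated, app absent from the approved inventory, or a scope broader than any CX integration needs). The record shape, the approved-app inventory, the 90-day window and the sample tokens are this example's own assumptions; a real export, such as the AppName, LastUsedDate and UseCount fields that Salesforce's OauthToken object carries, would be mapped onto these field names first.

```python
from datetime import date, timedelta

# Assumed inventory of the integrations the SOC has signed off on.
APPROVED_APPS = {"drift-chatbot", "survey-sync"}
STALE_DAYS = 90  # assumption: a CX token unused this long has no live purpose

# Constructed token records. Field names are this example's own, not a
# vendor schema; "scopes" uses OAuth scope names as strings.
SAMPLE_TOKENS = [
    {"id": "tok-001", "app": "drift-chatbot", "user": "integration@corp.example",
     "user_active": True, "last_used": "2025-08-20", "scopes": ["api", "refresh_token"]},
    {"id": "tok-002", "app": "q2-nps-campaign", "user": "marketing@corp.example",
     "user_active": True, "last_used": "2025-04-02", "scopes": ["api", "full"]},
    {"id": "tok-003", "app": "survey-sync", "user": "former.employee@corp.example",
     "user_active": False, "last_used": "2025-07-30", "scopes": ["api"]},
    {"id": "tok-004", "app": "survey-sync", "user": "hr.ops@corp.example",
     "user_active": True, "last_used": None, "scopes": ["api", "refresh_token"]},
]


def audit_tokens(tokens, as_of, approved=APPROVED_APPS, stale_days=STALE_DAYS):
    """Return the tokens that should be revoked, each with its reasons.

    as_of is an ISO date string so the audit is reproducible against an
    export taken on a given day.
    """
    today = date.fromisoformat(as_of)
    cutoff = today - timedelta(days=stale_days)
    candidates = []
    for t in tokens:
        reasons = []
        last = date.fromisoformat(t["last_used"]) if t["last_used"] else None
        if last is None:
            reasons.append("never_used")            # issued, never exercised: pure attack surface
        elif last < cutoff:
            reasons.append(f"stale_{(today - last).days}d")
        if not t["user_active"]:
            reasons.append("owner_deactivated")     # token outlived the person who authorised it
        if t["app"] not in approved:
            reasons.append("app_not_in_inventory")  # shadow integration nobody signed off on
        if "full" in t["scopes"]:
            reasons.append("full_scope")            # broader than any CX integration needs
        if reasons:
            candidates.append({"id": t["id"], "app": t["app"],
                               "user": t["user"], "reasons": reasons})
    return candidates


if __name__ == "__main__":
    for c in audit_tokens(SAMPLE_TOKENS, "2025-09-01"):
        print(f'revoke {c["id"]} ({c["app"]}, {c["user"]}): {", ".join(c["reasons"])}')
```

Revocation itself is a platform-specific call and is deliberately left out; the value of the script is that it turns an undifferentiated token list into a short, justified revocation queue that the integration owners from the inventory can confirm or contest before anything is cut.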

Conclusion: How Can Organizations Protect Themselves?

The breach affecting 700 organizations through CX platforms serves as a stark reminder of the vulnerabilities within seemingly benign tools. Security leaders must prioritize the integrity of data flowing into AI engines and address the blind spots that could lead to significant breaches. By understanding the risks and taking proactive steps, organizations can better protect themselves against evolving threats in the digital landscape.
