InfoSec Bites

Salesforce/Salesloft Cyber Incident 2025: Identity and API Crisis Analysis

36 min, 9 January 2026

The discussion in this podcast provides an extensive post-mortem and strategic analysis of the 2025 Salesforce/Salesloft cyber incident, attributed to the threat actor UNC6395, which exposed a critical failure in SaaS supply chain security. The attack circumvented perimeter defenses by compromising the vendor’s infrastructure to steal pre-authorised OAuth tokens, granting the attackers persistent, legitimate API access to hundreds of customer environments, including major cybersecurity firms. The analysis explains that this identity-first attack vector was highly effective because it abused excessive privileges granted to the third-party application, allowing for rapid, high-volume data exfiltration via the Salesforce Bulk API. Consequently, it mandates a strategic shift toward rigorous API governance, granular token scoping, and continuous SaaS security posture management to mitigate widespread lateral movement risk and address the resulting regulatory and negligence lawsuit crisis.

InfoSec Bites with HelloInfoSec is available on several platforms. The information on this page comes from public podcast feeds.