Purism

The Salesforce–Salesloft Breach and the Case for Supply Chain Hygiene

On September 8th, Check Point Research confirmed what many of us in the privacy and security trenches have been warning about for years: the weakest link in your security posture may not be your systems at all — it may be the invisible web of third-party integrations you’ve tacitly approved, often without full visibility into their downstream dependencies.

The latest example? A supply chain breach involving Salesloft’s Drift integration to Salesforce. Threat actor UNC6395 exploited compromised OAuth tokens to access Salesforce CRM systems, siphoning off:

  • Contact details
  • Account records
  • Support case data
  • Authentication tokens and cloud secrets

Victims include some of the most security-conscious organizations in the world — Cloudflare, Zscaler, Palo Alto Networks, Workiva — and potentially over 700 organizations in total.

This wasn’t a brute-force attack on Salesforce itself. It was a precision strike through an approved integration — a trusted bridge that became a backdoor.

The Hygiene Problem in the Supply Chain

In physical supply chains, hygiene is about ensuring every supplier, transporter, and handler meets your quality and safety standards. In digital supply chains, hygiene is about knowing and controlling every integration, API, and token that touches your data.

The Salesforce–Salesloft incident is a textbook case of poor supply chain hygiene:

  • Overextended Trust – OAuth tokens granted broad, persistent access without granular controls or short lifespans.
  • Opaque Dependencies – Many customers didn’t even know their Salesforce data was accessible via Salesloft’s Drift integration.
  • Lack of Continuous Verification – Once an integration was approved, it was rarely re-audited for necessity, scope, or security posture.

Purism’s Take: The “Invisible Dependency” Trap

At Purism, we’ve been calling this out for years: when your data lives in someone else’s cloud, every integration you approve extends your attack surface — often without your users’ awareness or consent.

The danger isn’t just the primary vendor. It’s the vendor’s vendors, the SaaS tools they connect to, and the integrations those tools connect to in turn. Each hop is another potential breach vector.

Operationalizing Supply Chain Hygiene

If you’re serious about defending your organization — and your customers — from this class of attack, you need to treat supply chain hygiene as a continuous operational discipline, not a one-time procurement checklist.

Here’s a framework to follow:

  1. Inventory Every Integration
  • Maintain a live map of all third-party integrations, their scopes, and the data they can access.
  • Include indirect integrations — the “friends of friends” in your SaaS ecosystem.
  2. Apply Least Privilege to OAuth Tokens
  • Scope tokens to the minimum data and actions required.
  • Set short expiration windows and require re-authorization.
  3. Continuous Verification
  • Quarterly (or more frequent) audits of all integrations.
  • Remove unused or low-value connections immediately.
  4. Vendor-to-Vendor Risk Assessment
  • Don’t just vet your vendors — vet their vendors.
  • Require contractual obligations for breach notification and security posture transparency.
  5. User Awareness
  • Make invisible dependencies visible to your internal stakeholders.
  • Train teams to understand that “clicking approve” on an integration request is a security decision.
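The three hygiene failures named above (overextended trust, opaque dependencies, lack of continuous verification) and the five-step framework map directly onto checks that can be run against an integration inventory. The script below is an added example written for this post, not Purism's code and not Salesforce's or Salesloft's API: the inventory schema, the scope names, the vendor names and the policy thresholds are all constructed assumptions. Given a list of integrations with their scopes, token age, last use, last audit and the upstream vendors they forward data to, it reports which rows violate least privilege, carry unvetted fourth-party dependencies, or are overdue for review.

```python
"""Audit a third-party integration inventory for supply-chain hygiene gaps.

Added example, not Purism's code. The inventory format, scope names and
vendor names are constructed for illustration and are NOT Salesforce's or
Salesloft's real data model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Policy thresholds: assumptions chosen for this example, not vendor defaults.
MAX_TOKEN_LIFETIME = timedelta(days=30)   # re-authorize tokens older than this
MAX_IDLE = timedelta(days=90)             # integrations unused this long are removal candidates
AUDIT_INTERVAL = timedelta(days=90)       # the post's "quarterly (or more frequent)" audits
BROAD_SCOPES = {"api", "full", "refresh_token"}  # hypothetical broad scopes needing justification


@dataclass
class Integration:
    """One row of a (hypothetical) third-party integration inventory."""
    name: str
    vendor: str
    scopes: Set[str]
    token_issued: datetime
    last_used: Optional[datetime]
    last_audited: Optional[datetime]
    upstream: List[str] = field(default_factory=list)  # vendors this vendor forwards data to


def audit(inventory: List[Integration], approved_vendors: Set[str],
          now: datetime) -> Dict[str, List[str]]:
    """Map each integration name to its hygiene findings; clean rows are omitted."""
    findings: Dict[str, List[str]] = {}
    for item in inventory:
        hits: List[str] = []
        # Overextended trust: broad scopes and long-lived tokens.
        broad = item.scopes & BROAD_SCOPES
        if broad:
            hits.append(f"broad scopes {sorted(broad)}: scope to minimum required")
        if now - item.token_issued > MAX_TOKEN_LIFETIME:
            hits.append("token past max lifetime: rotate and require re-authorization")
        # Opaque dependencies: the vendor, and the vendor's vendors, nobody vetted.
        if item.vendor not in approved_vendors:
            hits.append("vendor not in approved inventory")
        unvetted = [v for v in item.upstream if v not in approved_vendors]
        if unvetted:
            hits.append(f"unvetted upstream vendors {unvetted}: extend risk assessment")
        # Lack of continuous verification: overdue audit, idle connection.
        if item.last_audited is None or now - item.last_audited > AUDIT_INTERVAL:
            hits.append("audit overdue: re-verify necessity and scope")
        if item.last_used is None or now - item.last_used > MAX_IDLE:
            hits.append("unused beyond idle limit: remove the connection")
        if hits:
            findings[item.name] = hits
    return findings


def report(findings: Dict[str, List[str]]) -> str:
    """Render findings as a plain-text list for stakeholders (framework step 5)."""
    lines = []
    for name, hits in sorted(findings.items()):
        lines.append(name)
        lines.extend(f"  - {h}" for h in hits)
    return "\n".join(lines) if lines else "no findings"


# Constructed sample inventory (hypothetical names and dates).
NOW = datetime(2025, 9, 8, tzinfo=timezone.utc)
APPROVED_VENDORS = {"chat-vendor-A", "billing-vendor-C", "survey-vendor-D"}
SAMPLE_INVENTORY = [
    Integration("crm-chatbot", "chat-vendor-A", {"api", "refresh_token"},
                token_issued=NOW - timedelta(days=400), last_used=NOW - timedelta(days=1),
                last_audited=None, upstream=["analytics-vendor-B"]),
    Integration("billing-sync", "billing-vendor-C", {"read:invoices"},
                token_issued=NOW - timedelta(days=10), last_used=NOW - timedelta(days=2),
                last_audited=NOW - timedelta(days=30)),
    Integration("old-survey-tool", "survey-vendor-D", {"read:contacts"},
                token_issued=NOW - timedelta(days=200), last_used=NOW - timedelta(days=180),
                last_audited=NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    print(report(audit(SAMPLE_INVENTORY, APPROVED_VENDORS, NOW)))
```

On the sample data the chatbot integration is flagged on four counts (broad scopes, an old token, an unvetted upstream vendor, and no audit on record) while the idle survey tool is flagged for removal; the narrowly scoped, recently audited billing sync passes. Feeding the script a real export requires only mapping your identity provider's or SaaS platform's connected-app listing onto the `Integration` fields; the thresholds are the policy decision each organization has to make.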

The Strategic Imperative

The Salesforce–Salesloft breach isn’t an anomaly — it’s a preview. As SaaS ecosystems grow denser and more interconnected, attackers will increasingly target the links rather than the nodes.

If you don’t have a supply chain hygiene program, you’re not just vulnerable — you’re already exposed.

The lesson is clear: Security isn’t just about defending your perimeter. It’s about defending every bridge you’ve built to someone else’s.

Purism Products and Availability Chart

Model                                    Status                                   Lead Time
Librem Key (Made in USA)                 In Stock ($59+)                          10 business days
Liberty Phone (Made in USA Electronics)  In Stock ($1,999+), 4GB/128GB            10 business days
Librem 5                                 In Stock ($799+), 3GB/32GB               10 business days
Librem 11                                In Stock ($999+), 8GB/1TB                10 business days
Librem 14                                Out of stock                             New Version in Development
Librem Mini                              Out of stock                             New Version in Development
Librem Server                            In Stock ($2,999+)                       45 business days
Librem PQC Encryptor                     Available Now, contact sales@puri.sm     90 business days
Librem PQC Comms Server                  Available Now, contact sales@puri.sm     90 business days

The current product and shipping chart of Purism products, updated on Aug 20th, 2025
