How attackers hit 700 organizations through CX platforms your SOC already approved
The rise of CX platforms has revolutionized the way businesses interact with customers, processing billions of unstructured interactions annually. From survey forms to social media feeds, these platforms utilize AI engines to trigger automated workflows that touch various systems within an organization, such as payroll, CRM, and payment systems. However, a crucial gap in security measures has been exposed, allowing attackers to exploit these platforms by poisoning the data they ingest.
The Salesloft/Drift breach in August 2025 highlighted the severity of this issue. Attackers compromised Salesloft’s GitHub environment, stole Drift chatbot OAuth tokens, and accessed Salesforce environments across more than 700 organizations, including major companies like Cloudflare, Palo Alto Networks, and Zscaler. Although no malware was deployed, the attackers were able to scan the stolen data for sensitive information like AWS keys, Snowflake tokens, and plaintext passwords.
This gap in security measures is more significant than many security leaders realize. Although 98% of organizations have a data loss prevention (DLP) program in place, only 6% have resources dedicated specifically to this issue. Additionally, the majority of interactive intrusions now use legitimate access rather than malware, with cloud intrusions seeing a 136% surge in the first half of 2025.
Assaf Keren, chief security officer at Qualtrics, emphasized the need to recognize experience management platforms as more than just survey tools. These platforms now have connections to critical systems like HRIS, CRM, and compensation engines, making them a prime target for cyber attacks.
VentureBeat conducted interviews with security leaders to identify six common blind spots between the security stack and the AI engine within CX platforms:
1. DLP cannot detect unstructured sentiment data leaving through standard API calls.
2. Zombie API tokens from finished campaigns remain active, posing a security risk.
3. Public input channels lack bot mitigation, allowing fraudulent data to reach the AI engine unchecked.
4. Compromised CX platforms can facilitate lateral movement through approved API calls.
5. Non-technical users often hold admin privileges that go unnoticed by security teams.
6. Open-text feedback containing sensitive information may bypass PII classification, putting data at risk.
These failures stem from a lack of SaaS security posture management for CX platforms, leaving a significant gap in monitoring user activity, permissions, and configurations within these systems. Security teams are beginning to address these vulnerabilities by extending existing tools and implementing new strategies to enhance security measures.
One proposed solution involves integrating posture management directly into the CX layer, providing continuous monitoring of user activity, configuration changes, and data access. This approach aims to provide security teams with the same level of coverage and protection for CX platforms as they currently have for other enterprise systems like Salesforce or ServiceNow.
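One check that continuous monitoring of this kind could run for blind spot 2 (zombie API tokens), shown as an added example that is not from the article or from any vendor. The inventory format, field names, scope naming and 14-day grace period are all assumptions, and the sample records are constructed.

```python
import json
from datetime import date, timedelta

# Constructed sample inventory; field names are assumptions, not a vendor export format.
SAMPLE_INVENTORY = json.loads("""
[
 {"token_id": "tok-001", "integration": "crm-sync", "campaign_end": "2025-03-31",
  "last_used": "2025-09-02", "scopes": ["crm:write"], "revoked": false},
 {"token_id": "tok-002", "integration": "survey-export", "campaign_end": "2025-05-15",
  "last_used": "2025-05-14", "scopes": ["responses:read"], "revoked": false},
 {"token_id": "tok-003", "integration": "hris-feed", "campaign_end": null,
  "last_used": "2025-09-09", "scopes": ["hris:read"], "revoked": false},
 {"token_id": "tok-004", "integration": "old-nps", "campaign_end": "2024-12-01",
  "last_used": "2024-11-30", "scopes": ["responses:read"], "revoked": true}
]
""")

GRACE = timedelta(days=14)  # assumed wind-down period after a campaign ends
SEVERITY_ORDER = ["high", "medium", "low"]


def audit_tokens(inventory, today):
    """Return findings for tokens still active after their campaign finished."""
    findings = []
    for tok in inventory:
        if tok["revoked"] or tok["campaign_end"] is None:
            continue  # already revoked, or tied to an ongoing integration
        ended = date.fromisoformat(tok["campaign_end"])
        if today - ended <= GRACE:
            continue  # still inside the wind-down window
        last_used = date.fromisoformat(tok["last_used"]) if tok["last_used"] else None
        used_after_end = last_used is not None and last_used > ended
        writes = any(s.endswith(":write") for s in tok["scopes"])
        # Use after campaign end is the strongest signal; write scope raises impact.
        severity = "high" if used_after_end else ("medium" if writes else "low")
        findings.append({
            "token_id": tok["token_id"],
            "integration": tok["integration"],
            "days_past_end": (today - ended).days,
            "used_after_end": used_after_end,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_INVENTORY, date(2025, 9, 10)):
        print(finding)
```

A token that is still being used after its campaign ended ranks highest because it is either an undocumented dependency or unauthorized use, and both need an owner to confirm before revocation.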
Ultimately, addressing these security gaps is crucial for protecting organizations from devastating breaches and ensuring that data-driven business decisions are based on accurate and secure information. By identifying and remedying these blind spots, businesses can strengthen their cybersecurity posture and safeguard against potential threats in the evolving digital landscape.


