it

How attackers hit 700 organizations through CX platforms your SOC already approved

Published: (February 19, 2026 at 03:30 PM EST)
6 min read
Source: VentureBeat

Source: VentureBeat

CX Platforms and the Hidden AI‑Engine Threat

CX platforms process billions of unstructured interactions a year—survey forms, review sites, social feeds, call‑center transcripts—all flowing into AI engines that trigger automated workflows touching payroll, CRM, and payment systems.

No tool in a security‑operation‑center leader’s stack inspects what a CX platform’s AI engine is ingesting, and attackers have figured this out. They poison the data feeding it, and the AI does the damage for them.

The Salesloft/Drift Breach (August 2025)

  • Attackers compromised Salesloft’s GitHub environment.
  • They stole Drift chatbot OAuth tokens and accessed Salesforce environments across 700+ organizations, including Cloudflare, Palo Alto Networks, and Zscaler.
  • The threat actors then scanned stolen data for AWS keys, Snowflake tokens, and plaintext passwords.
  • No malware was deployed.

Why This Gap Matters

  • 98 % of organizations have a data‑loss‑prevention (DLP) program, but only 6 % have dedicated resources (Proofpoint 2025 Voice of the CISO report, 1,600 CISOs, 16 countries).
  • 81 % of interactive intrusions now use legitimate access rather than malware (CrowdStrike 2025 Threat Hunting Report).
  • Cloud intrusions surged 136 % in the first half of 2025.

“Most security teams still classify experience‑management platforms as ‘survey tools,’ which sit in the same risk tier as a project‑management app,”
Assaf Keren, Chief Security Officer at Qualtrics and former CISO at PayPal, told VentureBeat in a recent interview.
“This is a massive miscategorization. These platforms now connect to HRIS, CRM, and compensation engines.”

Qualtrics alone processes 3.5 billion interactions annually, a figure the company says has doubled since 2023. Organizations can’t afford to skip steps on input integrity once AI enters the workflow.

Six Blind Spots Between the Security Stack and the AI Engine

  1. DLP cannot see unstructured sentiment data leaving through standard API calls

    • Most DLP policies classify structured PII (names, emails, payment data).
    • Open‑text CX responses contain salary complaints, health disclosures, and executive criticism—none match standard PII patterns.
    • When a third‑party AI tool pulls that data, the export looks like a routine API call, and the DLP never fires.

  2. Zombie API tokens from finished campaigns are still live

    • Example: A CX campaign ended six months ago, but the OAuth tokens connecting the CX platform to HRIS, CRM, and payment systems were never revoked.
    • Each token becomes a lateral‑movement path.
    • JPMorgan Chase CISO Patrick Opet flagged this risk in his April 2025 open letter, warning that SaaS integration models create “single‑factor explicit trust between systems” through tokens “inadequately secured … vulnerable to theft and reuse.”

  3. Public input channels have no bot mitigation before data reaches the AI engine

    • A web‑app firewall inspects HTTP payloads for a web application, but that coverage does not extend to a Trustpilot review, a Google Maps rating, or an open‑text survey response that a CX platform ingests as legitimate input.
    • Fraudulent sentiment flooding those channels is invisible to perimeter controls.
    • VentureBeat asked security leaders and vendors whether anyone covers input‑channel integrity for public‑facing data sources feeding CX AI engines; the category does not exist yet.

  4. Lateral movement from a compromised CX platform runs through approved API calls

    • “Adversaries aren’t breaking in, they’re logging in,” said Daniel Bernard, Chief Business Officer at CrowdStrike, in an exclusive interview.
    • “It’s a valid login. So from a third‑party ISV perspective, you have a sign‑in page, you have two‑factor authentication. What else do you want from us?”
    • The threat extends to human and non‑human identities alike. Bernard described the aftermath: “All of a sudden, terabytes of data are being exported out. It’s non‑standard usage. It’s going places where this user doesn’t go before.”
    • A SIEM sees the authentication succeed but does not see the behavioral shift. Without what Bernard calls software‑posture management covering CX platforms, the lateral movement runs through connections the security team already approved.

  5. Non‑technical users hold admin privileges nobody reviews

    • Marketing, HR, and customer‑success teams configure CX integrations because they need speed, but the SOC may never see them.
    • “Security has to be an enabler,” Keren says, “or teams route around it.”
    • Any organization that cannot produce a current inventory of every CX platform integration and the admin credentials behind them has shadow‑admin exposure.

  6. Open‑text feedback hits the database before PII gets masked

    • Employee surveys capture complaints about managers by name, salary grievances, and health disclosures.
    • Customer feedback can expose account details, purchase history, and service disputes.
    • None of this hits a structured PII classifier because it arrives as free text.
    • If a breach exposes it, attackers get unmasked personal information alongside the lateral‑movement path.

Nobody Owns This Gap

These six failures share a root cause: SaaS security‑posture management (SSPM) has matured for Salesforce, ServiceNow, and other enterprise platforms, but CX platforms never got the same treatment.

  • No one monitors user activity, permissions, or configurations inside an experience‑management platform.
  • Policy enforcement on AI workflows processing that data does not exist.
  • When bot‑driven input or anomalous data exports hit the CX application layer, nothing detects them.

Security teams are responding with what they have—some are extending SSPM tools to cover CX platform configurations and policies, but a dedicated, unified approach is still missing.

Missions

API security gateways offer another path, inspecting token scopes and data flows between CX platforms and downstream systems. Identity‑centric teams are applying CASB‑style access controls to CX admin accounts.

None of those approaches delivers what CX‑layer security actually requires:

  • Continuous monitoring of who is accessing experience data
  • Real‑time visibility into misconfigurations before they become lateral‑movement paths
  • Automated protection that enforces policy without waiting for a quarterly review cycle

The first integration purpose‑built for that gap

It connects posture management directly to the CX layer, giving security teams the same coverage over program activity, configurations, and data access that they already expect for Salesforce or ServiceNow.

  • CrowdStrike’s Falcon Shield + Qualtrics XM Platform = the pairing behind it
  • Security leaders quoted by VentureBeat said this is the control they have been building manually — and losing sleep over.

The blast radius security teams are not measuring

Most organizations have mapped the technical blast radius. “But not the business blast radius,” Keren said.

When an AI engine triggers a compensation adjustment based on poisoned data, the damage is not a security incident. It is a wrong business decision executed at machine speed. That gap sits between the CISO, the CIO, and the business‑unit owner. Today no one owns it.

“When we use data to make business decisions, that data must be right,” Keren said.

Action steps

  1. Run the audit – start with the zombie tokens.
  2. Recognize that Drift‑scale breaches begin there.
  3. Validate a 30‑day window. The AI will not wait.
0 views
#it #startups #ai
View source
Share:
Back to Blog

Related posts

Read more »