TL;DR: The Salesloft Drift breach used stolen OAuth tokens to access Salesforce environments belonging to more than 700 customers and extract sensitive data; Cloudflare alone reported 104 API tokens exposed, according to Silverfort's analysis. It shows that integration trust, not just perimeter security, has become the control plane that attackers target.
At a glance
What this is: This is a breach analysis of the Salesloft Drift incident, where stolen OAuth tokens enabled cross-vendor access into Salesforce environments and downstream data exposure.
Why it matters: It matters because IAM, NHI, and PAM teams need to govern delegated SaaS access as a living identity problem, not a one-time integration choice.
By the numbers:
- The tokens allowed Drift to query Salesforce instances on behalf of over 700 customers.
- Cloudflare disclosed that 104 API tokens and sensitive case data were compromised.
👉 Read Silverfort's analysis of the Salesloft Drift breach and cross-vendor token abuse
Context
The Salesloft Drift breach is best understood as a cross-vendor identity failure, not a conventional perimeter event. OAuth tokens gave a third-party integration trusted access to Salesforce environments, which meant the compromise of one delegated identity could cascade across multiple customer organisations.
For identity teams, the core issue is lifecycle and trust boundaries. When service-to-service access is granted through SaaS integrations, the organisation has to assume those credentials are live identities with scope, revocation, monitoring, and offboarding requirements, not passive connectors.
Key questions
Q: What fails when OAuth tokens are treated as harmless integration glue?
A: Governance fails because the token is a delegated identity with real authority, not a neutral connector. If teams do not track scope, ownership, expiry, and revocation, a partner compromise can become trusted access into customer data and hidden secrets. The control failure is lifecycle blindness, not just weak authentication.
Q: Why do cross-vendor integrations increase lateral movement risk?
A: Cross-vendor integrations extend trust across organisations, so one stolen credential can move an attacker through multiple systems without fresh compromise at each hop. The more data and secrets flow through the integration, the more likely that downstream environments inherit the blast radius. Security teams should assess these paths as access chains, not isolated apps.
Q: How should teams reduce risk from secrets hidden in SaaS data?
A: Teams should search business systems such as tickets, attachments, and chat exports for embedded credentials, then remove or rotate anything sensitive. Those repositories often contain cloud keys and tokens that attackers can reuse immediately after exfiltration. Detection without cleanup leaves the same access available to the next intruder.
Q: Who is accountable when a partner token is abused across multiple tenants?
A: Accountability is shared across the SaaS provider, the integration vendor, and the customer that approved the access, but each party owns different control points. The provider must support revocation and monitoring, the vendor must protect delegated credentials, and the customer must govern scope and lifecycle. That division only works when it is documented before an incident.
Technical breakdown
OAuth tokens as delegated non-human identities
OAuth tokens are delegated credentials that let one system act on behalf of another without reauthenticating each time. In this incident, the tokens granted Drift access to Salesforce data under customer-authorised trust, which is why abuse of the token chain mattered more than the initial integration itself. Once tokens are stolen, the attacker inherits the permissions attached to them, including any hidden data paths into tickets, attachments, or support records. That is why OAuth in SaaS ecosystems must be treated as identity infrastructure, not just application plumbing.
Practical implication: inventory all SaaS-issued tokens, their scopes, and their revocation paths before a partner compromise forces emergency action.
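As an added example (not code from Silverfort's analysis, Salesloft, or Salesforce), the check below audits a constructed inventory of delegated tokens for exactly the gaps this section names: no accountable owner, no expiry, no documented revocation path, over-broad scope, and staleness. The record layout, field names and sample entries are assumptions about how a team might keep such an inventory; the Salesforce revocation endpoint (`/services/oauth2/revoke`, token passed as the `token` form field) is the documented one, but the function only builds the request and never sends it, so the block runs offline.

```python
"""Lifecycle audit for delegated SaaS identities (added example; constructed inventory)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
from urllib.parse import urlencode

# Policy choices, not vendor facts: Salesforce's "full" scope grants every permission
# the authorising user has, so an integration holding it is over-scoped for almost any purpose.
BROAD_SCOPES = {"full"}
STALE_AFTER = timedelta(days=90)


@dataclass
class DelegatedToken:
    integration: str                # vendor holding the credential (assumed field layout)
    tenant: str                     # customer org the token can act in
    scopes: Set[str]                # OAuth scopes granted at authorisation
    owner: Optional[str]            # accountable team; None means nobody owns it
    last_used: Optional[datetime]   # from the provider's login/usage history
    expires: Optional[datetime]     # None means the refresh token lives until revoked
    revocation_path: Optional[str]  # documented kill-switch, e.g. "salesforce:/services/oauth2/revoke"


def audit(token: DelegatedToken, now: datetime) -> List[str]:
    """Return the lifecycle gaps for one token; an empty list means it is governed."""
    findings = []
    if token.owner is None:
        findings.append("no accountable owner")
    if token.expires is None:
        findings.append("no expiry: refresh token lives until revoked")
    if token.revocation_path is None:
        findings.append("no documented revocation path")
    broad = token.scopes & BROAD_SCOPES
    if broad:
        findings.append(f"broad scopes: {sorted(broad)}")
    if token.last_used is None or now - token.last_used > STALE_AFTER:
        findings.append(f"stale: unused for more than {STALE_AFTER.days} days")
    return findings


def report(inventory: List[DelegatedToken], now: datetime) -> Dict[str, List[str]]:
    """Audit every token and key the findings by integration@tenant."""
    return {f"{t.integration}@{t.tenant}": audit(t, now) for t in inventory}


def build_salesforce_revoke(token_value: str, login_host: str = "login.salesforce.com") -> Dict[str, object]:
    """Build, but do not send, the Salesforce OAuth revocation request.

    Salesforce accepts an access or refresh token in the `token` form field.
    Sandboxes use test.salesforce.com instead of login.salesforce.com.
    """
    return {
        "method": "POST",
        "url": f"https://{login_host}/services/oauth2/revoke",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": token_value}),
    }


# Constructed sample inventory: one ungoverned chat integration, one governed sync job.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
INVENTORY = [
    DelegatedToken("drift-chat", "acme-prod", {"full", "refresh_token"}, None,
                   NOW - timedelta(days=200), None, None),
    DelegatedToken("billing-sync", "acme-prod", {"api", "refresh_token"}, "fin-platform@acme.example",
                   NOW - timedelta(days=1), NOW + timedelta(days=60), "salesforce:/services/oauth2/revoke"),
]

if __name__ == "__main__":
    for name, gaps in report(INVENTORY, NOW).items():
        print(name, "->", gaps or ["governed"])
    print(build_salesforce_revoke("<refresh-token>")["url"])
```

The audit is deliberately rule-based so that each finding maps to one owner action (assign an owner, set an expiry, record the revocation path, narrow the scope, or remove the grant). Running it before an incident is what turns "revoke the partner's tokens" from a scramble into a lookup.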
Cross-vendor lateral movement through trusted integrations
Cross-vendor lateral movement happens when one compromised integration becomes a bridge into other systems that were never directly breached. The Salesloft chain moved from Drift to Salesforce to customer data and, in some cases, embedded secrets that could unlock further environments. This differs from a single-tenant breach because each hop expands trust rather than simply increasing scale. The attacker does not need to break every target individually; they need only one trusted path with enough privilege and enough data exposure to pivot onward.
Practical implication: review every third-party integration as a potential lateral movement path, not a standalone risk acceptance item.
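To make the access-chain view concrete, here is an added example (not Silverfort's or any vendor's code) that models delegated trust as a directed graph and computes the blast radius of one compromised identity, the shortest path from it to a downstream asset, and the single grant whose revocation shrinks the radius most. The edges and node names are constructed to mirror the chain described above (integration token, Salesforce orgs, case data, an embedded cloud key); they are assumptions, not a reconstruction of any real tenant.

```python
"""Delegated-trust graph and identity blast radius (added example; constructed edges)."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]  # (trusting side -> what that trust reaches)

# Constructed to mirror the chain described above. Node names are assumptions.
TRUST_EDGES: List[Edge] = [
    ("drift:oauth-refresh-token", "salesforce:customer-a"),
    ("drift:oauth-refresh-token", "salesforce:customer-b"),
    ("salesforce:customer-a", "data:customer-a/support-cases"),
    ("data:customer-a/support-cases", "secret:aws-access-key"),  # key pasted into a case
    ("secret:aws-access-key", "aws:account-111111111111"),
    ("salesforce:customer-b", "data:customer-b/contacts"),
    ("github:deploy-token", "github:customer-a/repos"),          # separate chain, unreachable from Drift
]


def adjacency(edges: List[Edge]) -> Dict[str, List[str]]:
    """Build an outgoing-edge map so every node, including leaves, has an entry."""
    adj: Dict[str, List[str]] = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def blast_radius(edges: List[Edge], compromised: str) -> Dict[str, int]:
    """Every node reachable from the compromised identity, mapped to its hop count (BFS)."""
    adj = adjacency(edges)
    depth = {compromised: 0}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth


def access_path(edges: List[Edge], compromised: str, target: str) -> Optional[List[str]]:
    """Shortest trust path from the compromised identity to a target, or None if unreachable."""
    adj = adjacency(edges)
    parent: Dict[str, Optional[str]] = {compromised: None}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def most_effective_revocation(edges: List[Edge], compromised: str) -> Tuple[Optional[Edge], int]:
    """The single trust edge whose revocation removes the most reachable nodes.

    Revoking one upstream grant can collapse a whole downstream chain, while
    revoking a leaf removes only itself; this is where a kill-switch should point.
    """
    baseline = len(blast_radius(edges, compromised))
    best: Optional[Edge] = None
    best_gain = 0
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        gain = baseline - len(blast_radius(remaining, compromised))
        if gain > best_gain:
            best, best_gain = edge, gain
    return best, best_gain


if __name__ == "__main__":
    start = "drift:oauth-refresh-token"
    for node, hops in sorted(blast_radius(TRUST_EDGES, start).items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {node}")
    print("path to cloud:", access_path(TRUST_EDGES, start, "aws:account-111111111111"))
    print("cut first:", most_effective_revocation(TRUST_EDGES, start))
```

In the constructed graph the cloud account sits four hops from the stolen token and is never directly breached, which is the point of the section: each hop is an existing trust relationship, so the reviewer's job is to enumerate edges, not to ask whether any single app is "trusted".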
Secret discovery inside business data and support systems
Support cases, attachments, and CRM records often contain operational secrets that teams never intended to store there. In this breach, attackers searched exported Salesforce data for AWS keys, Snowflake tokens, and other credentials, turning business records into credential discovery surfaces. That pattern matters because exfiltration is only the first phase. The real damage comes when business data contains reusable access material that can unlock cloud services, developer platforms, or additional SaaS estates.
Practical implication: scan CRM and support content for secrets and classify those repositories as credential-bearing systems.
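As an added example (not code from the page's source or from any product), the scanner below runs signature and keyword rules over a constructed Salesforce case export and returns redacted findings grouped for a rotation queue. The case records are fabricated; the AWS access key and secret are the placeholder pair AWS uses in its own documentation, not live credentials. `CaseNumber`, `Subject` and `Description` are standard Case field names, but the list-of-dicts export shape is an assumption. One caveat the rules make visible: Snowflake passwords and many vendor tokens have no fixed format, so they are only caught when they sit next to a keyword such as `password=`, which is why business data needs both pattern scanning and human review.

```python
"""Secret discovery over exported CRM/support records (added example; constructed data)."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Signature rules for credential formats with a stable shape, plus one keyword rule
# for secrets that have none (Snowflake passwords, arbitrary vendor API keys, etc.).
PATTERNS = {
    "aws_access_key_id":     re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\W{0,3}([A-Za-z0-9/+=]{40})"),
    "github_pat":            re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "slack_token":           re.compile(r"\b(xox[abprs]-[0-9A-Za-z-]{10,})\b"),
    "private_key":           re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
    "password_assignment":   re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\",;]{8,})"),
}
SEVERITY = {
    "aws_access_key_id": "critical", "aws_secret_access_key": "critical", "private_key": "critical",
    "github_pat": "high", "slack_token": "high", "password_assignment": "high",
}


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the record, never the whole secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_export(records: Iterable[Dict[str, str]], fields=("Subject", "Description")) -> List[Dict[str, str]]:
    """Run every rule over the chosen text fields of each record; return redacted findings."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({
                        "record": rec["CaseNumber"],
                        "field": field,
                        "kind": kind,
                        "severity": SEVERITY[kind],
                        "redacted": redact(match.group(1)),
                    })
    return findings


def summarise(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per secret kind; each kind maps to a different rotation procedure."""
    return dict(Counter(f["kind"] for f in findings))


# Constructed case export. All values are fabricated; the AWS pair is the placeholder
# pair from AWS's own documentation, not a live credential.
CASE_EXPORT = [
    {"CaseNumber": "00001001", "Subject": "S3 sync failing",
     "Description": "Engineer pasted the job creds: AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseNumber": "00001002", "Subject": "ETL login issue",
     "Description": "Snowflake acct acme.snowflakecomputing.com user=svc_etl password=Wint3r!Storm2025"},
    {"CaseNumber": "00001003", "Subject": "Alerting bot",
     "Description": "Bot token for alerts channel: xoxb-123456789012-ABCDEFGHIJKLMNOPQRSTUV"},
    {"CaseNumber": "00001004", "Subject": "Deploy key attached",
     "Description": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfabricatedbody\n-----END RSA PRIVATE KEY-----"},
    {"CaseNumber": "00001005", "Subject": "Chat widget slow",
     "Description": "Customer reports the chat widget loads slowly on the pricing page."},
]

if __name__ == "__main__":
    for f in scan_export(CASE_EXPORT):
        print(f)
    print(summarise(scan_export(CASE_EXPORT)))
```

Findings are redacted at the point of detection so the scanner's own output does not become another copy of the secret. The severity field is there because the follow-up differs by kind: a cloud key or private key needs rotation in the issuing platform and a review of what it could reach, while a pasted password needs the account owner to change it and the case text to be scrubbed.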
Threat narrative
Attacker objective: The attacker sought trusted, reusable access to customer Salesforce data and the secrets hidden inside it, then used that access to widen compromise across connected environments.
- Entry occurred through theft of OAuth refresh tokens tied to the Salesloft Drift integration with Salesforce, giving the attacker trusted access to customer environments.
- Escalation followed as the attacker exported contact data, case records, and embedded credentials from Salesforce instances belonging to more than 700 customers.
- Impact extended across organisations when stolen data exposed API tokens and additional secrets that could be used for wider cloud and SaaS compromise.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Tokens are identities, not technical glue. OAuth refresh tokens carry delegated authority and should be governed with the same lifecycle discipline as any other non-human identity. In the Salesloft Drift breach, the token was the trust boundary, not a side effect of the integration. The implication is that SaaS access must be designed around scope, expiry, monitoring, and revocation as first-class identity controls.
Vendor-to-vendor trust chains create identity blast radius that most programmes do not model. Each integration hop increases exposure because compromise at one point can propagate into downstream customer data, then into embedded secrets and other services. This is exactly the sort of chained access path that traditional third-party risk questionnaires miss. The practical conclusion is that integration risk has to be assessed as a path, not as a checkbox.
Cross-vendor lateral movement is the right named concept for this breach. The attack did not rely on brute force against every victim; it exploited trusted relationships already granted across SaaS ecosystems. That makes it a governance problem in shared access and lifecycle offboarding, not just an incident response problem. The field needs to treat cross-vendor identity propagation as a distinct threat pattern.
The 52 NHI Breaches Analysis report shows that credential abuse repeatedly follows the same pattern. When secrets, tokens, and certificates are granted broad trust and weak lifecycle control, attackers reuse them faster than organisations can detect them. That pattern maps directly to this breach and supports tighter governance of delegated access across SaaS and cloud estates.
OWASP Non-Human Identity Top 10 is the right control lens for delegated SaaS access. The relevant failure is not only token theft, but over-scoped, under-monitored identity grants that survive longer than their business purpose. Practitioners should use that lens to reassess partner integrations, secret handling, and revocation readiness across every connected system.
From our research:
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to The State of Secrets Sprawl 2026.
- DeepSeek alone generated 113,000 new exposed API keys in 2025, illustrating how quickly new AI ecosystems create credential exposure before governance catches up.
- For the broader control model, see 52 NHI Breaches Analysis for recurring breach patterns and lifecycle failure modes across non-human identities.
What this signals
Cross-vendor identity propagation is becoming the real control plane. The practical problem is no longer just whether a vendor is trusted, but how far that trust travels once OAuth, tickets, attachments, and downstream APIs are linked. Teams that map delegated access as a graph will find exposure faster than teams that still treat integrations as point-to-point relationships.
Service data is now credential-bearing infrastructure. CRM records and support cases can contain tokens, keys, and configuration snippets that turn ordinary business systems into identity repositories. That means data classification, secret scanning, and revocation workflow design need to converge rather than live in separate programmes.
With 64% of valid secrets leaked in 2022 still valid and exploitable today, according to The State of Secrets Sprawl 2026, any response model that stops at detection will miss the real exposure window. Security teams need to plan for cleanup, rotation, and partner notification as a single operating motion.
For practitioners
- Map every delegated SaaS identity: Inventory OAuth apps, refresh tokens, API keys, certificates, and service accounts that can read or write customer data. Record scope, owner, expiry, and the exact revocation path for each one.
- Build an integration kill-switch process: Pre-approve emergency revocation for partner tokens so security teams can disable access across tenants without waiting for a manual vendor workflow.
- Scan business systems for embedded secrets: Search CRM cases, attachments, chat exports, and support logs for cloud keys, tokens, and credentials, then route findings into secret rotation and incident handling.
- Reassess partner trust as a lifecycle control: Treat each third-party integration as a governed identity with onboarding, review, monitoring, and offboarding requirements, not a static business dependency.
Key takeaways
- The Salesloft Drift breach exposed a governance gap in delegated SaaS identities, not just a one-off integration compromise.
- Over 700 customers reached through a single delegated integration, and 104 API tokens compromised at Cloudflare alone, show how quickly cross-vendor trust can expand the blast radius.
- The control that matters most is lifecycle governance for delegated access, including scope, monitoring, secrets scanning, and fast revocation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 Vulnerable Third-Party NHI (with NHI-02 Secret Leakage and NHI-07 Long-Lived Secrets) | A compromised integration vendor's delegated tokens became the path into customer tenants; non-expiring refresh tokens and secrets stored in case data widened the blast radius. |
| NIST CSF 2.0 | PR.AA-05 (formerly PR.AC-4 in CSF 1.1) | Least-privilege access permissions, managed and reviewed, apply to third-party integrations as much as to users. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust (per-session, per-resource access under dynamic policy) | Trusted integration paths behaved like implicit trust routes, the opposite of per-request evaluation. |
Review delegated token scope and revoke stale access on a fixed lifecycle.
Key terms
- Delegated Credential: A delegated credential is an identity artifact that allows one system to act for another within a defined scope. In SaaS and API ecosystems, it behaves like a live identity because it carries permissions, revocation needs, and audit expectations that outlast a single request.
- Cross-vendor Lateral Movement: Cross-vendor lateral movement is attacker movement that crosses from one trusted provider or integration into another without starting over each time. The chain works because trust is already established between organisations, so compromise at one point can expand into multiple downstream environments.
- Secret-bearing Business Data: Secret-bearing business data is ordinary operational content that also contains credentials, tokens, keys, or configuration values. Support tickets, case notes, attachments, and chat exports often fall into this category, which makes data hygiene a direct identity security issue.
- Identity Blast Radius: Identity blast radius is the amount of access, data, and downstream systems that can be reached when a single identity is abused. For non-human identities, it is shaped by scope, token lifetime, connected apps, and whether revocation is fast enough to matter.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Silverfort covering the Salesloft Drift breach: how attackers abused OAuth tokens to move across connected SaaS environments. Read the original.
Published by the NHIMG editorial team on 2025-09-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org