Notifications
Clear all
Topic starter
25/06/2026 3:10 pm
TL;DR: UNC6395 stole Salesforce OAuth tokens tied to Drift, used them to impersonate a trusted integration, and exfiltrated data and embedded credentials from Salesforce records, according to Aembit and Google Threat Intelligence Group and Mandiant. The incident shows that long-lived tokens and secrets sprawl turn SaaS platforms into identity infrastructure without the governance to match.
NHIMG editorial — based on content published by Aembit covering the Salesforce and Drift OAuth token compromise: Salesforce data-theft attacks and NHI exposure through delegated access
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when a trusted SaaS integration is over-permissioned?
A: A trusted SaaS integration becomes an attacker’s shortcut when its OAuth token has broader access than the business process requires.
Q: Why do OAuth tokens create more risk than simple application passwords?
A: OAuth tokens often carry delegated authority across multiple objects and APIs, so they can expose far more than a single login.
Q: How do security teams know if secrets are being stored in the wrong place?
A: Look for credentials in records, attachments, ticket fields, code repositories, and integration logs.
Practitioner guidance
- Audit connected applications for standing OAuth privilege Inventory every SaaS-to-SaaS integration, identify the scopes each token can use, and map that access to a named owner and business purpose.
- Remove secrets from queryable business records Search CRM objects, notes, attachments, and custom fields for API keys, service passwords, and cloud tokens.
- Review OAuth lifecycle controls after every integration change Tie connected-app review to deployment, vendor changes, and scope expansion.
What's in the full article
Aembit's full analysis covers the operational detail this post intentionally leaves for the source:
- The specific Salesforce and Drift trust chain that enabled token abuse and downstream data access
- The immediate remediation steps for revoked tokens, query-log review, and connected-app scope reduction
- The broader argument for identity-aware mediation between SaaS platforms and their delegated credentials
- The related incident context that shows why this is a recurring NHI governance problem rather than a one-off event
👉 Read Aembit's analysis of the Salesforce and Drift OAuth token breach →
Salesforce and Drift token abuse: what IAM teams missed?
Explore further
25/06/2026 4:31 pm
Standing SaaS integration trust is now a non-human identity problem, not an application convenience issue. The attacker did not need to break Salesforce directly because the integration itself had been granted legitimate authority. That means the real control failure sits in delegated access design, scope governance, and lifecycle revocation, not in perimeter defence. Practitioners should treat every connected application as an identity with a defined lifecycle, not as a durable technical dependency.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who should own the risk when a SaaS integration is compromised?
A: Ownership should sit with the team that approved the integration and the business function that depends on it, not just with security operations. They must be able to answer who can revoke the token, how scope is reviewed, and when access expires. Without explicit ownership, connected-app risk becomes everyone’s problem and nobody’s responsibility.
👉 Read our full editorial: Salesforce and Drift token abuse exposes the NHI trust gap
