
Salesloft breach: what the OAuth token chain means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: The Salesloft Drift breach hit 700+ organisations through stolen OAuth tokens after attackers moved from GitHub into AWS and then into customer systems, exposing logs, integration trust, and static secret assumptions, according to Clutch Security. The breach shows that faster response cannot compensate for architecture built on reusable trust and standing credentials.

NHIMG editorial — based on content published by Clutch Security covering the Salesloft breach: Five Hard Truths About the Salesloft Breach That Nobody Wants to Discuss

By the numbers:

Questions worth separating out

Q: What breaks when OAuth tokens are reused across connected systems?

A: Reusable OAuth tokens turn one compromised identity into trusted access across multiple platforms, which lets attackers move from a single foothold to customer data exposure without breaking authentication.

Q: Why do NHI integrations increase breach blast radius?

A: NHI integrations increase blast radius because one account often connects repositories, cloud infrastructure, SaaS data, and customer-facing workflows.

Q: How do you know if your integration controls are actually working?

A: Look for evidence that tokens are bound to a narrow context, that logs are available during incidents, and that unexpected source locations are blocked rather than merely alerted on.

Practitioner guidance

  • Map every upstream integration path to its downstream blast radius: identify which GitHub, cloud, SaaS, and OAuth relationships can unlock production data or customer systems.
  • Restrict integration trust to known execution contexts: apply source IP, audience, and environment restrictions to non-human credentials so tokens cannot be replayed from arbitrary cloud hosts or Tor exit nodes.
  • Treat investigation access as a security control: ensure logs, audit trails, and event monitoring for third-party and non-human identities are available without commercial blockers during an incident.

What's in the full article

Clutch Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A breach timeline that traces the GitHub compromise into AWS and then into customer-facing OAuth abuse.
  • The remediation discussion around weekly credential rotation and external service review, including the limits of cleanup after compromise.
  • The argument for IP-based restrictions on Salesforce OAuth integrations and why that control would have blocked the observed attack path.
  • The article's own examples of how transparency, logging access, and assume-leak thinking change incident handling.

👉 Read Clutch Security's analysis of the Salesloft breach and OAuth token abuse →
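The "restrict integration trust to known execution contexts" guidance above, as an added example that is not from the original post or from Clutch Security: a Python policy check that hard-denies a token presented outside its bound audience, environment and source ranges instead of merely alerting. The integration name, audience URL, CIDR ranges and claim layout are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: each integration identity is bound to one audience,
# one deployment environment and the CIDR ranges its runtime actually uses.
# Names and values are hypothetical, not taken from any real integration.
POLICY = {
    "drift-salesforce-sync": {
        "audience": "https://salesforce.example/api",
        "environment": "prod",
        "allowed_cidrs": ["10.40.0.0/16", "203.0.113.0/24"],
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_token_use(claims: dict, source_ip: str, expected_audience: str) -> Decision:
    """Decide whether a presented token may be used in this request context.

    Signature and expiry are assumed to have been verified already; this
    function enforces the context binding: the audience the caller is
    hitting, the environment the token was minted for, and a source
    address inside the ranges the integration is known to run from.
    Any mismatch is a deny, so a replay from an unrelated host fails closed.
    """
    policy = POLICY.get(claims.get("sub"))
    if policy is None:
        return Decision(False, "unknown integration identity")
    if claims.get("aud") != expected_audience or expected_audience != policy["audience"]:
        return Decision(False, "audience mismatch: token presented to a different API")
    if claims.get("env") != policy["environment"]:
        return Decision(False, "environment mismatch")
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return Decision(False, "unparseable source address")
    if not any(ip in ipaddress.ip_network(cidr) for cidr in policy["allowed_cidrs"]):
        return Decision(False, f"source {source_ip} outside bound ranges")
    return Decision(True, "context bound")


# Constructed sample token: valid claims for the integration above.
TOKEN = {"sub": "drift-salesforce-sync", "aud": "https://salesforce.example/api", "env": "prod"}
```

Presenting `TOKEN` from `10.40.12.7` is allowed; the identical token from `198.51.100.9`, against another audience, or with a different `env` claim is denied with a reason string suitable for an audit log.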

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Architectural blindspots, not isolated mistakes, made this breach possible. The victim list included mature security organisations, which shows the control failure was systemic rather than tied to weak operational hygiene. This is the moment where NHI governance has to stop assuming that trusted integrations are inherently safe. The practitioner conclusion is that architectural trust boundaries, not just identity policy, need to be reviewed.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a third-party integration causes mass compromise?

A: Accountability sits with both the organisation that issued the trust and the teams that allowed the credential to outlive its intended purpose. In practice, security, platform, and application owners all need a revocation path, logging access, and a clear owner for each integration identity. The governance failure is shared, even if the attack lands through one vendor.

👉 Read our full editorial: Salesloft breach exposes the architecture problem in NHI governance
