Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Salesloft Drift OAuth breach: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Salesloft’s Drift AI chat integration was breached through stolen OAuth access and refresh tokens, letting attackers access Salesforce directly, harvest customer data, and uncover additional cloud secrets across hundreds of organisations, according to Token Security. The incident shows that machine identities with broad trust can bypass human-centric controls and turn one integration into many downstream compromises.

NHIMG editorial — based on content published by Token Security covering the Salesloft Drift OAuth breach: NHI exposure through delegated third-party access

Questions worth separating out

Q: How should security teams handle stolen OAuth tokens in SaaS environments?

A: Treat stolen OAuth tokens as compromised production identities, not just leaked secrets.

Q: Why do third-party integrations create more identity risk than human logins?

A: Third-party integrations often hold persistent, broad, and poorly observed access to sensitive systems.

Q: What breaks when OAuth scopes are too broad for a SaaS integration?

A: Broad scopes collapse the boundary between routine app activity and attacker-controlled access.

Practitioner guidance

  • Inventory every third-party OAuth integration Map which SaaS applications hold delegated access, who owns them, what scopes they carry, and which downstream datasets they can query or export.
  • Reduce token scope before the next review cycle Remove broad read and export permissions from integrations that do not need them, and separate operational access from reporting access where possible.
  • Baseline machine behaviour for high-value apps Define normal query volume, object traversal, and export patterns for each integration, then alert on unusual access to customer records or secrets.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of how the Drift integration was compromised and how the attacker moved through Salesforce.
  • Specific examples of the secrets and customer records exposed during the campaign.
  • Token Security's product-side visibility and remediation workflow for discovering compromised NHIs.
  • The vendor's explanation of how its NHI discovery and response model maps to this breach pattern.

👉 Read Token Security's analysis of the Salesloft Drift OAuth breach →

Salesloft Drift OAuth breach: what IAM teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Third-party OAuth trust is now an identity perimeter, not an integration detail: The Salesloft Drift breach shows that delegated access can become the real front door into SaaS data. Once a token is stolen, the platform still sees an authorised machine, which means traditional user-authentication controls are watching the wrong boundary. Practitioners should treat third-party OAuth trust as a governed identity surface, not a convenience layer.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • In the same research, only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which explains why delegated access keeps outrunning governance.

A question worth separating out:

Q: Who is accountable when a machine identity exposes customer data?

A: Accountability sits with the team that owns the integration, the platform team that granted the scope, and the security function that failed to govern the token lifecycle. For SaaS and cloud programmes, machine identities need explicit ownership, review, and revocation processes just like privileged human access.

👉 Read our full editorial: Salesloft Drift OAuth breach shows why NHI governance failed



   
ReplyQuote
Share: