TL;DR: Compromised Salesloft Drift OAuth tokens were used to access Salesforce and Gmail. WideField Security reports that the incident appears broader than the original Salesforce path, with activity tied to known-malicious IPs and downstream discovery of secrets stored in SaaS records. The breach shows that connected-app trust and token retention remain weak points in identity governance.
NHIMG editorial — based on content published by WideField Security covering the Salesloft Drift compromise and downstream OAuth token abuse
By the numbers:
- 700 Salesforce customers were potentially impacted, according to a Google Threat Intelligence Group analyst.
- The incident generated 191 suspicious log events across Gmail and Salesforce during the August 9 to 19 window.
- WideField observed 183 Gmail access events from one IP address tied to the compromised Drift Email activity.
Questions worth separating out
Q: What breaks when a third-party SaaS app token is compromised?
A: A compromised SaaS app token turns delegated access into attacker-controlled access, often without triggering normal login alarms.
Q: Why do connected apps increase identity risk in SaaS environments?
A: Connected apps extend trust beyond the user session and create durable non-human access paths through OAuth grants and refresh tokens.
Q: How can security teams know whether token revocation actually worked?
A: Teams should test whether old access paths fail, not just whether the app shows as disconnected.
Practitioner guidance
- Inventory every connected app grant: build a current register of all Drift and similar third-party app connections, including which users, tenants, and scopes each grant can still exercise.
- Revoke and verify token invalidation: revoke affected app connections and then test whether old access tokens, refresh tokens, and legacy app links truly fail.
- Search SaaS records for embedded secrets: query Salesforce and other SaaS platforms for API keys, VPN credentials, Snowflake tokens, and similar secrets stored in notes, cases, fields, or attachments.
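As an added illustration of the three steps above (not WideField's or NHIMG's code), the Python below keeps each OAuth grant as an identity object with its own scope and revocation state, probes old access and refresh tokens through an injected probe function rather than trusting the admin UI's "disconnected" status, and scans exported records for embedded secrets. The token strings, record shapes, probe backend and secret patterns are all constructed for the example; in production the probe would be a real API call with the old bearer token plus a refresh attempt at the token endpoint, and the patterns would be tuned to the organisation's own credential formats.

```python
# Added illustration (not WideField's or NHIMG's code): a connected-app grant
# register, a revocation check that probes old tokens, and a scan of SaaS
# records for embedded secrets. Token strings, record shapes, the probe
# backend and the secret patterns are constructed for the example.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Grant:
    """One OAuth grant, tracked as an identity object with its own state."""
    app: str                 # connected app, e.g. "Drift"
    tenant: str              # SaaS tenant / org the grant lives in
    user: str                # granting user or service identity
    scopes: List[str]
    access_token: str
    refresh_token: Optional[str]
    expires_at: datetime     # expiry the app reports for the access token
    revoked: bool = False    # what the admin UI shows after "disconnect"

    @property
    def gid(self) -> str:
        return f"{self.app}/{self.tenant}/{self.user}"


def inventory(grants: List[Grant], now: datetime) -> List[Dict[str, object]]:
    """Register of every grant: who, which scopes, and whether it still has a usable path."""
    return [{"grant": g.gid, "scopes": sorted(g.scopes), "revoked": g.revoked,
             "access_expired": g.expires_at <= now,
             "has_refresh": g.refresh_token is not None} for g in grants]


# Probe signature: (token, kind) -> HTTP status when the token is used.
# Injected so the example runs offline; in production this is a real API call
# with the old Bearer token, or a refresh attempt at the token endpoint.
Probe = Callable[[str, str], int]


def verify_revocation(grants: List[Grant], probe: Probe) -> Dict[str, List[str]]:
    """Test that old tokens actually fail. The reported expiry is ignored on
    purpose: it is a claim made by the app, the probe result is the evidence."""
    out: Dict[str, List[str]] = {"still_live": [], "confirmed_dead": [], "not_revoked": []}
    for g in grants:
        if not g.revoked:
            out["not_revoked"].append(g.gid)
            continue
        live = probe(g.access_token, "access") < 400
        if g.refresh_token is not None:
            live = live or probe(g.refresh_token, "refresh") < 400
        out["still_live" if live else "confirmed_dead"].append(g.gid)
    return out


# Heuristic patterns for secrets that end up in notes, cases and free-text fields.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # keyword = value, e.g. "snowflake api_key = ..." or "vpn password: ..."
    "keyword_assigned_secret": re.compile(
        r"(?i)\b(api[_ -]?key|token|password|passwd|secret)\b\s*[:=]\s*(\S{8,})"),
}


def scan_records(records: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Scan exported SaaS records (id, object, free-text fields) for secrets."""
    hits = []
    for rec in records:
        for fname, value in rec["fields"].items():
            if not isinstance(value, str):
                continue
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(value):
                    hits.append({"record": rec["id"], "object": rec["object"],
                                 "field": fname, "kind": kind,
                                 "preview": m.group(0)[:16] + "..."})  # never log the full value
    return hits


# ---- constructed sample data ----
NOW = datetime(2025, 8, 20, tzinfo=timezone.utc)
EXP = datetime(2025, 8, 19, tzinfo=timezone.utc)
GRANTS = [
    Grant("Drift", "acme", "alice@acme.example", ["api", "refresh_token"],
          "at-alice", "rt-alice", EXP, revoked=True),
    Grant("Drift", "acme", "bob@acme.example", ["api"], "at-bob", None, EXP, revoked=True),
    Grant("Drift Email", "acme", "mail-sync", ["gmail.readonly"],
          "at-mail", "rt-mail", EXP, revoked=False),
]
# Backend where the app was "disconnected" in the UI but one refresh token survived.
STILL_VALID = {"rt-alice"}


def fake_probe(token: str, kind: str) -> int:
    return 200 if token in STILL_VALID else 401


RECORDS = [
    {"id": "500-001", "object": "Case",
     "fields": {"Description": "Customer VPN setup. vpn password: Wint3r!2025 shared on call"}},
    {"id": "0Q0-002", "object": "Note",
     "fields": {"Body": "snowflake api_key = sfk_3f9a8b7c6d5e4f3a2b1c"}},
    {"id": "003-003", "object": "Contact",
     "fields": {"Description": "AKIAIOSFODNN7EXAMPLE used for the s3 sync"}},
    {"id": "001-004", "object": "Account", "fields": {"Description": "Renewal discussed"}},
]

if __name__ == "__main__":
    for row in inventory(GRANTS, NOW):
        print(row)
    print(verify_revocation(GRANTS, fake_probe))
    for h in scan_records(RECORDS):
        print(h)
```

Run as written, the revocation check reports alice's grant as still live because the surviving refresh token can still mint access, bob's as confirmed dead, and the Drift Email grant as never revoked; the scan flags the VPN password in the Case, the Snowflake key in the Note and the AWS key ID in the Contact. The point of the injected probe is that "the app shows as disconnected" and "every old token fails" are two different facts, and only the second one is the one you need.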
What's in the full article
WideField Security's full research covers the operational detail this post intentionally leaves for the source:
- The per-application impact breakdown across Drift-Salesforce and Drift Email-Gmail paths, including the specific log patterns used to validate compromise
- The incident response guidance for revoking connected app access and reauthorizing integrations in Salesforce and related systems
- The IOCs and malicious IP context that support threat hunting in SaaS activity logs
- The follow-on discussion of logging gaps, response workflow weaknesses, and why many organisations miss OAuth abuse until after data access occurs
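Hunting in SaaS activity logs for this kind of token abuse, as an added example that is not part of WideField's article or this editorial: it groups constructed Salesforce and Gmail events by source IP over the 9 to 19 August window and flags IPs that match a (constructed) IOC list, touch an unusual number of identities, or reach across both platforms from the same address. The event shape and IOC ranges are assumptions; real field names come from the platform exports (Salesforce LoginHistory or event logs, Google Workspace audit logs) and real indicators from the vendor advisory.

```python
# Added illustration (not WideField's or NHIMG's code): hunting for OAuth token
# abuse in SaaS activity logs. Events and IOC ranges are constructed; the
# event fields only loosely mirror Salesforce and Gmail audit exports.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed IOC list (documentation ranges); real IOCs come from the advisory.
IOC_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

Event = Tuple[str, str, str, str, str]  # (timestamp, platform, actor, source_ip, action)

# Constructed events. OAuth token use shows up as API activity, not interactive
# logins, so "API:*" actions are the ones worth watching.
EVENTS: List[Event] = [
    ("2025-08-08T23:59:00Z", "salesforce", "alice@acme.example", "203.0.113.44", "API:Bulk query Case"),
    ("2025-08-10T02:11:05Z", "gmail", "drift-email@acme.example", "203.0.113.44", "messages.list"),
    ("2025-08-10T02:11:09Z", "gmail", "drift-email@acme.example", "203.0.113.44", "messages.get"),
    ("2025-08-10T02:13:40Z", "salesforce", "drift-integration@acme.example", "203.0.113.44", "API:Bulk query Case"),
    ("2025-08-10T02:14:02Z", "salesforce", "drift-integration@acme.example", "203.0.113.44", "API:Bulk query Account"),
    ("2025-08-12T11:20:00Z", "salesforce", "bob@acme.example", "192.0.2.10", "API:query Contact"),
    ("2025-08-12T11:21:00Z", "salesforce", "carol@acme.example", "192.0.2.10", "API:query Contact"),
    ("2025-08-12T11:22:00Z", "salesforce", "dave@acme.example", "192.0.2.10", "API:query Contact"),
    ("2025-08-15T09:00:00Z", "gmail", "erin@acme.example", "198.51.100.7", "messages.list"),
    ("2025-08-18T16:45:00Z", "salesforce", "alice@acme.example", "10.0.0.5", "UI:login"),
]


def is_ioc(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in IOC_NETWORKS)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt(events: List[Event], window_start: str, window_end: str,
         fanout_threshold: int = 3) -> Dict[str, Dict[str, object]]:
    """Per-source-IP summary of in-window activity, returning only flagged IPs.

    Reasons: ioc_match (IP in the IOC list), actor_fanout (one IP exercising
    >= fanout_threshold distinct identities), cross_platform (same IP seen in
    both Gmail and Salesforce, i.e. both token paths in use)."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    per_ip = defaultdict(lambda: {"events": 0, "actors": set(), "platforms": set()})
    for ts, platform, actor, ip, _action in events:
        if not (start <= parse_ts(ts) <= end):
            continue  # outside the incident window
        s = per_ip[ip]
        s["events"] += 1
        s["actors"].add(actor)
        s["platforms"].add(platform)

    flagged: Dict[str, Dict[str, object]] = {}
    for ip, s in per_ip.items():
        reasons = []
        if is_ioc(ip):
            reasons.append("ioc_match")
        if len(s["actors"]) >= fanout_threshold:
            reasons.append("actor_fanout")
        if len(s["platforms"]) >= 2:
            reasons.append("cross_platform")
        if reasons:
            flagged[ip] = {"events": s["events"], "actors": sorted(s["actors"]),
                           "platforms": sorted(s["platforms"]), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for ip, summary in hunt(EVENTS, "2025-08-09T00:00:00Z", "2025-08-19T23:59:59Z").items():
        print(ip, summary)
```

The first event is deliberately one day before the window so the window filter is exercised. Of the four in-window source IPs, three are flagged: the IOC address that reaches both Gmail and Salesforce, the non-IOC address that drives three different identities in two minutes, and the single-event IOC match. The normal UI login from the internal address is not. The fan-out and cross-platform signals matter because, as the editorial notes, OAuth abuse does not trip ordinary login alarms; an IOC list alone will miss infrastructure the advisory did not know about.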
👉 Read WideField Security's analysis of the Salesloft Drift OAuth token compromise →
Salesloft Drift token compromise: what IAM teams need to do?
Explore further
Connected app consent is not a one-time trust decision: it is a standing identity relationship that can outlive the security assumptions made at approval time. In this incident, the token became the real subject of trust, not the user who granted access. That means third-party app governance has to be treated as an ongoing lifecycle control, not a procurement-time checkbox. Practitioners should treat every OAuth grant as an active identity object with expiry, scope, and revocation state.
A few things that frame the scale:
- 64% of the secrets leaked in 2022 that were valid at the time are still valid and exploitable today, according to The State of Secrets Sprawl 2026.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
A question worth separating out:
Q: Who is accountable when a third-party integration breach spreads across SaaS systems?
A: Accountability sits with the organisation that approved the integration, the team that owns the data exposed through it, and the vendors that provide the connected-app controls. Frameworks such as the OWASP Non-Human Identity Top 10 and the NIST CSF support shared governance, but the security team still needs an owned revocation and review process.
👉 Read our full editorial: Salesloft Drift compromise exposes OAuth token risk across apps