Salesloft Drift token exposure: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Compromised OAuth tokens in Salesloft Drift gave attackers unauthorized access to connected apps, including Salesforce, and reports said they searched those environments for embedded secrets and credentials, according to Cyera. The incident shows that integration trust, not just login security, now defines the real blast radius for NHI governance.

NHIMG editorial — based on content published by Cyera covering the Salesloft Drift exposure: Lessons from the Salesloft Drift Exposure

Questions worth separating out

Q: What breaks when OAuth tokens are compromised in connected SaaS environments?

A: When OAuth tokens are compromised, attackers can inherit delegated access without defeating passwords or MFA.

Q: Why do third-party integrations increase the risk of secret exposure?

A: Third-party integrations increase risk because they often move data across systems that were never designed as credential stores.

Q: How should security teams reduce blast radius in SaaS integration chains?

A: Security teams should reduce blast radius by scoping every integration tightly, removing unused apps, and mapping where sensitive data flows after the initial connection.

Practitioner guidance

  • Audit every OAuth-connected integration: Inventory all third-party apps connected to core SaaS platforms, document the scopes they hold, and remove any integration that no longer has a business owner or current use case.
  • Scan SaaS records for embedded secrets: Search Salesforce objects, notes, attachments, and similar records for API keys, tokens, and credentials, then remove and rotate any exposed material before it can be reused.
  • Shorten integration privilege windows: Apply least privilege to OAuth scopes, enforce periodic recertification, and rotate or revoke tokens when business context changes rather than leaving long-lived access in place.

What's in the full article

Cyera's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on identifying secrets inside Salesforce data objects and similar SaaS records.
  • Operational detail on how Cyera maps third-party app access across connected environments.
  • Examples of how to reduce over-permissive sharing and clean up exposed credentials.
  • Cyera's product-specific visibility workflow for responding to integration-driven exposure.

👉 Read Cyera's analysis of the Salesloft Drift OAuth token exposure →

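As an added illustration of the practitioner guidance in the post above (example code, not Cyera's or NHIMG's own), the Python sketch below scans constructed Salesforce-style records for credential-shaped strings and flags constructed OAuth-connected apps that lack an owner, have gone idle, or hold broad scopes. The record contents, app inventory, audit date and secret patterns are all constructed assumptions for the example; findings keep only a redacted preview so the scanner itself does not become another credential store.

```python
import re
from datetime import date

# Constructed, Salesforce-like records (ids and values are made up for this example).
SAMPLE_RECORDS = [
    {"id": "CASE-0001", "object": "Case", "field": "Description", "text": "Customer sent api_key=sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0 for setup"},
    {"id": "NOTE-0002", "object": "Note", "field": "Body", "text": "Call summary: renewal discussed, no blockers."},
    {"id": "ATT-0003", "object": "Attachment", "field": "Body", "text": "export creds: AKIAABCDEFGHIJKLMNOP and Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"},
]
# Constructed inventory of OAuth-connected apps and a constructed audit date.
SAMPLE_APPS = [
    {"name": "chat-widget", "scopes": ["api", "refresh_token"], "owner": None, "last_used": date(2025, 3, 1)},
    {"name": "billing-sync", "scopes": ["read:invoices"], "owner": "finance", "last_used": date(2025, 8, 20)},
]
AUDIT_DATE = date(2025, 9, 1)

# Credential-shaped patterns; the prefixes are illustrative, not a vendor-exact list.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([a-z0-9._-]{20,})"),
    "assigned_secret": re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([a-z0-9._-]{16,})"),
}
BROAD_SCOPES = {"api", "full", "refresh_token"}  # scopes that grant far more than one workflow needs


def scan_records(records):
    """Return findings for credential-shaped strings; only a 4-character redacted preview is kept."""
    findings = []
    for rec in records:
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(rec["text"]):
                value = m.group(m.lastindex or 0)  # captured secret if the pattern has a group, else whole match
                findings.append({"record": rec["id"], "object": rec["object"], "field": rec["field"],
                                 "kind": kind, "preview": value[:4] + "..."})
    return findings


def audit_integrations(apps, today, max_idle_days=90):
    """Flag connected apps with no owner, no recent use, or broad scopes for recertification or removal."""
    flagged = []
    for app in apps:
        reasons = []
        if not app["owner"]:
            reasons.append("no business owner")
        if (today - app["last_used"]).days > max_idle_days:
            reasons.append("idle > %d days" % max_idle_days)
        broad = BROAD_SCOPES.intersection(app["scopes"])
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if reasons:
            flagged.append({"name": app["name"], "reasons": reasons})
    return flagged
```

Each flagged app and each finding is a rotation or recertification ticket; the record ids tell the owner where to clean up, and the preview is enough to confirm the hit without re-exposing the value.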
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Integration trust is now an identity governance boundary, not a convenience layer. OAuth tokens were designed for delegated access, but this incident shows that the real risk sits in the trust relationship between applications. Once tokens can move across connected SaaS systems, identity governance has to account for where access can travel, not just where it was granted. Practitioners should treat integrations as first-class identity subjects in governance reviews.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, leaving integration governance materially incomplete.

A question worth separating out:

Q: Who is accountable when a third-party SaaS integration exposes customer data?

A: Accountability usually remains with the organisation that granted the access, even when the technical failure originates in a third-party integration. Governance teams must own recertification, offboarding, and scope review for connected apps, because the business retains the risk of exposed data and reused credentials. Frameworks such as NIST CSF and zero-trust governance both assume that delegated access is continuously managed.

👉 Read our full editorial: Salesloft Drift exposure shows OAuth tokens can widen SaaS blast radius
