Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Salesloft Drift token misuse: what IAM teams need to reassess


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Misused OAuth tokens linked to the Salesloft Drift integration enabled unauthorized access to Salesforce data between August 8 and 18, 2025, affecting hundreds of customers, according to Omada Identity. The incident shows how third-party OAuth exposure can outpace visibility, offboarding, and trust controls for NHI governance.

NHIMG editorial — based on content published by Omada Identity covering the Salesloft Drift OAuth token incident: an update on third-party access exposure through Salesforce-connected data

By the numbers:

Questions worth separating out

Q: What breaks when third-party OAuth tokens are not tightly governed?

A: Delegated access turns into standing access that outlives the business need, the approval owner, and sometimes the vendor relationship itself.

Q: Why do third-party SaaS integrations increase identity risk in CRM environments?

A: They connect external applications directly to customer data, making the integration itself part of the identity attack surface.

Q: How can security teams know whether OAuth-connected applications are actually under control?

A: They should be able to name every integration owner, every granted scope, every active token, and every revocation trigger.

Practitioner guidance

  • Inventory every third-party OAuth grant Build a live register of connected applications, owners, scopes, last review date, and revocation path for every Salesforce-linked integration and other SaaS connector.
  • Shorten integration offboarding cycles Require immediate removal of integrations that are no longer needed, especially when vendor relationships change or the business owner cannot justify the access.
  • Restrict OAuth scopes to the minimum data set Audit every connector for overbroad read and write permissions, then narrow scopes to the smallest practical set of objects and API actions.

What's in the full article

Omada Identity's full update covers the operational details this post intentionally leaves for the source:

  • The incident timeline for the Salesloft Drift OAuth misuse and how Omada verified the exposure scope.
  • The specific customer data categories reviewed during the investigation and how the company determined the platform was not impacted.
  • The response actions taken after notification, including integration removal, API disabling, and internal investigation steps.
  • The customer guidance language issued by Omada for validating inbound communications and protecting credentials.

👉 Read Omada Identity's update on the Salesloft Drift OAuth token incident →

Salesloft Drift token misuse: what IAM teams need to reassess?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Third-party OAuth access is an identity problem, not a tooling problem. This incident shows how external application trust can create a standing access path even when the primary platform remains uncompromised. The governance failure sits in delegated access approval, scope ownership, and revocation discipline. Practitioners should treat every third-party integration as an identity with its own lifecycle, not as a one-time technical dependency.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 20% have formal processes for offboarding and revoking API keys, which is why delegated access often persists after business use ends.

A question worth separating out:

Q: Who is accountable when a third-party integration exposes customer data?

A: Accountability sits with the organisation that approved and retained the integration, even if the technical fault lies with a vendor app. Frameworks such as OWASP Non-Human Identity Top 10 and Zero Trust both point toward explicit ownership, bounded access, and fast revocation for delegated identities.

👉 Read our full editorial: Salesloft Drift token misuse exposes Salesforce NHI governance gaps



   
ReplyQuote
Share: