Salesloft Drift token misuse: what IAM teams need to reassess


(@nhi-mgmt-group)
Member Moderator

TL;DR: Misused OAuth tokens linked to the Salesloft Drift integration enabled unauthorized access to Salesforce data between August 8 and 18, 2025, affecting hundreds of customers, according to Omada Identity. The incident shows how third-party OAuth exposure can outpace visibility, offboarding, and trust controls for NHI governance.

NHIMG editorial — based on content published by Omada Identity covering the Salesloft Drift OAuth token incident: an update on third-party access exposure through Salesforce-connected data

By the numbers:

Questions worth separating out

Q: What breaks when third-party OAuth tokens are not tightly governed?

A: Delegated access turns into standing access that outlives the business need, the approval owner, and sometimes the vendor relationship itself.

Q: Why do third-party SaaS integrations increase identity risk in CRM environments?

A: They connect external applications directly to customer data, making the integration itself part of the identity attack surface.

Q: How can security teams know whether OAuth-connected applications are actually under control?

A: They should be able to name every integration owner, every granted scope, every active token, and every revocation trigger.

Practitioner guidance

  • Inventory every third-party OAuth grant: build a live register of connected applications, owners, scopes, last review date, and revocation path for every Salesforce-linked integration and other SaaS connector.
  • Shorten integration offboarding cycles: require immediate removal of integrations that are no longer needed, especially when vendor relationships change or the business owner cannot justify the access.
  • Restrict OAuth scopes to the minimum data set: audit every connector for overbroad read and write permissions, then narrow scopes to the smallest practical set of objects and API actions.
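As an added illustration of the register and the three checks above (this is example code written for this post, not Omada Identity's tooling or anything from the source update), the Python below models one row per connected application with the fields the guidance names, then audits each row for the gaps the Q&A section lists: no named owner, an overbroad scope, a lapsed review, and no documented revocation path. The record layout, the 90-day re-attestation interval, the scope policy list, and the sample rows are all assumptions made for the example; in a real deployment the rows would be populated from your CRM's connected-app and OAuth token reports.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Hypothetical policy values for this example, not figures from the post.
REVIEW_INTERVAL = timedelta(days=90)   # re-attest every grant at least this often
OVERBROAD_SCOPES = {"full"}            # scopes a narrow connector should never hold
AS_OF = date(2025, 8, 20)              # audit date used by the sample run below


@dataclass(frozen=True)
class OAuthGrant:
    app: str                          # connected application name
    owner: Optional[str]              # accountable business owner, None if unclaimed
    scopes: FrozenSet[str]            # granted OAuth scopes
    active_tokens: int                # live access/refresh tokens issued to the app
    last_review: Optional[date]       # last re-attestation, None if never reviewed
    revocation_path: Optional[str]    # documented revocation step, None if absent


def _review_lapsed(grant: OAuthGrant, today: date) -> bool:
    return grant.last_review is None or today - grant.last_review > REVIEW_INTERVAL


def audit_grant(grant: OAuthGrant, today: date) -> List[str]:
    """Return the control gaps for one grant as short finding codes."""
    findings = []
    if grant.owner is None:
        findings.append("missing_owner")
    if grant.scopes & OVERBROAD_SCOPES:
        findings.append("overbroad_scope")
    if _review_lapsed(grant, today):
        findings.append("stale_review")
    if grant.revocation_path is None:
        findings.append("no_revocation_path")
    return findings


def audit_register(register: List[OAuthGrant], today: date) -> Dict[str, List[str]]:
    """Map each app with at least one gap to its findings; clean apps are omitted."""
    report = {}
    for grant in register:
        findings = audit_grant(grant, today)
        if findings:
            report[grant.app] = findings
    return report


def offboarding_candidates(register: List[OAuthGrant], today: date) -> List[str]:
    """Apps still holding live tokens with nobody able to justify them: no owner,
    or no current review. These are the standing-access cases to remove first."""
    return sorted(
        grant.app
        for grant in register
        if grant.active_tokens > 0 and (grant.owner is None or _review_lapsed(grant, today))
    )


# Constructed sample register; names and values are invented for the example.
SAMPLE_REGISTER = [
    OAuthGrant("support-chatbot", "sales-ops", frozenset({"api", "refresh_token"}),
               3, date(2025, 7, 20), "Block the connected app in Setup"),
    OAuthGrant("legacy-enrichment", None, frozenset({"full", "refresh_token"}),
               2, date(2024, 11, 2), None),
    OAuthGrant("bi-export", "analytics", frozenset({"api"}),
               1, None, "Revoke tokens from the OAuth usage page"),
]

if __name__ == "__main__":
    for app, findings in audit_register(SAMPLE_REGISTER, AS_OF).items():
        print(f"{app}: {', '.join(findings)}")
    print("offboard now:", offboarding_candidates(SAMPLE_REGISTER, AS_OF))
```

Run as-is, the sample flags the unowned connector with the `full` scope on every check and lists it, together with the never-reviewed export app, as an immediate offboarding candidate, while the owned, recently reviewed, narrowly scoped app produces no findings. The point of keeping the register as structured rows is that each field maps to one of the questions a team must be able to answer: who owns it, what it can reach, whether it still has live tokens, and how it gets revoked.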

What's in the full article

Omada Identity's full update covers the operational details this post intentionally leaves for the source:

  • The incident timeline for the Salesloft Drift OAuth misuse and how Omada verified the exposure scope.
  • The specific customer data categories reviewed during the investigation and how the company determined the platform was not impacted.
  • The response actions taken after notification, including integration removal, API disabling, and internal investigation steps.
  • The customer guidance language issued by Omada for validating inbound communications and protecting credentials.

👉 Read Omada Identity's update on the Salesloft Drift OAuth token incident →
