TL;DR: Attackers used stolen OAuth tokens from the Salesloft Drift integration to access Salesforce customer instances and hunt for credentials across connected services, including AWS, Snowflake, Slack, Azure, Google Workspace, and OpenAI, according to Defakto Security. The incident shows that long-lived secrets act as toxic data and that rotation alone cannot repair the broken trust model behind non-human identity governance.
NHIMG editorial — based on content published by Defakto Security: Real-World Lessons From OAuth Tokens to API Keys, the toxic data behind the Salesloft Drift and Salesforce breach
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
Questions worth separating out
Q: What breaks when a third-party OAuth integration is compromised?
A: When a third-party OAuth integration is compromised, the attacker inherits the delegated permissions already granted to that connector and can move through whichever services trust it.
Q: Why do long-lived API keys and tokens create so much risk?
A: Long-lived API keys and tokens create risk because they persist across logs, tickets, chats, and automation pipelines long after the original use case ends.
Q: How do security teams know whether secret rotation is actually reducing exposure?
A: Rotation is working only if exposure shrinks in both lifetime and reach.
Practitioner guidance
- Inventory every third-party OAuth grant Build a complete register of integrations, the scopes they hold, and the business owner responsible for each grant.
- Shorten credential lifetime by design Replace persistent API keys and long-lived OAuth secrets with short-lived identities where the platform supports it.
- Track secret sprawl outside code Extend discovery to Slack, Jira, Confluence, support tickets, and logs because those are common places where secrets are copied and later reused.
What's in the full article
Defakto Security's full analysis covers the operational detail this post intentionally leaves for the source:
- How the Salesloft Drift token path mapped into Salesforce customer access and what was exposed at each stage.
- The supplier-side and customer-side containment steps required after token theft spreads across multiple SaaS services.
- Why API keys, passwords, and OAuth tokens behave as toxic data when they are copied into collaboration and automation tooling.
- What a shift to short-lived, scoped identities would change in real integration workflows.
👉 Read Defakto Security's analysis of the Salesloft Drift token theft and Salesforce exposure →
Salesloft Drift token theft: what it means for SaaS trust models?
Explore further
Toxic data is the right name for long-lived secrets. Credentials are not inert configuration objects. Once they are copied into tickets, logs, chats, and automation pipelines, they become persistent trust artefacts that can outlive the business purpose that created them. The Salesloft Drift incident shows that the real breach surface is not the application alone but the distributed secret ecosystem around it. Practitioners should treat secret persistence as an exposure problem, not a housekeeping problem.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks, according to The State of Secrets Sprawl 2026.
A question worth separating out:
Q: Who is accountable when a supplier integration exposes customer credentials?
A: Accountability sits with both the supplier that issued or stored the compromised secret and the customer that trusted the integration without a clear lifecycle model. Governance frameworks should define ownership for scope, revocation, and downstream impact before the next incident. Otherwise, response becomes a scramble after the fact.
👉 Read our full editorial: Salesloft Drift token theft exposes the toxic data model in SaaS