TL;DR: Attackers used stolen OAuth tokens from the Salesloft Drift integration to access Salesforce customer instances and hunt for credentials across connected services, including AWS, Snowflake, Slack, Azure, Google Workspace, and OpenAI, according to Defakto Security. The incident shows that long-lived secrets act as toxic data and that rotation alone cannot repair the broken trust model behind non-human identity governance.
NHIMG editorial — based on content published by Defakto Security: Real-World Lessons From OAuth Tokens to API Keys, the toxic data behind the Salesloft Drift and Salesforce breach
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
Questions worth separating out
Q: What breaks when a third-party OAuth integration is compromised?
A: When a third-party OAuth integration is compromised, the attacker inherits the delegated permissions already granted to that connector and can move through whichever services trust it.
Q: Why do long-lived API keys and tokens create so much risk?
A: Long-lived API keys and tokens create risk because they persist across logs, tickets, chats, and automation pipelines long after the original use case ends.
Q: How do security teams know whether secret rotation is actually reducing exposure?
A: Rotation is working only if exposure shrinks on both axes: lifetime (how long a given secret remains valid) and reach (how many systems, tools, and copies a single secret can be used from). Rotating a key that is still copied into logs, tickets, and chats shortens neither.
Practitioner guidance
- Inventory every third-party OAuth grant: build a complete register of integrations, the scopes they hold, and the business owner responsible for each grant.
- Shorten credential lifetime by design: replace persistent API keys and long-lived OAuth secrets with short-lived identities where the platform supports it.
- Track secret sprawl outside code: extend discovery to Slack, Jira, Confluence, support tickets, and logs, because those are common places where secrets are copied and later reused.
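As an added example (not code from the Defakto Security article or this editorial), the script below scores secrets found across constructed repo, Slack, Jira, and Confluence exports on the two axes the Q&A above names, lifetime and reach, which is what the guidance on tracking sprawl outside code would feed into. The credential patterns are the publicly documented formats of a few providers, and the sample records, the 90-day lifetime threshold, and the reach threshold are assumptions.

```python
"""Secret-sprawl triage over constructed collaboration-tool exports.

Added illustration: detect credential-shaped strings outside code, then
score each unique secret by lifetime (days since first seen) and reach
(distinct locations it appears in). Sample data and policy are assumptions.
"""
import re
from collections import defaultdict
from datetime import date

# Publicly documented credential formats; illustrative, not exhaustive.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[bpa]-[0-9A-Za-z-]{10,}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}

# Constructed export records: (location, date first seen, text). Not real data;
# the AWS value is AWS's own documentation placeholder key.
RECORDS = [
    ("github:repo/app", date(2022, 3, 1), "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    ("slack:#ops", date(2023, 9, 12), "use AKIAIOSFODNN7EXAMPLE for the snowflake loader"),
    ("jira:OPS-123", date(2024, 1, 5), "key is AKIAIOSFODNN7EXAMPLE, see runbook"),
    ("slack:#eng", date(2025, 6, 20), "bot token xoxb-0000000000-constructedexample"),
    ("confluence:runbook", date(2025, 8, 2), "openai key sk-constructedexamplekey0000000000"),
]
TODAY = date(2025, 9, 1)  # fixed reference date so results are reproducible


def find_secrets(text):
    """Return (kind, value) pairs for every credential-shaped string in text."""
    return [(k, m.group(0)) for k, rx in SECRET_PATTERNS.items() for m in rx.finditer(text)]


def score_exposure(records, today, max_lifetime_days=90, max_reach=1):
    """Aggregate lifetime and reach per secret; flag those exceeding policy."""
    first_seen, kinds, locations = {}, {}, defaultdict(set)
    for location, seen, text in records:
        for kind, value in find_secrets(text):
            kinds[value] = kind
            first_seen[value] = min(first_seen.get(value, seen), seen)
            locations[value].add(location)
    report = {}
    for value, seen in first_seen.items():
        lifetime, reach = (today - seen).days, len(locations[value])
        report[value] = {"kind": kinds[value], "lifetime_days": lifetime, "reach": reach,
                         "locations": sorted(locations[value]),
                         "over_policy": lifetime > max_lifetime_days or reach > max_reach}
    return report


def triage():
    """Run the scoring over the constructed records with the fixed reference date."""
    return score_exposure(RECORDS, TODAY)
```

A secret that is both old and present in several tools, like the AWS key above, is the "toxic data" case: rotating it without also purging the copies in Slack and Jira shrinks lifetime but leaves reach untouched.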
What's in the full article
Defakto Security's full analysis covers the operational detail this post intentionally leaves for the source:
- How the Salesloft Drift token path mapped into Salesforce customer access and what was exposed at each stage.
- The supplier-side and customer-side containment steps required after token theft spreads across multiple SaaS services.
- Why API keys, passwords, and OAuth tokens behave as toxic data when they are copied into collaboration and automation tooling.
- What a shift to short-lived, scoped identities would change in real integration workflows.
Read Defakto Security's analysis of the Salesloft Drift token theft and Salesforce exposure.