TL;DR: About 700 Salesloft Drift customers are confirmed to have had OAuth tokens or other access credentials stolen, while Google said a very small amount of Workspace tokens were taken and multiple cybersecurity firms reported downstream compromise, according to Swarmnetics. The incident shows how delegated access, support-ticket content, and integration sprawl can turn one exposed NHI path into broader identity risk.
NHIMG editorial — based on content published by Swarmnetics covering the Salesloft Drift OAuth token theft and downstream compromise
By the numbers:
- Thus far about 700 Salesloft Drift customers are confirmed to have had OAuth tokens or some other access credential stolen in the attack.
- The exact total number of Drift clients is not made public, but thought to be at least 5,000 based on prior Salesloft marketing statements.
Questions worth separating out
Q: What breaks when OAuth tokens are compromised in connected SaaS environments?
A: When OAuth tokens are compromised, attackers can inherit delegated access without defeating passwords or MFA.
Q: Why do OAuth-connected support tools create elevated NHI risk?
A: They concentrate operational secrets in places designed for troubleshooting, not identity governance.
Q: How do teams know whether OAuth token governance is actually working?
A: Look for short token lifetimes, tested revocation, no tokens in logs, and a clean mapping from each integration to an accountable owner.
Practitioner guidance
- Revoke and reissue all Drift-connected credentials Treat every OAuth token, API key, and vendor-managed connection tied to Drift as potentially exposed.
- Search support systems for embedded secrets Scan customer tickets, attachments, chat transcripts, and troubleshooting notes for API keys, bearer tokens, and recovery data.
- Map downstream access from each OAuth app Build a full inventory of what each third-party OAuth app can reach, including Salesforce, support consoles, internal admin tools, and data export paths.
What's in the full analysis
Swarmnetics' full research covers the operational detail this post intentionally leaves for the source:
- The article breaks down which organisations reported token theft versus broader internal compromise.
- It outlines the suspected use of stolen OAuth tokens to search support tickets for secrets and access material.
- It describes the reported impact differences across vendors such as Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, SpyCloud, Tanium, and Tenable.
- It summarises the open questions around the attacker, the Breachstars ransom site, and the investigation timeline.
👉 Read Swarmnetics' analysis of the Salesloft Drift OAuth token theft →
Salesloft Drift token theft: what NHI teams need to review?
Explore further
Stolen OAuth tokens create identity blast radius, not isolated application risk. Once a delegated credential is compromised, the attacker inherits whatever trust the integration already carried. That means the real exposure is often the downstream SaaS, support, and customer-data surface attached to the token, not the integration brand itself. Practitioners should read this as a governance problem in shared trust paths, not a single-vendor incident.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which makes delegated access hard to govern at scale.
A question worth separating out:
Q: Who is accountable when a third-party integration exposes corporate secrets?
A: Accountability is shared, but the enterprise owns the governance failure if it allowed the integration to persist without review. Frameworks such as the OWASP Non-Human Identity Top 10 and Zero Trust Architecture both point to the same expectation: access paths must be continuously verified, bounded, and removable.
👉 Read our full editorial: Salesloft Drift token theft exposes wider NHI governance gaps