Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Salesloft Drift token theft: what NHI teams need to review


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: About 700 Salesloft Drift customers are confirmed to have had OAuth tokens or other access credentials stolen, while Google said a very small amount of Workspace tokens were taken and multiple cybersecurity firms reported downstream compromise, according to Swarmnetics. The incident shows how delegated access, support-ticket content, and integration sprawl can turn one exposed NHI path into broader identity risk.

NHIMG editorial — based on content published by Swarmnetics covering the Salesloft Drift OAuth token theft and downstream compromise

By the numbers:

Questions worth separating out

Q: What breaks when OAuth tokens are compromised in connected SaaS environments?

A: When OAuth tokens are compromised, attackers can inherit delegated access without defeating passwords or MFA.

Q: Why do OAuth-connected support tools create elevated NHI risk?

A: They concentrate operational secrets in places designed for troubleshooting, not identity governance.

Q: How do teams know whether OAuth token governance is actually working?

A: Look for short token lifetimes, tested revocation, no tokens in logs, and a clean mapping from each integration to an accountable owner.

Practitioner guidance

What's in the full analysis

Swarmnetics' full research covers the operational detail this post intentionally leaves for the source:

  • The article breaks down which organisations reported token theft versus broader internal compromise.
  • It outlines the suspected use of stolen OAuth tokens to search support tickets for secrets and access material.
  • It describes the reported impact differences across vendors such as Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, SpyCloud, Tanium, and Tenable.
  • It summarises the open questions around the attacker, the Breachstars ransom site, and the investigation timeline.

👉 Read Swarmnetics' analysis of the Salesloft Drift OAuth token theft →

Salesloft Drift token theft: what NHI teams need to review?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Stolen OAuth tokens create identity blast radius, not isolated application risk. Once a delegated credential is compromised, the attacker inherits whatever trust the integration already carried. That means the real exposure is often the downstream SaaS, support, and customer-data surface attached to the token, not the integration brand itself. Practitioners should read this as a governance problem in shared trust paths, not a single-vendor incident.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which makes delegated access hard to govern at scale.

A question worth separating out:

Q: Who is accountable when a third-party integration exposes corporate secrets?

A: Accountability is shared, but the enterprise owns the governance failure if it allowed the integration to persist without review. Frameworks such as the OWASP Non-Human Identity Top 10 and Zero Trust Architecture both point to the same expectation: access paths must be continuously verified, bounded, and removable.

👉 Read our full editorial: Salesloft Drift token theft exposes wider NHI governance gaps



   
ReplyQuote
Share: