Salesloft OAuth compromise: what it means for NHI governance


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: A July 2025 campaign abused stolen OAuth tokens from Salesloft Drift integrations to access Salesforce and Google Workspace, then mine data for follow-on secrets, according to Oasis Security. The incident shows why token ownership, lifecycle control, and app-level monitoring matter more than user-centric controls when NHIs become the entry point.

NHIMG editorial — based on content published by Oasis Security covering the Salesloft OAuth compromise: The Salesloft OAuth compromise: what it changed, and what to do next

By the numbers:

Questions worth separating out

Q: What breaks when a connected app token is stolen?

A: When a connected app token is stolen, the attacker authenticates as the app rather than as a person, so MFA and user login checks often never trigger.

Q: Why do OAuth-connected NHIs create hidden blast radius?

A: OAuth-connected NHIs can reach multiple platforms through a single delegated trust relationship, so one compromised grant can expose data, secrets, and adjacent services.

Q: How can security teams tell if token governance is failing?

A: Token governance is failing when grants remain active without clear owners, scopes no longer match business need, and revocation requires manual hunting across platforms.

Practitioner guidance

  • Map every connected app to a named owner: Build an authoritative inventory of Salesforce, Google Workspace, and similar integrations, then require a named human owner for each token, grant, and service identity.
  • Search for secrets inside business data: Scan exports, files, messages, and records for API keys, refresh tokens, private key headers, and cloud credential markers.
  • Tie revocation to dependency maps: Document which downstream apps, tenants, and service accounts rely on each connected grant so you can remove related access paths together.

What's in the full analysis

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step incident response actions for Salesforce and Google Workspace access paths.
  • Specific log sources and query windows for tracing connected-app abuse across the campaign.
  • Secret discovery examples for identifying embedded credentials in Salesforce exports and files.
  • Rotation and rollback guardrails for safely reissuing affected integration credentials.

👉 Read Oasis Security's analysis of the Salesloft OAuth compromise and NHI exposure →

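The second guidance item above (scan exports and records for credential markers) is the one most easily turned into a repeatable check. The following is an added example, not code from the original post or from Oasis Security: it runs a handful of illustrative secret patterns (assumed to reflect widely documented key formats; the record layout, field names and sample records are constructed) over a CRM-style export and reports masked findings so the report itself does not become a second leak.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Illustrative credential patterns (assumption: these reflect widely documented
# key formats; extend them with the markers that matter in your own estate).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "refresh_token_assignment": re.compile(
        r"refresh_token\s*[=:]\s*['\"]?[A-Za-z0-9._/-]{20,}", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    preview: str  # masked excerpt: enough to triage, never the full secret


def mask(value: str) -> str:
    """Keep a short prefix for triage and hide the rest of the matched text."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_record(record_id: str, record: Dict[str, object]) -> List[Finding]:
    """Run every pattern over every string field of one exported record."""
    findings = []
    for field, text in record.items():
        if not isinstance(text, str):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append(Finding(record_id, field, kind, mask(match.group(0))))
    return findings


def scan_export(records: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Scan a whole export, keyed by record id."""
    findings = []
    for record_id, record in records.items():
        findings.extend(scan_record(record_id, record))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per record, which is what an owner needs to prioritise clean-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.record_id] = counts.get(f.record_id, 0) + 1
    return counts


# Constructed sample export: support cases with credentials pasted into free text.
# The AWS value is the well-known documentation placeholder, not a live key.
SAMPLE_EXPORT = {
    "case-0001": {"Subject": "Integration failing",
                  "Description": "Tried with key AKIAIOSFODNN7EXAMPLE but still 403."},
    "case-0002": {"Subject": "Renewal",
                  "Description": "Customer confirmed contract renewal for Q3."},
    "case-0003": {"Subject": "Deploy cert",
                  "Description": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----"},
    "case-0004": {"Subject": "Sync script",
                  "Description": "config: refresh_token = 1//0gAbCdEfGhIjKlMnOpQrStUvWxYz012345"},
}

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(f"{finding.record_id} [{finding.field}] {finding.kind}: {finding.preview}")
```

The pattern set is deliberately small; the point is that findings are routed back to the record and field, so the named owner of the integration that produced the export knows exactly what to rotate.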



   
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

Ownerless connected apps are a governance failure, not a tooling gap. The breach worked because the integration token had enough authority to behave like a trusted identity, yet the governance model treated it as a configuration detail. Once ownership is unclear, revocation slows, scopes drift, and stale grants outlive business need. Practitioners should treat connected-app ownership as a control boundary, not an admin convenience.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps - 38% have no or low visibility, and a further 47% have only partial visibility, according to The State of Non-Human Identity Security.
  • In the same research, only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a third-party integration is abused?

A: Accountability belongs to the business owner, the platform owner, and the identity team together, because connected apps sit across operational boundaries. If no one can state who approved the grant, who renews it, and who revokes it, the organisation has a governance gap. Ownership must be explicit before incidents happen.

👉 Read our full editorial: Salesloft OAuth compromise exposes NHI governance debt in SaaS
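Both posts land on the same three governance signals (grants with no named owner, scopes that have drifted past the documented need, and revocation that cannot follow dependencies), and the first post's guidance asks for a dependency map so related access paths are removed together. The following is an added example, not code from either post or from NHIMG: it encodes a constructed connected-app inventory (app names, owners, scopes and dependencies are all made up) and runs those checks, including a transitive revocation set that walks the dependency map.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Grant:
    """One connected-app grant: who owns it, what it can do, what it actually needs."""
    app: str
    platform: str
    owner: Optional[str]               # named human owner, or None if nobody is recorded
    granted_scopes: FrozenSet[str]
    required_scopes: FrozenSet[str]    # scopes the documented business use case needs
    last_used: date
    depends_on: FrozenSet[str] = frozenset()  # other grants this one relies on


def ownerless(grants: List[Grant]) -> List[str]:
    """Grants nobody is accountable for: the first governance failure both posts name."""
    return sorted(g.app for g in grants if not g.owner)


def scope_drift(grants: List[Grant]) -> Dict[str, List[str]]:
    """Scopes held beyond the documented need, per app."""
    return {g.app: sorted(g.granted_scopes - g.required_scopes)
            for g in grants if g.granted_scopes - g.required_scopes}


def stale(grants: List[Grant], today: date, max_idle_days: int = 90) -> List[str]:
    """Grants that have outlived use; the idle threshold is an assumed policy value."""
    return sorted(g.app for g in grants if (today - g.last_used).days > max_idle_days)


def revocation_set(grants: List[Grant], compromised_app: str) -> List[str]:
    """Everything to revoke together: the compromised grant plus every grant that
    transitively depends on it. A visited set keeps dependency cycles from looping."""
    known = {g.app for g in grants}
    dependents: Dict[str, set] = {}
    for g in grants:
        for dep in g.depends_on:
            dependents.setdefault(dep, set()).add(g.app)
    todo, seen = [compromised_app], set()
    while todo:
        app = todo.pop()
        if app in seen or app not in known:
            continue
        seen.add(app)
        todo.extend(dependents.get(app, ()))
    return sorted(seen)


def governance_report(grants: List[Grant], today: date) -> Dict[str, object]:
    """One view of the three signals, suitable for a periodic review."""
    return {"ownerless": ownerless(grants),
            "scope_drift": scope_drift(grants),
            "stale": stale(grants, today)}


# Constructed inventory; TODAY is a fixed reference date so the example is reproducible.
TODAY = date(2025, 9, 1)
INVENTORY = [
    Grant("drift-connector", "salesforce", "alice@example.com",
          frozenset({"api", "refresh_token", "full"}), frozenset({"api", "refresh_token"}),
          TODAY - timedelta(days=3)),
    Grant("crm-sync", "salesforce", None,
          frozenset({"api"}), frozenset({"api"}),
          TODAY - timedelta(days=5), depends_on=frozenset({"drift-connector"})),
    Grant("gws-mail-export", "google_workspace", "bob@example.com",
          frozenset({"gmail.readonly"}), frozenset({"gmail.readonly"}),
          TODAY - timedelta(days=200), depends_on=frozenset({"crm-sync"})),
    Grant("analytics-reader", "google_workspace", "carol@example.com",
          frozenset({"drive.readonly"}), frozenset({"drive.readonly"}),
          TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    print(governance_report(INVENTORY, TODAY))
    print("revoke together:", revocation_set(INVENTORY, "drift-connector"))
```

The dependency walk is the part worth keeping: revoking only the grant that was abused leaves the downstream integrations that trusted it either broken or still holding the access it delegated, which is exactly the "manual hunting across platforms" the first post describes.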



   