Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Salesloft OAuth token breach: are your NHI controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: The Salesloft incident showed that an OAuth token compromise can cascade into Salesforce data exfiltration across hundreds of connected instances, according to Andromeda Security. Static access assumptions fail when a stolen non-human credential can be used from a new client IP with a behavior pattern that never matches its normal baseline.

NHIMG editorial — based on content published by Andromeda Security covering the Salesloft supply chain breach: Proactive Identity Defense: Preventing a Supply Chain Breach

Questions worth separating out

Q: What breaks when a stolen OAuth token is used against a trusted integration?

A: The trust model breaks because the system still sees a valid credential, even though the actor behind it is no longer trustworthy.

Q: Why do service account and token compromises create such broad exposure in cloud and SaaS environments?

A: They create broad exposure because one credential often represents access to many downstream objects, APIs, or tenants.

Q: How do security teams know whether NHI behavioural monitoring is actually working?

A: It is working only if it can distinguish normal machine access from anomalous use without overwhelming operators with noise.

Practitioner guidance

  • Inventory all connected app tokens as owned NHIs Map each OAuth token, API key, and service credential to a human owner, business purpose, and explicit revocation path so integrations do not become anonymous trust channels.
  • Baseline normal NHI behavior by source and API mix Track client IPs, request frequency, and endpoint usage per identity so a new source or a sudden shift in call patterns can be detected as identity drift.
  • Tie anomaly detection to immediate containment Automate privilege shutdown and token revocation when a delegated credential shows bulk extraction behavior, because manual review happens too late once replay begins.

What's in the full article

Andromeda Security's full research covers the operational detail this post intentionally leaves for the source:

  • The article shows how Andromeda baselines client IPs and API usage patterns for each NHI.
  • It explains the automated response sequence used after detecting a new client IP and abnormal behaviour.
  • It describes how zeroing out permissions and revoking the token are combined to stop further misuse.
  • It frames the Salesloft incident as a practical example of identity-based supply chain defence.

👉 Read Andromeda Security's analysis of the Salesloft supply chain breach and NHI exposure →

Salesloft OAuth token breach: are your NHI controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Connected app tokens are not secondary assets, they are production identities. The Salesloft case shows that a delegated OAuth token can become the real control plane for downstream access, even when the primary platform is not breached. That makes token governance an identity discipline, not an application housekeeping task. Practitioners should treat every integration token as an owned NHI with explicit lifecycle accountability.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why compromised delegated access is often discovered too late to prevent downstream abuse.

A question worth separating out:

Q: Who should be accountable when a third-party connected app token is compromised?

A: Accountability should sit with the team that owns the integration, not only with the platform where the token was used. That team needs to know the scope of access, the revocation process, and the monitoring thresholds, because delegated trust is still an owned identity problem.

👉 Read our full editorial: Salesloft token compromise shows the limits of static NHI controls



   
ReplyQuote
Share: