
Drift OAuth breach: what NHI teams need to change now

(@nhi-mgmt-group), Member Moderator, Topic starter
TL;DR: A compromised OAuth path in the Drift integration let attackers access Salesforce data and pull additional secrets from more than 700 organisations, showing how hidden non-human identities can turn a vendor compromise into a broad credential-exposure event, according to Apono. Standing access, not just token theft, is the real governance failure here.

NHIMG editorial — based on content published by Apono: Beyond the Drift Breach: Securing Non-Human Identities with Zero Standing Privileges

By the numbers:

  • This breach affected over 700 organizations and extended beyond Salesforce to integrations with Google Workspace, Slack, AWS, and Microsoft Azure.

Questions worth separating out

Q: What breaks when OAuth tokens are treated as permanent access?

A: Permanent OAuth access turns a delegated token into standing privilege, which means a compromise can be reused until someone revokes it.

Q: Why do non-human identities increase blast radius after a vendor breach?

A: Non-human identities often carry broad scopes, hidden dependencies, and weak lifecycle oversight.

Q: What do security teams get wrong about OAuth scope review?

A: Many teams review scope at onboarding but do not revisit it as integrations change, vendors expand, or workflows drift.

Practitioner guidance

  • Inventory every delegated token and integration principal: map each OAuth token, service account, and API key to an owner, purpose, scope, and revocation method.
  • Revoke stale access before you rotate around it: disable dormant tokens, remove unused integrations, and revoke credentials that are no longer needed in active workflows.
  • Enforce least privilege on every SaaS scope: review OAuth scopes, app permissions, and downstream connector rights so a single principal cannot reach unrelated systems such as email, file storage, and cloud control planes.
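One way to turn the three checks above into a repeatable audit, as an added example that is not Apono's or NHIMG's code: it walks a constructed NHI inventory and flags missing owner/purpose/revocation metadata, dormant tokens (assumed 30-day threshold), and principals whose scopes reach more than one class of system. The scope-to-system mapping, the threshold and the inventory records are all assumptions made for illustration.

```python
"""Audit a non-human-identity inventory for standing-privilege risk.

Added example; the scope mapping, threshold and records are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption: each SaaS scope is tagged with the system class it reaches,
# so a principal spanning several classes is visible at a glance.
SCOPE_SYSTEM = {
    "salesforce.api": "crm",
    "gmail.readonly": "email",
    "drive": "file_storage",
    "slack.channels:read": "chat",
    "aws.iam:*": "cloud_control_plane",
    "azure.rbac.write": "cloud_control_plane",
}

STALE_AFTER = timedelta(days=30)  # assumed dormancy threshold


def audit_principal(p, now):
    """Return the findings for one token / service-account record."""
    findings = []
    # Check 1: every principal needs an owner, a purpose and a revocation path.
    for field in ("owner", "purpose", "revocation_method"):
        if not p.get(field):
            findings.append(f"missing {field}")
    # Check 2: dormant tokens are revocation candidates, not rotation candidates.
    last_used = p.get("last_used")
    if last_used is None or now - last_used > STALE_AFTER:
        findings.append("dormant: candidate for revocation")
    # Check 3: one principal should not reach unrelated system classes.
    systems = {SCOPE_SYSTEM.get(s, "unknown") for s in p.get("scopes", [])}
    if len(systems) > 1:
        findings.append("cross-system reach: " + ", ".join(sorted(systems)))
    return findings


def audit_inventory(inventory, now=None):
    """Map principal id -> list of findings (empty list means clean)."""
    now = now or datetime.now(timezone.utc)
    return {p["id"]: audit_principal(p, now) for p in inventory}


# Constructed sample inventory (not real identifiers or scopes).
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"id": "crm-sync-connector", "owner": "sales-ops", "purpose": "lead sync",
     "revocation_method": "Connected App > revoke", "scopes": ["salesforce.api"],
     "last_used": NOW - timedelta(days=2)},
    {"id": "legacy-reporting-bot", "owner": None, "purpose": "unknown",
     "revocation_method": None, "last_used": NOW - timedelta(days=120),
     "scopes": ["salesforce.api", "gmail.readonly", "drive", "aws.iam:*"]},
]

if __name__ == "__main__":
    for pid, issues in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        print(pid, "->", issues or ["ok"])
```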

What's in the full article

Apono's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step remediation guidance for auditing and revoking stale OAuth tokens across connected apps.
  • A practical breakdown of quarantine, rightsizing, and delete actions for risky principals.
  • Implementation details for Access Flow guardrails and JSON deny policies in active environments.
  • Apono's view of how zero standing privileges can be applied without breaking active workflows.

👉 Read Apono's analysis of the Drift OAuth breach and NHI exposure →
