TL;DR: OAuth tokens stolen through the Salesloft-Drift integration let UNC6395 access Salesforce data and linked environments, with more than 700 organisations worldwide affected and stolen records now feeding extortion attempts, according to Illumio and FBI reporting. The breach shows that delegated trust, not perimeter control, is the real blast-radius issue in connected identity estates.
NHIMG editorial — based on content published by Illumio: The Master Key Problem: Inside the Salesloft Breach and Ongoing Threat
By the numbers:
- The number of organizations hit by UNC6395 is more than 700 worldwide.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
Questions worth separating out
Q: What breaks when a stolen OAuth token is used against a trusted integration?
A: The trust model breaks because the system still sees a valid credential, even though the actor behind it is no longer trustworthy.
Q: Why do delegated tokens increase breach impact in cloud and SaaS environments?
A: Delegated tokens often carry broad scopes and long lifetimes, so one compromise can expose multiple environments before anyone notices.
Q: What do security teams get wrong about connected app governance?
A: Teams often treat connected apps as convenience features instead of identity-bearing systems.
Practitioner guidance
- Audit every connected app and integration Build a current inventory of all Salesforce-connected apps, third-party sync paths, and service-to-service tokens.
- Rotate and revoke tokens on a lifecycle schedule Set expiry, rotation, and revocation rules for OAuth tokens, API keys, and other secrets tied to business integrations.
- Constrain scopes to the smallest workable trust domain Limit each token to the minimum permissions needed for its task, then separate read, export, and administration scopes so one compromised credential cannot unlock broad data movement or downstream secret discovery.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step account of how the Salesloft-Drift trust path was compromised and how the tokens were used downstream.
- The specific indicators Illumio highlights for detecting abnormal API activity and token misuse across connected systems.
- The detailed containment ideas for shrinking blast radius after a trusted integration has already been abused.
- The vendor's explanation of how visibility tools help map system-to-system communication in real environments.
👉 Read Illumio's analysis of the Salesloft OAuth token breach and trust-path compromise →
Salesloft OAuth token theft: what it means for IAM teams?
Explore further
Delegated access is now a primary identity attack surface. OAuth tokens, connected apps, and integration scopes are no longer background plumbing. They are the credentials that let software act with authority, which means their compromise has the same governance seriousness as a stolen privileged account. The practitioner conclusion is simple: if a system can act on behalf of the business, it needs identity lifecycle controls that match that authority.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, which shows governance blind spots persist even where security teams think coverage exists.
A question worth separating out:
Q: Who is accountable when a SaaS integration token is stolen?
A: Accountability should be shared, but operational ownership must be explicit. The business owner, identity team, and vendor all have different responsibilities, yet someone inside the enterprise must own review, rotation, and revocation. Without a named owner, the credential becomes a governance orphan and attackers benefit from the gap.
👉 Read our full editorial: Salesloft OAuth token theft exposes the master key problem