NHI Forum
Read full article from Hush Security here: https://www.hush.security/blog/why-storm-the-castle-when-you-already-hold-the-keys-to-the-kingdom/?utm_source=nhimg
The Salesloft and Gainsight breaches exposed a critical shift in 2025: attackers no longer break down enterprise defenses; they hijack the trusted Non-Human Identities (NHIs) that already hold privileged access. In both incidents, attackers compromised OAuth access tokens and refresh tokens tied to third-party integrations, which gave them legitimate-looking entry into Salesforce environments without exploiting any vulnerability or bypassing MFA, because the token itself is the credential and MFA never enters the picture. Once inside, they harvested cloud keys, Snowflake tokens, internal metadata, and downstream secrets, demonstrating that an integration token is a high-privilege entry point into a multi-system ecosystem, not just access to one SaaS tenant.
The emerging attack pattern is clear: compromise one integration, inherit its scopes, pivot through connected apps, and escalate into cloud infrastructure. It is the modern supply-chain breach: low friction, high impact, and powered by unmonitored NHIs. Security teams must now treat vendor integrations as first-class identities: inventory every third-party connection and the tokens it holds, cut scopes down to what each integration actually uses, rotate tokens on a schedule and revoke them outright when a vendor is compromised, and build NHI-focused incident response that traces what a hijacked token could reach downstream rather than stopping at the first system it opened.
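To make those four steps concrete, here is an added example (not code from Hush Security or from the original post) of the bookkeeping an NHI governance check needs: an inventory of integration tokens, a scope allow-list per system, an age/idle rotation rule, and a blast-radius walk that follows secrets stored inside each reached system. All integration names, systems, scopes, dates and the "secrets stored in" map are constructed for illustration; in a real environment they would come from the identity provider, the SaaS admin APIs and a secrets inventory.

```python
"""Toy NHI governance checks for third-party integration tokens.

Demonstrates: inventory, scope tightening, rotation policy, and tracing
downstream exposure from one compromised integration. All data below is
constructed for the example; names are hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IntegrationToken:
    """One OAuth access/refresh token an integration holds against one system."""
    app: str            # third-party integration that holds the token
    system: str         # system the token grants access to
    scopes: frozenset   # scopes granted to this token
    issued_at: datetime
    last_used: datetime


NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
D = timedelta

# Constructed inventory (hypothetical apps, systems and scopes).
TOKENS = [
    IntegrationToken("chat-assistant", "salesforce",
                     frozenset({"api", "refresh_token", "full"}),
                     NOW - D(days=400), NOW - D(days=1)),
    IntegrationToken("chat-assistant", "slack",
                     frozenset({"chat:write"}),
                     NOW - D(days=30), NOW - D(days=2)),
    IntegrationToken("cs-platform", "salesforce",
                     frozenset({"api", "refresh_token"}),
                     NOW - D(days=300), NOW - D(days=200)),
    IntegrationToken("billing-sync", "stripe",
                     frozenset({"read_only"}),
                     NOW - D(days=10), NOW - D(days=1)),
]

# Constructed: the minimum scopes each integration is allowed on each system.
ALLOWED = {
    "salesforce": frozenset({"api", "refresh_token"}),
    "slack": frozenset({"chat:write"}),
    "stripe": frozenset({"read_only"}),
}

# Constructed: credentials for other systems that are stored *inside* a system,
# i.e. what an attacker can harvest once a token gets them in.
SECRETS_IN = {
    "salesforce": {"snowflake", "aws"},   # e.g. Snowflake tokens, cloud keys in records
    "aws": {"internal-db"},               # e.g. DB password in a parameter store
}


def inventory(tokens):
    """Map each integration to the systems it reaches and the scopes held there."""
    inv = {}
    for t in tokens:
        inv.setdefault(t.app, {})[t.system] = set(t.scopes)
    return inv


def overscoped(tokens, allowed):
    """(app, system) pairs holding scopes beyond the allow-list, with the excess."""
    result = {}
    for t in tokens:
        excess = t.scopes - allowed.get(t.system, frozenset())
        if excess:
            result[(t.app, t.system)] = excess
    return result


def needs_rotation(tokens, now=NOW, max_age=D(days=90), max_idle=D(days=30)):
    """Tokens older than max_age, or unused for longer than max_idle (a stale
    but still-valid refresh token is exactly what a hijacker wants)."""
    return {(t.app, t.system) for t in tokens
            if now - t.issued_at > max_age or now - t.last_used > max_idle}


def blast_radius(tokens, secrets_in, compromised_app):
    """Systems reachable after compromised_app's tokens are hijacked: every
    system the app holds a token for, plus, transitively, every system whose
    credentials are stored inside a system already reached."""
    start = {t.system for t in tokens if t.app == compromised_app}
    reached, queue = set(start), deque(start)
    while queue:
        system = queue.popleft()
        for downstream in secrets_in.get(system, ()):
            if downstream not in reached:
                reached.add(downstream)
                queue.append(downstream)
    return reached


if __name__ == "__main__":
    for app, systems in inventory(TOKENS).items():
        print(app, "->", {s: sorted(sc) for s, sc in systems.items()})
    print("over-scoped:", overscoped(TOKENS, ALLOWED))
    print("rotate now:", sorted(needs_rotation(TOKENS)))
    print("blast radius of chat-assistant:",
          sorted(blast_radius(TOKENS, SECRETS_IN, "chat-assistant")))
```

The point of `blast_radius` is the incident-response question the post raises: a vendor tells you one integration was compromised, and the answer to "what did the attacker reach" is not that integration's token list but the closure over every secret stored in each system that token opened. Feeding it a real inventory is the hard part; the traversal itself is trivial once the inventory exists.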
The lesson is simple: attackers no longer storm the castle. They walk through the door as a trusted integration already holding the keys. Enterprises that prioritize NHI governance and integration-level security will be the ones that stay ahead.