NHI Forum
Read full article here: https://www.oasis.security/blog/the-salesloft-oauth-compromise-what-it-changed-and-what-to-do-next/?utm_source=nhimg
In August 2025, attackers tracked as UNC6395 used OAuth tokens stolen from Salesloft’s Drift integration to gain unauthorized access to Salesforce and later Google Workspace environments. This breach wasn’t a platform vulnerability; it was a non-human identity (NHI) security failure. The incident underscores how tokens, connected apps, and service accounts have become high-value attack vectors that routinely bypass human-centric defenses like MFA.
Why This Attack Was Different
- Credential Harvest Loop – Exfiltration wasn’t the end goal; attackers mined CRM data to extract secrets (AWS keys, Snowflake tokens) and pivot deeper into cloud infrastructure.
- Bypassing Human Controls – OAuth tokens authenticate as apps, meaning no MFA prompts or user-facing alerts.
- Multi-SaaS Blast Radius – One compromised Drift grant enabled repeatable access across Salesforce, Google Workspace, Slack, and Pardot. Revoking tokens in one plane didn’t kill access in others.
- Governance Debt Exposed – The campaign revealed how stale scopes, ownerless connected apps, and unrotated tokens expand risk silently.
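To make the "harvest loop" and the "no MFA prompt" points concrete from the detection side, here is an added example (mine, not code from the Oasis article, Salesloft or Salesforce). It runs two checks over constructed data: a sliding-window rule that flags an OAuth app identity bulk-reading several CRM objects in a short window, and a scan of record bodies for secret-like strings so you know what to rotate. The event schema, app names, record ids and thresholds are all assumptions; real Salesforce Event Monitoring fields differ and would need mapping first.

```python
"""Detect a connected-app credential-harvest pattern and locate secrets in records.

Added example, not from the original post. Log schema, app names and
thresholds are constructed; map them to your real event fields before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API events: one line per call made by an OAuth connected app.
# Alerting keys on the app identity, since app tokens produce no MFA prompt
# and no user-facing alert for a human reviewer to notice.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T02:00:05Z", "app": "drift-integration", "object": "Case",        "rows": 20000, "auth": "oauth_app"},
    {"ts": "2025-08-08T02:01:10Z", "app": "drift-integration", "object": "Account",     "rows": 15000, "auth": "oauth_app"},
    {"ts": "2025-08-08T02:02:40Z", "app": "drift-integration", "object": "Contact",     "rows": 18000, "auth": "oauth_app"},
    {"ts": "2025-08-08T02:03:55Z", "app": "drift-integration", "object": "Opportunity", "rows": 12000, "auth": "oauth_app"},
    {"ts": "2025-08-08T09:15:00Z", "app": "billing-sync",      "object": "Account",     "rows": 300,   "auth": "oauth_app"},
    {"ts": "2025-08-08T09:16:00Z", "app": "billing-sync",      "object": "Account",     "rows": 250,   "auth": "oauth_app"},
]

WINDOW = timedelta(minutes=10)   # assumed detection window
ROW_THRESHOLD = 50000            # assumed: rows read by one app inside the window
OBJECT_THRESHOLD = 3             # assumed: distinct objects touched inside the window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_harvest_candidates(events, window=WINDOW, row_threshold=ROW_THRESHOLD,
                            object_threshold=OBJECT_THRESHOLD):
    """Return one finding per app that bulk-reads many objects within `window`."""
    by_app = defaultdict(list)
    for e in events:
        if e["auth"] == "oauth_app":
            by_app[e["app"]].append(e)

    findings = []
    for app, evs in by_app.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while parse_ts(evs[end]["ts"]) - parse_ts(evs[start]["ts"]) > window:
                start += 1
            span = evs[start:end + 1]
            rows = sum(e["rows"] for e in span)
            objects = {e["object"] for e in span}
            if rows >= row_threshold and len(objects) >= object_threshold:
                findings.append({"app": app, "window_start": evs[start]["ts"],
                                 "window_end": evs[end]["ts"], "rows": rows,
                                 "objects": sorted(objects)})
                break  # one finding per app is enough to open a case
    return findings


# Secret-shaped strings to look for in CRM record text. The AWS pattern is the
# public access-key-id format; the second is a coarse constructed heuristic
# for key=value style assignments such as pasted Snowflake tokens.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(r"(?i)(token|secret|api[_-]?key)\s*[:=]\s*\S{16,}"),
}

# Constructed records; the AWS value is the documentation example key.
SAMPLE_RECORDS = [
    {"id": "case-0001", "object": "Case",    "body": "Customer reports sync error; no credentials attached."},
    {"id": "case-0002", "object": "Case",    "body": "Shared creds for test: AKIAIOSFODNN7EXAMPLE (please delete)"},
    {"id": "contact-0003", "object": "Contact", "body": "snowflake_token=abcdefghijklmnopqrstuvwxyz0123"},
]


def find_secrets_in_records(records, patterns=SECRET_PATTERNS):
    """Return (object, id, pattern_name) for every record body matching a pattern."""
    hits = []
    for r in records:
        for name, rx in patterns.items():
            if rx.search(r["body"]):
                hits.append((r["object"], r["id"], name))
    return hits


if __name__ == "__main__":
    for f in find_harvest_candidates(SAMPLE_EVENTS):
        print("bulk read:", f)
    for h in find_secrets_in_records(SAMPLE_RECORDS):
        print("secret in record:", h)
```

On the sample data only drift-integration trips the bulk-read rule (53,000 rows across Case, Account and Contact inside three minutes), and two records surface as holding secrets that belong on the rotation list rather than in a CRM field.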
The Real Risks Beyond Drift
Salesforce had become a de facto credential repository, with sensitive keys and tokens embedded in records that were never designed to serve as a secrets vault. Attackers leveraged this sprawl to escalate beyond CRM data into cloud and SaaS platforms.
The broader lesson: this was not about one vendor, but about the structural weaknesses in non-human identity governance. Without ownership, rotation policies, and continuous monitoring, token abuse becomes inevitable.
What Security Teams Should Do Now
- Revoke & Rotate – Immediately rotate Salesforce API keys, OAuth tokens, and secrets potentially stored in records.
- Audit Connected Apps – Review Salesforce Event Monitoring logs, OAuth usage, and integration scopes. Remove unused apps and enforce least privilege.
- Assign Ownership – Every service account, integration, and token must have an accountable owner with attestation processes in place.
- Enforce Change-Safe Rotation – Automate token and secret rotation with rollback protections to avoid outages during incidents.
- Shift Left on Provisioning – Create new integrations with scoped permissions, federation where possible, and policies baked in from day one.
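The audit, ownership and change-safe rotation steps above can be expressed as a small governance check. The following is an added example written for this post (not the article's or any vendor's code): it scores a constructed connected-app inventory for missing owners, scopes granted but never exercised, overdue secret rotation and idle grants, and it shows a two-secret rotation routine that only revokes the old credential after a health check passes. The inventory fields, policy periods and the in-memory secret store are assumptions standing in for your admin API.

```python
"""Connected-app governance audit plus change-safe secret rotation.

Added example, not from the original post. Inventory, observed usage and
the SecretStore are constructed stand-ins for real admin/identity APIs.
"""
from datetime import datetime, timedelta

NOW = datetime(2025, 9, 1)               # fixed clock so results are reproducible
MAX_SECRET_AGE = timedelta(days=90)      # assumed rotation policy
MAX_IDLE = timedelta(days=60)            # assumed: unused this long means remove the grant

# Constructed inventory: granted scopes, accountable owner, rotation and usage dates.
INVENTORY = [
    {"app": "drift-integration", "owner": None, "scopes": {"api", "refresh_token", "full"},
     "secret_rotated": "2024-11-01", "last_used": "2025-08-08"},
    {"app": "billing-sync", "owner": "fin-eng@example.com", "scopes": {"api", "refresh_token"},
     "secret_rotated": "2025-08-15", "last_used": "2025-08-30"},
    {"app": "legacy-reporting", "owner": "bi@example.com", "scopes": {"api"},
     "secret_rotated": "2025-07-01", "last_used": "2025-05-01"},
]

# Constructed observed usage: scopes each app actually exercised per access logs.
OBSERVED_SCOPES = {
    "drift-integration": {"api"},
    "billing-sync": {"api", "refresh_token"},
    "legacy-reporting": set(),
}


def audit(inventory, observed, now=NOW, max_secret_age=MAX_SECRET_AGE, max_idle=MAX_IDLE):
    """Return {app: [issue, ...]}; an empty list means the grant passes policy."""
    findings = {}
    for app in inventory:
        name, issues = app["app"], []
        if not app["owner"]:
            issues.append("ownerless")
        excess = app["scopes"] - observed.get(name, set())   # granted but never used
        if excess:
            issues.append("excess_scopes:" + ",".join(sorted(excess)))
        if now - datetime.strptime(app["secret_rotated"], "%Y-%m-%d") > max_secret_age:
            issues.append("unrotated")
        if now - datetime.strptime(app["last_used"], "%Y-%m-%d") > max_idle:
            issues.append("stale")
        findings[name] = issues
    return findings


class SecretStore:
    """Constructed stand-in for the platform's credential API; several secrets can be valid at once."""

    def __init__(self):
        self.valid = {"sec-old"}
        self._n = 0

    def issue(self):
        self._n += 1
        sid = f"sec-new-{self._n}"
        self.valid.add(sid)
        return sid

    def revoke(self, sid):
        self.valid.discard(sid)


def rotate_with_rollback(store, client, health_check):
    """Two-secret rotation: the old secret stays valid until the client proves
    it works on the new one. On failure the client is switched back and the
    new secret is revoked instead of the old, so an incident-time rotation
    cannot take the integration down."""
    old = client["secret"]
    new = store.issue()              # both secrets live at this point
    client["secret"] = new
    if health_check(client):
        store.revoke(old)            # commit: only now does the old secret die
        return "rotated"
    client["secret"] = old           # rollback path
    store.revoke(new)
    return "rolled_back"


if __name__ == "__main__":
    for app, issues in audit(INVENTORY, OBSERVED_SCOPES).items():
        print(app, issues or "ok")
    store, client = SecretStore(), {"secret": "sec-old"}
    print(rotate_with_rollback(store, client, lambda c: c["secret"] in store.valid), client)
```

Run against the sample inventory, drift-integration comes back ownerless, over-scoped and overdue for rotation, which is exactly the governance-debt profile the post describes; legacy-reporting is idle with a scope it never uses and is a removal candidate. The rotation helper is the "change-safe" piece: it never leaves the client without a working secret at any point of the sequence.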
The Bigger Picture
The Salesloft compromise was a warning shot: non-human identities are now the weakest link in enterprise security. Attackers no longer need to phish humans—they weaponize OAuth tokens, exploit app-to-app trust, and persist invisibly.
Organizations must adopt identity-first governance for NHIs, treating OAuth tokens, app grants, and service accounts with the same rigor as privileged human accounts. Without it, the next Drift-style compromise is only a matter of time.