NHI Forum


Salesloft OAuth Compromise: Lessons Learned and Next Steps for Security


(@oasis-security)
Topic starter  

Read full article here:  https://www.oasis.security/blog/the-salesloft-oauth-compromise-what-it-changed-and-what-to-do-next/?utm_source=nhimg


In August 2025, attackers from UNC6395 exploited stolen OAuth tokens from Salesloft’s Drift integration, gaining unauthorized access to Salesforce and later Google Workspace environments. This breach wasn’t a platform vulnerability; it was a non-human identity (NHI) security failure. The incident underscores how tokens, connected apps, and service accounts have become high-value attack vectors that often bypass human-centric defenses like MFA.


Why This Attack Was Different

  • Credential Harvest Loop – Exfiltration wasn’t the end goal; attackers mined CRM data to extract secrets (AWS keys, Snowflake tokens) and pivot deeper into cloud infrastructure.
  • Bypassing Human Controls – OAuth tokens authenticate as apps, meaning no MFA prompts or user-facing alerts.
  • Multi-SaaS Blast Radius – One compromised Drift grant enabled repeatable access across Salesforce, Google Workspace, Slack, and Pardot. Revoking tokens in one plane didn’t kill access in others.
  • Governance Debt Exposed – The campaign revealed how stale scopes, ownerless connected apps, and unrotated tokens expand risk silently.


The Real Risks Beyond Drift

Salesforce had become a de facto credential repository, with sensitive keys and tokens embedded in records—never designed to be a secrets vault. Attackers leveraged this sprawl to escalate beyond CRM data into cloud and SaaS platforms.

The broader lesson: this was not about one vendor, but about the structural weaknesses in non-human identity governance. Without ownership, rotation policies, and continuous monitoring, token abuse becomes inevitable.


What Security Teams Should Do Now

  1. Revoke & Rotate – Immediately rotate Salesforce API keys, OAuth tokens, and secrets potentially stored in records.
  2. Audit Connected Apps – Review Salesforce Event Monitoring logs, OAuth usage, and integration scopes. Remove unused apps and enforce least privilege.
  3. Assign Ownership – Every service account, integration, and token must have an accountable owner with attestation processes in place.
  4. Enforce Change-Safe Rotation – Automate token and secret rotation with rollback protections to avoid outages during incidents.
  5. Shift Left on Provisioning – Create new integrations with scoped permissions, federation where possible, and policies baked in from day one.
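As an added example (not code from the post or from Oasis Security), a small audit that turns steps 2 and 3 above into a check: it runs over a constructed connected-app inventory and a constructed scope-usage log with an assumed schema (not Salesforce's real Event Monitoring format), flags ownerless apps, unrotated tokens and stale scopes, and lists every platform a single app's revocation must cover.

```python
"""Audit OAuth/connected-app grants for the governance debt the post names.
All app names, owners, dates and the record layout are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Grant:
    app: str                 # connected-app / integration name
    owner: Optional[str]     # accountable owner, None = ownerless
    scopes: set              # scopes granted to the app
    token_issued: date       # last time the token/secret was rotated
    platform: str            # SaaS plane the grant lives in

TODAY = date(2025, 9, 1)     # constructed reference date for the audit

# constructed inventory: one app holding grants in two planes, plus a healthy app
GRANTS = [
    Grant("drift-connector", None, {"api", "refresh_token", "full"}, date(2024, 3, 10), "salesforce"),
    Grant("drift-connector", "it-ops@example.com", {"drive.readonly", "gmail.readonly"}, date(2025, 8, 20), "google-workspace"),
    Grant("billing-sync", "finance@example.com", {"api"}, date(2025, 7, 1), "salesforce"),
]

# constructed usage log: (day, app, platform, scope actually exercised)
USAGE = [
    (TODAY - timedelta(days=2), "drift-connector", "salesforce", "api"),
    (TODAY - timedelta(days=1), "billing-sync", "salesforce", "api"),
    (TODAY - timedelta(days=3), "drift-connector", "google-workspace", "drive.readonly"),
]

def audit(grants, usage, today=TODAY, max_token_age_days=90, stale_scope_days=30):
    """Return (app, platform) findings: ownerless, unrotated-token, stale-scopes:<list>."""
    cutoff = today - timedelta(days=stale_scope_days)
    used = {}  # scopes seen in the log within the stale window
    for day, app, platform, scope in usage:
        if day >= cutoff:
            used.setdefault((app, platform), set()).add(scope)
    findings = []
    for g in grants:
        key = (g.app, g.platform)
        if g.owner is None:
            findings.append((key, "ownerless"))
        if (today - g.token_issued).days > max_token_age_days:
            findings.append((key, "unrotated-token"))
        stale = g.scopes - used.get(key, set())
        if stale:
            findings.append((key, "stale-scopes:" + ",".join(sorted(stale))))
    return findings

def blast_radius(grants, app):
    """Every plane where the app holds a grant: revoking in one plane is not enough."""
    return sorted({g.platform for g in grants if g.app == app})
```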


The Bigger Picture

The Salesloft compromise was a warning shot: non-human identities are now the weakest link in enterprise security. Attackers no longer need to phish humans—they weaponize OAuth tokens, exploit app-to-app trust, and persist invisibly.

Organizations must adopt identity-first governance for NHIs, treating OAuth tokens, app grants, and service accounts with the same rigor as privileged human accounts. Without it, the next Drift-style compromise is only a matter of time.
