Salesloft OAuth Compromise: Lessons Learned and Next Steps for Security

Read full article here:  https://www.oasis.security/blog/the-salesloft-oauth-compromise-what-it-changed-and-what-to-do-next/?utm_source=nhimg

In August 2025, attackers from UNC6395 exploited stolen OAuth tokens from Salesloft’s Drift integration, gaining unauthorized access to Salesforce and later Google Workspace environments. This breach wasn’t a platform vulnerability, it was a non-human identity (NHI) security failure. The incident underscores how tokens, connected apps, and service accounts have become high-value attack vectors that often bypass human-centric defenses like MFA.

Why This Attack Was Different

• Credential Harvest Loop – Exfiltration wasn’t the end goal; attackers mined CRM data to extract secrets (AWS keys, Snowflake tokens) and pivot deeper into cloud infrastructure.
• Bypassing Human Controls – OAuth tokens authenticate as apps, meaning no MFA prompts or user-facing alerts.
• Multi-SaaS Blast Radius – One compromised Drift grant enabled repeatable access across Salesforce, Google Workspace, Slack, and Pardot. Revoking tokens in one plane didn’t kill access in others.
• Governance Debt Exposed – The campaign revealed how stale scopes, ownerless connected apps, and unrotated tokens expand risk silently.

The Real Risks Beyond Drift

Salesforce had become a de facto credential repository, with sensitive keys and tokens embedded in records—never designed to be a secrets vault. Attackers leveraged this sprawl to escalate beyond CRM data into cloud and SaaS platforms.

The broader lesson: this was not about one vendor, but about the structural weaknesses in non-human identity governance. Without ownership, rotation policies, and continuous monitoring, token abuse becomes inevitable.

What Security Teams Should Do Now

1. Revoke & Rotate – Immediately rotate Salesforce API keys, OAuth tokens, and secrets potentially stored in records.
2. Audit Connected Apps – Review Salesforce Event Monitoring logs, OAuth usage, and integration scopes. Remove unused apps and enforce least privilege.
3. Assign Ownership – Every service account, integration, and token must have an accountable owner with attestation processes in place.
4. Enforce Change-Safe Rotation – Automate token and secret rotation with rollback protections to avoid outages during incidents.
5. Shift Left on Provisioning – Create new integrations with scoped permissions, federation where possible, and policies baked in from day one.

The Bigger Picture

The Salesloft compromise was a warning shot: non-human identities are now the weakest link in enterprise security. Attackers no longer need to phish humans—they weaponize OAuth tokens, exploit app-to-app trust, and persist invisibly.

Organizations must adopt identity-first governance for NHIs, treating OAuth tokens, app grants, and service accounts with the same rigor as privileged human accounts. Without it, the next Drift-style compromise is only a matter of time.