The Ultimate Guide to Non-Human Identities Report
NHI Forum


The Drift OAuth Breach: How Salesforce Became a De Facto Credential Repository


(@aembit)
Trusted Member
Joined: 7 months ago
Posts: 18
Topic starter  

Read full article here: https://aembit.io/blog/when-salesforce-becomes-a-de-facto-credential-repository-lessons-from-the-drift-oauth-breach/?utm_source=nhimg

The recent Salesforce Drift OAuth breach underscores a deeper identity security challenge: SaaS platforms are becoming unintended credential repositories. While Salesforce itself was not compromised, attackers exploited weak OAuth token management through Drift to impersonate trusted integrations, exfiltrate CRM data, and harvest embedded credentials.

 

This incident reveals two structural failures:

  1. OAuth token sprawl - long-lived tokens granted broad access without sufficient visibility or lifecycle management.
  2. Secrets sprawl inside Salesforce - critical credentials like AWS keys and Snowflake tokens stored in CRM records, turning Salesforce into a high-value target.

 

Key Risks Identified

  • Beyond CRM Data Theft - Once attackers uncovered embedded cloud credentials, they expanded attacks into AWS, Snowflake, and connected SaaS ecosystems.
  • Token Abuse Across Platforms - Google’s Threat Intelligence Group and Mandiant confirmed attackers also exploited Drift Email OAuth tokens tied to Google Workspace, highlighting multi-cloud exposure.
  • Structural Blind Spots - Security teams often lack visibility into how many non-human identities (tokens, service accounts, integrations) exist and how they’re being used.

 

Immediate Actions for Security Teams

  • Rotate secrets stored in Salesforce (API keys, tokens, service passwords) and assume potential exposure.
  • Audit Salesforce Event Monitoring logs for anomalous queries tied to Drift or connected apps.
  • Tighten connected app permissions with least-privilege policies and enforce IP restrictions.
  • Maintain a non-human identity inventory to track OAuth tokens, service accounts, and their trust relationships.

Strategic Lessons

The bigger lesson is that managing secrets more aggressively isn’t enough. Long-lived tokens and hidden credentials in SaaS environments demand a policy-based, identity-aware proxy for SaaS-to-SaaS integrations. Without real-time visibility and scoped access enforcement, a single compromised token can cascade into a multi-cloud breach.

 

Bottom Line

The Salesforce Drift incident proves that enterprises must extend zero trust principles to non-human identities. By eliminating static secrets, enforcing just-in-time token exchanges, and unifying governance across SaaS and cloud integrations, organizations can prevent CRM systems from becoming silent credential vaults for attackers.

 


This topic was modified 3 weeks ago by Abdelrahman
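As an added example (not code from the original post, from Aembit, or from Salesforce), the script below sketches the two checks the post recommends: flagging connected-app API activity that looks like token abuse (bulk row pulls, unexpected source IPs, objects an integration has no business reading), and scanning free-text CRM fields for embedded credentials so they can be rotated. The log field names, the allowlists, the record samples and the Snowflake-style token shape are all constructed assumptions for this example; they do not reproduce the real Salesforce EventLogFile schema.

```python
"""Detection sketch for the two failure modes in the post: bulk data pulls by a
connected app, and secrets embedded in CRM record text.

All inputs are CONSTRUCTED for this example. The log column names are an
assumption and do not reproduce Salesforce's real EventLogFile schema."""
import csv
import io
import re
from collections import defaultdict

# Constructed API-event log lines (assumed column names, not Salesforce's schema).
SAMPLE_API_LOG = """\
TIMESTAMP,CONNECTED_APP,USER_ID,ENTITY,ROWS_PROCESSED,SOURCE_IP
2025-08-10T01:00:00Z,Drift,005xx000001,Lead,40,203.0.113.10
2025-08-10T01:05:00Z,Drift,005xx000001,Lead,55,203.0.113.10
2025-08-10T01:10:00Z,Drift,005xx000001,Contact,30,203.0.113.10
2025-08-11T02:00:00Z,Drift,005xx000001,Case,250000,198.51.100.77
2025-08-11T02:03:00Z,Drift,005xx000001,Account,180000,198.51.100.77
2025-08-11T03:00:00Z,Marketo,005xx000002,Lead,60,203.0.113.20
"""

# Expected egress IPs per integration (constructed; mirrors an IP restriction policy).
APP_IP_ALLOWLIST = {"Drift": {"203.0.113.10"}, "Marketo": {"203.0.113.20"}}
# Objects each integration is expected to touch (constructed; mirrors least privilege).
APP_EXPECTED_ENTITIES = {"Drift": {"Lead", "Contact"}, "Marketo": {"Lead"}}
BULK_ROWS_THRESHOLD = 10_000


def flag_anomalous_queries(log_text, allowlist=APP_IP_ALLOWLIST,
                           expected=APP_EXPECTED_ENTITIES,
                           bulk_threshold=BULK_ROWS_THRESHOLD):
    """Return (timestamp, app, reasons) for log rows that look like token abuse."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["CONNECTED_APP"]
        reasons = []
        if int(row["ROWS_PROCESSED"]) >= bulk_threshold:
            reasons.append("bulk_rows")           # far above the app's normal volume
        if row["SOURCE_IP"] not in allowlist.get(app, set()):
            reasons.append("unexpected_ip")       # token used from an unknown network
        if row["ENTITY"] not in expected.get(app, set()):
            reasons.append("unexpected_entity")   # object outside the app's scope
        if reasons:
            findings.append((row["TIMESTAMP"], app, reasons))
    return findings


# Credential shapes worth flagging in free-text CRM fields. The AWS access key ID
# prefix is the public, documented format; the Snowflake pattern is a constructed
# placeholder shape, not a real token format.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_token_like": re.compile(r"\bsf_token_[A-Za-z0-9]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed records; the AWS value is AWS's own documented example key ID.
SAMPLE_RECORDS = [
    {"Id": "500xx0001", "Description": "Customer needs help with the login page."},
    {"Id": "500xx0002", "Description": "Temp creds for the migration: AKIAIOSFODNN7EXAMPLE"},
    {"Id": "500xx0003", "Description": "Warehouse access: sf_token_abcdefghijklmnopqrstuvwx"},
]


def scan_records_for_secrets(records, fields=("Description",), patterns=SECRET_PATTERNS):
    """Return {record_id: [pattern_name, ...]} for records whose text fields hold secrets."""
    hits = defaultdict(list)
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for name, pat in patterns.items():
                if pat.search(text):
                    hits[rec["Id"]].append(name)
    return dict(hits)


if __name__ == "__main__":
    for ts, app, reasons in flag_anomalous_queries(SAMPLE_API_LOG):
        print(f"{ts} {app}: {', '.join(reasons)}")
    for rec_id, names in scan_records_for_secrets(SAMPLE_RECORDS).items():
        print(f"record {rec_id} contains: {', '.join(names)} -> rotate and remove")
```

Run against the constructed data, the log check reports only the two large off-network pulls against Case and Account, and the record scan names the two records whose text carries credential-shaped strings. In practice the allowlists and expected-object sets would come from the non-human identity inventory the post recommends, and any record hit is a rotation task, not just a finding.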
