Understanding Refresh Tokens: Secure Your Apps Against Attacks

Last Post

RSS

NHI Mgmt Group

(@nhi-mgmt-group)

Member Moderator

Joined: 1 year ago

Posts: 5855

Topic starter 08/02/2026 8:29 pm

Executive Summary

Understanding refresh tokens is crucial for modern application security. The compromise of Salesloft in 2025 revealed vulnerabilities as attackers exploited long-lived refresh tokens to access Salesforce accounts of over 700 organizations. These tokens, which bypass traditional identity controls, raise significant concerns regarding user authentication and access management. Security teams must recognize these risks and implement strategies to manage refresh tokens effectively, ensuring robust protections against SaaS supply chain attacks.

👉 Read the full article from Obsidian Security here for comprehensive insights.

Main Highlights

The Salesloft Incident

Attackers compromised Salesloft using stored refresh tokens, exploiting a lack of security measures.
Tokens were authorized long ago by users who no longer worked with the organization.
The breach affected 700+ organizations, exposing critical flaws in identity security practices.

Understanding Refresh Tokens

Refresh tokens provide long-lived credentials, allowing continuous access without requiring re-authentication.
They do not trigger Multi-Factor Authentication (MFA), presenting risks if mismanaged.
Organizations must reevaluate how these tokens fit into the identity lifecycle to enhance security.

Risks and Security Recommendations

Refresh tokens often operate outside traditional security protocols, making them vulnerable to exploitation.
Implement controls to regularly audit token usage and revoke access related to former employees.
Adopt a security-first mindset to manage refresh tokens and mitigate unauthorized access risks.

Best Practices for Token Management

Establish clear policies for refresh token lifecycle management to limit exposure and risk.
Educate teams on the importance of security measures when using refresh tokens in applications.
Consider employing automated tools for monitoring and managing token security across platforms.

👉 Access the full expert analysis and actionable security insights from Obsidian Security here.

Quote

Topic Tags

Forum Statistics

9 Forums

7,101 Topics

12.5 K Posts

30 Online

135 Members

Latest Post: B2B content writing and SEO: what identity teams can learn Our newest member: Alex Recent Posts Unread Posts Tags

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

FAQ

NHI 101 Articles

Legal & Policies