When a Salesforce-connected app is compromised, the token becomes a trusted identity that can query data, export records, and search for embedded secrets without bypassing MFA. The failure is not the login flow, but the assumption that approved integrations are low-risk. Teams should treat each token as a governed NHI with explicit scope, ownership, and revocation controls.
Why This Matters for Security Teams
An OAuth-connected Salesforce app is not just an integration pattern. It becomes a non-human identity with delegated trust, and once that app is compromised, the attacker inherits the token’s scope and the business access attached to it. That means data can be queried, exported, and weaponised without a fresh login prompt or MFA challenge. The security failure is usually not in Salesforce itself, but in treating approved integrations as low-risk by default.
This is where many teams underestimate the blast radius. The State of Non-Human Identity Security report found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which makes compromised tokens difficult to inventory, scope, and revoke quickly. In practice, the problem is amplified when tokens are long-lived, over-scoped, or reused across environments. A token that was meant to support a workflow can become a durable access path into customer records, files, and embedded secrets.
Current guidance suggests treating every OAuth grant as governed identity, not convenience glue. The real risk appears when an integration is assumed to be trusted simply because it was approved once, and attackers later reuse that trust to move quietly through Salesforce data and connected systems. In practice, many security teams encounter the breach only after abnormal exports or downstream account abuse has already occurred, rather than through intentional integration governance.
How It Works in Practice
When a Salesforce-connected app is compromised, the attacker usually does not need to break MFA or steal a user password. Instead, they abuse the app’s bearer token, refresh token, or connected app credentials to act inside the granted scope. The practical question is what the token can reach: reports, objects, attachments, API endpoints, and any downstream service that trusts the same integration. If that app is also used for automation, the attacker may be able to chain actions, enumerate records, and search for secrets embedded in tickets, comments, or file fields.
The defensive model needs to shift from static approval to runtime control. Useful controls include:
- Least-privilege OAuth scopes and connected-app permissions
- Short-lived tokens with explicit revocation paths
- Ownership for each integration, with business and technical approvers
- Logging for token use, unusual API volume, and data export patterns
- Periodic review of scopes, refresh token policies, and unused grants
This is aligned with the NHI lifecycle guidance in the Ultimate Guide to NHIs — Why NHI Security Matters Now, which treats service identities as assets that must be governed from creation through offboarding. It also matches the operational direction of the Anthropic report on AI-orchestrated cyber espionage, where abuse at scale depends on trusted automation and tokenised access rather than interactive compromise.
These controls tend to break down when integrations share broad admin scopes across multiple sandboxes and production orgs, because revocation, attribution, and blast-radius analysis become too slow to keep pace with attacker activity.
Common Variations and Edge Cases
Tighter OAuth governance often increases operational overhead, requiring organisations to balance faster automation against stronger review, monitoring, and revocation discipline. That tradeoff matters most in Salesforce ecosystems with many marketplace apps, custom middleware, and legacy service accounts that were never designed for strict identity ownership.
There is no universal standard for every app pattern yet, but current guidance suggests a few edge cases need special handling. First, refresh tokens can outlive the original user session, so a user’s password reset does not necessarily remove the threat. Second, app-to-app integrations may bypass user-centric controls entirely, which means PAM or MFA alone will not stop misuse once the token is valid. Third, multi-tenant apps can create shared failure domains where a compromise in one integration exposes many customer environments.
Teams should also watch for hidden coupling. A token used for Salesforce reporting may also connect to downstream storage, marketing tools, or ticketing systems, creating an attack path that expands beyond CRM data. The 52 NHI Breaches Analysis shows how often these incidents depend on durable machine trust rather than sophisticated exploitation. The practical response is to classify each OAuth app by business criticality, token longevity, and downstream reach, then revoke or reissue credentials when the app is no longer essential.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | OAuth tokens are NHI credentials that need rotation and revocation discipline. |
| OWASP Agentic AI Top 10 | A2 | Compromised integrations behave like autonomous workloads with delegated access. |
| NIST AI RMF | GOVERN | OAuth-connected apps need accountable governance for trusted automated access. |
Inventory each Salesforce app token, set TTLs, and revoke grants on app compromise or inactivity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
