When OAuth Tokens Go Rogue: Lessons from the Salesloft–Drift Breach

In August 2025, attackers exploited the Salesloft-Drift OAuth integration to compromise over 700 organizations’ Salesforce instances. This wasn’t a direct vulnerability in Salesforce, but rather an ecosystem failure highlighting how SaaS supply chains, OAuth tokens, and identity gaps have become today’s most critical enterprise security risks. This document examines what happened, why traditional security measures failed, and what organizations can do to protect themselves from similar attacks. 

The Anatomy of the Attack 

  1. Initial Compromise – Attackers stole OAuth access and refresh tokens associated with the Salesloft-Drift integration. Because a valid token is presented in place of an interactive login, MFA was never invoked and was bypassed completely.
  2. Data Exfiltration – Using the stolen tokens, attackers executed SOQL queries in Salesforce to extract sensitive data, including AWS access keys, Snowflake tokens, and user passwords.
  3. Covering Tracks – Query jobs were deleted after exfiltration to reduce the chance of detection.
  4. Extended Impact – Drift Email integration tokens were also compromised, granting limited access to Google Workspace accounts across organizations.

Why this Attack Succeeded  

  • OAuth Token Power – A stolen OAuth token is accepted without an MFA prompt, and refresh tokens typically live far longer than an interactive session, making them high-value targets.
  • Over-permissioned Apps – Drift integrations often received excessive API permissions without proper security review. 
  • Poor Visibility – Most enterprises lack monitoring capabilities for SaaS integrations and token misuse patterns. 
  • Supply Chain Blast Radius – A single vendor compromise affected hundreds of downstream customers simultaneously. 

This incident serves as a blueprint for modern SaaS attacks, where adversaries target OAuth tokens, integrations, and overlooked identity gaps.

Why Traditional Security Failed 

The Missing Link 

Most security tools today miss two key things: they don’t give a full picture of SaaS security, and they can’t spot in real time when identities are being misused. This allowed the attackers to stay hidden for a long time.

Older security tools simply weren’t built for the new ways businesses use SaaS apps. These apps connect in complex ways through integrations, APIs, and OAuth tokens, creating a network of trust that goes far beyond a company’s own network. 

Current Security Gaps 

  • SIEM/XDR – These tools are reactive, generate too many alerts, and were not built around SaaS data models, so they cannot reliably interpret or detect suspicious activity originating from SaaS integrations.
  • IAM – IAM handles who logs in but offers little insight into how SaaS apps use APIs or manage their tokens. 
  • CASB – CASB focuses mainly on network traffic, not on how apps integrate. It fails to detect when OAuth tokens are misused between linked services. 

Closing the Gaps: Immediate Actions and Long-Term Strategy 

Urgent Action Required: If your organization uses Salesforce with Drift or Salesloft integrations, immediate token rotation and permission reviews should be conducted as a priority. 

  • SSPM (SaaS Security Posture Management): Continuously monitors SaaS apps and integrations to reduce risk before exploitation by flagging risky OAuth permissions, detecting dormant accounts with elevated privileges, and mapping configurations against security frameworks. 
  • ITDR (Identity Threat Detection & Response): Detects and responds to identity threats in real time by identifying suspicious token usage patterns, flagging unusual API activity, and automatically triggering token revocation and session termination when needed.
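An added example, not from the original post or any vendor's product: the ITDR detections described above written as a small Python rule set run over constructed integration audit events. The event field names, sample values, the integration user, its row baseline and its allowed-object map are all assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events, loosely modelled on the API / bulk-query
# records a SaaS platform's event log exposes. Field names, values and the
# integration user are assumptions for this example only.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T02:10:00Z", "user": "drift-int@corp.example",
     "type": "QUERY", "object": "Case", "rows": 48000, "job_id": "J1"},
    {"ts": "2025-08-08T02:11:30Z", "user": "drift-int@corp.example",
     "type": "JOB_DELETE", "object": "Case", "rows": 0, "job_id": "J1"},
    {"ts": "2025-08-08T09:00:00Z", "user": "drift-int@corp.example",
     "type": "QUERY", "object": "Lead", "rows": 120, "job_id": "J2"},
]

# Per-integration baselines learned from history (constructed values): the
# typical rows exported per job, and the objects the integration legitimately needs.
BASELINE_ROWS = {"drift-int@corp.example": 500}
ALLOWED_OBJECTS = {"drift-int@corp.example": {"Lead", "Contact"}}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, baseline_rows, allowed_objects,
           volume_factor=10, delete_window=timedelta(minutes=15)):
    """Return (rule, job_id) findings for the token-misuse patterns in the post:
    exports far above the integration's baseline, queries against objects
    outside its scope, and query jobs deleted shortly after they ran."""
    findings = []
    queries = {}  # job_id -> its QUERY event, so a later delete can be correlated
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "QUERY":
            queries[ev["job_id"]] = ev
            # Unknown integrations get a baseline of 0, so any export is flagged.
            if ev["rows"] > baseline_rows.get(ev["user"], 0) * volume_factor:
                findings.append(("bulk_export_over_baseline", ev["job_id"]))
            if ev["object"] not in allowed_objects.get(ev["user"], set()):
                findings.append(("object_outside_integration_scope", ev["job_id"]))
        elif ev["type"] == "JOB_DELETE":
            query = queries.get(ev["job_id"])
            if query and parse_ts(ev["ts"]) - parse_ts(query["ts"]) <= delete_window:
                findings.append(("query_job_deleted_quickly", ev["job_id"]))
    return findings


if __name__ == "__main__":
    for rule, job in detect(SAMPLE_EVENTS, BASELINE_ROWS, ALLOWED_OBJECTS):
        print(f"{rule}: job {job}")
```

In a real deployment each finding would feed the revocation and session-termination step the bullet describes, keyed on the integration user's token rather than the job id.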

6 Critical Actions for Enterprises 

  1. Audit & rotate OAuth tokens: focus on Drift/Salesloft integrations first; implement regular rotation schedules 
  2. Review integration scopes: enforce least privilege for all SaaS-to-SaaS connections 
  3. Monitor dormant accounts: identify and remediate unused accounts with elevated privileges 
  4. Adopt SSPM: implement continuous posture management across all SaaS applications 
  5. Deploy ITDR: establish detection capabilities for abnormal identity behaviors 
  6. Correlate SaaS signals: connect SaaS telemetry with existing SIEM/XDR/SOAR for comprehensive visibility and response 

Conclusion 

The Salesloft-Drift breach represents a fundamental shift in the SaaS threat landscape. Perimeter defenses are no longer sufficient in an environment where OAuth tokens, third-party integrations, and identity have become primary attack vectors. 

Organizations must embrace SSPM and ITDR as core pillars of their SaaS security strategy. By combining continuous posture management with identity-centric threat detection, enterprises can significantly reduce their exposure to this new class of supply chain attacks. 

In today’s interconnected SaaS ecosystem, the question isn’t if attackers will target your organization’s OAuth tokens and integrations—it’s when.