OAuth Gone Rogue: Lessons from the Drift–Salesforce Breach

In August 2025, a sophisticated supply chain attack exploited OAuth tokens from Drift, a chatbot integrated with Salesforce via Salesloft. Over 700 organizations were affected. Unlike traditional breaches, attackers did not compromise Salesforce directly. Instead, they abused legitimate OAuth tokens, gaining access to sensitive customer data and embedded credentials for cloud platforms such as AWS and Snowflake.

This breach illustrates a new reality: OAuth tokens, once considered a convenience for integrations, are now high-value attack targets. The incident exposes systemic weaknesses in the management of third-party applications, non-human identities, and API access. Understanding the breach provides critical lessons for securing modern cloud environments.

What Is an OAuth Token?

OAuth, or Open Authorization, is a protocol that allows applications to access user accounts without requiring passwords. Users grant applications specific permissions through secure tokens.

Think of an OAuth token as a temporary access pass. It allows an application to perform specific actions, such as reading contacts or sending emails, without requiring the user’s credentials directly. OAuth tokens simplify integrations, improve automation, and reduce friction for users. However, their invisibility and direct access to data make them highly attractive to attackers. Once compromised, tokens allow persistent access to sensitive resources, often bypassing conventional security alerts.

How the Drift–Salesforce Breach Unfolded

The attackers, identified as UNC6395, first gained access to Salesloft’s GitHub repository. Using scanning tools, they discovered OAuth tokens hardcoded in Drift’s configuration. These tokens bypassed login credentials and multi-factor authentication, granting direct access to Salesforce APIs.

Once inside, the attackers automated the extraction of Salesforce data, including support cases, contacts, accounts, and opportunities. They also harvested embedded secrets such as AWS access keys, Snowflake tokens, VPN credentials, and service account passwords.

To remain undetected, the attackers deleted query logs, routed traffic through Tor and cloud proxies, and manipulated user-agent strings to mimic legitimate Drift activity. Their operations were both stealthy and highly efficient.

Attack Techniques

The breach leveraged a combination of modern cloud-focused techniques, adapted from traditional cyberattack methods. Each technique demonstrates how attackers are evolving to exploit non-human identities, API access, and trusted integrations.

· T1078.004 – Valid Accounts: Cloud Accounts

Stolen OAuth tokens were used to impersonate legitimate users. By acting as authorized accounts, attackers bypassed password protections and multi-factor authentication. This method made it extremely difficult for conventional security monitoring systems to detect anomalies, allowing attackers to exfiltrate sensitive data at scale

· T1566 – Phishing

Consent phishing was likely used to trick users into authorizing malicious applications. Unlike traditional phishing, this attack targeted trust in SaaS integrations rather than software vulnerabilities. By convincing users to grant access, attackers obtained legitimate tokens that could be misused repeatedly without raising immediate alarms.

· T1020 – Automated Exfiltration

Automation played a central role in the breach. Python scripts were employed to extract data via SOQL queries in bulk. These scripts operated silently and blended into normal traffic, enabling the attackers to harvest large volumes of information rapidly. Automation allowed them to scale the attack efficiently and evade detection.

· T1036 – Masquerading

To avoid detection, attackers used masquerading techniques. Custom user-agent strings were configured to mimic legitimate Drift traffic, while data exfiltration occurred over standard HTTPS protocols. This combination of disguise and protocol selection made it difficult for security teams to distinguish malicious activity from normal system operations.

· T1556.001 – Modify Authentication Process: OAuth Tokens

The attackers created or reused OAuth tokens to maintain persistent access. By modifying the authentication process, they extended control over compromised accounts, enabling lateral movement across systems and sustained data extraction. This demonstrates the critical importance of token lifecycle management in cloud security.

· T1110.003 – Credential Dumping: Credentials in Files

Finally, attackers extracted secrets embedded in files and support case records. This form of credential dumping allowed further compromise of cloud resources, including AWS and Snowflake. Sensitive information does not need to reside in a credentials vault to be exploited; any file or record containing secrets becomes a potential attack vector.

Why OAuth Tokens Are a High-Value Target

OAuth tokens bypass many traditional security controls, including multi-factor authentication and login monitoring. They provide direct API access to sensitive data and often remain invisible to endpoint detection and SIEM tools. Tokens can be reused across platforms, enabling lateral movement and escalation. Common vulnerabilities such as misconfigured scopes, redirect URI manipulation, token leakage, and authorization sprawl further amplify risk.

In modern cloud ecosystems, a compromised token acts as a master key. Attackers can access multiple systems, extract sensitive data, and operate undetected, making OAuth security a central concern for enterprises.

Lessons Learned: Securing OAuth and Modern Integrations

The Drift–Salesforce breach underscores that OAuth governance is no longer a technical detail but a strategic priority. Organizations must take a holistic approach to secure tokens, non-human identities, and API access.

1. Treat Tokens as Critical Credentials

OAuth tokens should be managed with the same rigor as passwords, API keys, or SSH certificates. This includes implementing regular rotation, restricting permissions to the minimum required, and revoking tokens immediately when they are no longer needed. Overprivileged or stale tokens are high-risk and can amplify the impact of a breach.

2. Comprehensive OAuth Inventory and Governance

Maintaining a complete inventory of all OAuth integrations is essential. This includes internal tools, third-party applications, and automation platforms. Organizations should track what data each application accesses, the token lifespan, and whether least privilege principles are enforced. Regular audits help identify risky integrations and prevent unauthorized access.

3. Monitoring API Activity and Behavioral Anomalies

Traditional security tools often overlook attacks through APIs or OAuth tokens. Organizations should monitor query volumes, unusual access patterns, and abnormal user-agent strings. Behavioral analytics can establish baselines of normal activity, helping detect anomalies indicative of token misuse or compromise.

4. Strengthening Governance for Non-Human Identities

Service accounts, automation scripts, and applications represent high-value targets. Identity governance must include these non-human accounts. Conditional access policies, role-based access controls, and behavioral monitoring can prevent unauthorized activity and reduce exposure.

5. Protecting Sensitive Data in Support Systems

Support tickets, CRM records, and other operational systems can inadvertently contain secrets. Organizations must implement data classification, sanitization, and access controls to ensure sensitive information is not exposed to attackers. Even seemingly benign records can be leveraged for credential harvesting if left unprotected.

6. Zero Trust Across Integrations

The breach illustrates the dangers of assuming trust between platforms. Organizations must enforce zero trust principles, validating every API call and token use. Segmentation, least privilege, and continuous monitoring reduce the risk of lateral movement and limit the blast radius of compromised tokens.

7. Education and Training

Human error remains a significant factor in OAuth compromise. Employees and developers must be trained to recognize consent phishing, avoid hardcoding tokens in repositories, and follow secure coding practices. Simulated incident response drills can prepare teams to respond effectively to token misuse.

8. Board-Level Visibility and Strategic Oversight

OAuth governance must extend beyond technical teams. Organizations should include token management, lifecycle policies, and integration audits in risk discussions at the board level. Strategic oversight ensures that security priorities align with enterprise risk management and regulatory compliance.

9. Preparing for Supply Chain and SaaS Risks

The breach demonstrates the impact of supply chain-style attacks in SaaS ecosystems. Organizations must evaluate the trustworthiness of third-party platforms and integrations continually. Continuous risk assessment, integration review, and proactive monitoring are essential to prevent similar incidents.

Federal and Industry Guidance on OAuth Security

Several standards outline best practices for securing OAuth implementations.

• IETF RFC 9700 recommends deprecating insecure flows like Implicit Grant, using Proof Key for Code Exchange to prevent token interception, enforcing token rotation, and restricting scopes.
• OWASP OAuth2 Cheat Sheet emphasizes short-lived tokens, refresh token rotation, CSRF protections, and audience restriction to limit token usage to specific resource servers.
• NIST SP 800-63B stresses strong authentication for all identities, including non-human accounts, alongside strict lifecycle management and session revocation.

Organizations adhering to these guidelines reduce the likelihood of OAuth-based breaches while ensuring compliance with industry and regulatory expectations.