In August 2025, attackers abused OAuth tokens tied to Salesloft and Drift integrations to reach customer Salesforce accounts. What followed was a chain reaction that affected more than 700 organizations and forced well-known companies to rush into emergency token revocations. This incident showed how a single integration, once trusted, can open a quiet pathway into customer environments because OAuth traffic often looks like normal app activity.
The event pushed boards and risk leaders to acknowledge something many teams had been avoiding. OAuth token misuse is not a niche problem. It is a critical-access problem that lives outside passwords and MFA, and it requires the same priority as cloud account access.
Attackers secured valid OAuth access and refresh tokens that belonged to a third-party application. With those tokens they began calling Salesforce APIs without needing a username, a password or any MFA challenge. The integration allowed them to move around as if they were the app itself.
Once inside, they ran queries that looked like authorized integration traffic. They scanned for stored credentials inside records, including cloud keys and data warehouse tokens. By exporting this information, they expanded their reach into other systems. They did not need to break into accounts. The tokens acted like universal passes that stayed valid until someone revoked them.
These gaps meant teams had paperwork that looked complete, but they lacked real visibility into the permissions that mattered most.
A single supplier integration with wide access created a multi-company exposure. Attackers reached many Salesforce instances and found secrets such as AWS and Snowflake credentials that customers had stored inside records. That discovery allowed them to move into additional cloud systems and forced widespread rotations of keys.
This showed how easily risk spreads across layers of connected services. When an integration touches customer data, support cases, messaging tools or data pipelines, a compromise in one place can create trouble in several others. Recovery becomes slow and expensive, and many teams end up locked in long incident cycles.
The message is straightforward. Regulators want operational evidence that firms know which integrations are critical, how they behave, and how quickly they can be shut down when something goes wrong.

Most companies do not have a complete picture of all the apps connected to their environment. There are sanctioned apps from procurement, user-granted OAuth apps that appear through self-service, and shadow apps that appear in logs without approval. Understanding these layers is the only way to manage real exposure.
Start by building a list of known integrations. Add entries for every app that users have granted access to, especially those with broad data permissions. Then look for unknown or unapproved apps in sign-in and activity logs. For each app, check which data it can see, which API calls it can make, and whether it links to cloud keys or warehouse tokens.
This work reveals the hidden paths attackers might follow. When teams see those paths clearly, they can tighten scopes, remove unused apps, rotate old tokens, and explain the risk in simple terms to leadership.
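The inventory exercise described above, as an added worked example in Python (illustrative code written for this article, not a tool from the incident or from any vendor): it merges the three views the text names, a procurement list, self-service OAuth grants, and apps observed in activity logs, and reports shadow apps, broad-scope apps, apps that can read the objects where credentials are kept, and approved apps that are never used. The app names, client ids, the JSON-lines log format, the `BROAD_SCOPES` set and the `SECRET_BEARING_OBJECTS` set are all constructed assumptions; real exports and scope names differ by platform.

```python
import json

# Constructed classification for this example: scopes broad enough to warrant review.
BROAD_SCOPES = {"full", "api", "refresh_token"}
# Constructed assumption: objects where this tenant is known to keep cloud keys or
# warehouse tokens in free-text fields (the kind of record the incident narrative describes).
SECRET_BEARING_OBJECTS = {"Case", "Account"}

# View 1: apps sanctioned through procurement (constructed).
SANCTIONED_APPS = {"Drift Connector", "Backup Service"}
# View 2: OAuth apps users granted through self-service (constructed).
USER_GRANTS = [
    {"app": "Drift Connector", "client_id": "cid-001", "scopes": ["api", "refresh_token"]},
    {"app": "Slide Deck Helper", "client_id": "cid-002", "scopes": ["id", "openid"]},
]
# View 3: API activity events as JSON lines (constructed; real export formats differ).
ACTIVITY_LOG = """
{"ts": "2025-08-12T10:01:22Z", "client_id": "cid-001", "app": "Drift Connector", "event": "query", "object": "Case", "records": 4200}
{"ts": "2025-08-12T10:02:05Z", "client_id": "cid-001", "app": "Drift Connector", "event": "query", "object": "Account", "records": 900}
{"ts": "2025-08-12T10:03:11Z", "client_id": "cid-002", "app": "Slide Deck Helper", "event": "login", "object": null, "records": 0}
not-json garbage line of the kind a real export can contain
{"ts": "2025-08-12T10:04:47Z", "client_id": "cid-009", "app": "Lead Sync Beta", "event": "query", "object": "Contact", "records": 15000}
"""


def parse_activity(log_text):
    """Parse JSON-lines activity events, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole review
    return events


def build_inventory(sanctioned, grants, events):
    """Merge the three views into one record per app name."""
    apps = {}

    def entry(name):
        return apps.setdefault(name, {
            "sanctioned": False, "granted": False, "client_ids": set(),
            "scopes": set(), "objects_seen": set(), "events": 0,
        })

    for name in sanctioned:
        entry(name)["sanctioned"] = True
    for grant in grants:
        rec = entry(grant["app"])
        rec["granted"] = True
        rec["client_ids"].add(grant["client_id"])
        rec["scopes"].update(grant["scopes"])
    for ev in events:
        rec = entry(ev["app"])
        rec["client_ids"].add(ev["client_id"])
        rec["events"] += 1
        if ev.get("object"):
            rec["objects_seen"].add(ev["object"])
    return apps


def classify(apps):
    """Turn the merged inventory into the four lists a review meeting needs."""
    findings = {"shadow": [], "broad_scope": [], "touches_secret_objects": [], "idle": []}
    for name, rec in sorted(apps.items()):
        known = rec["sanctioned"] or rec["granted"]
        if not known and rec["events"] > 0:
            findings["shadow"].append(name)                  # active in logs, approved nowhere
        if rec["scopes"] & BROAD_SCOPES:
            findings["broad_scope"].append(name)             # candidate for scope tightening
        if rec["objects_seen"] & SECRET_BEARING_OBJECTS:
            findings["touches_secret_objects"].append(name)  # can read records that hold keys
        if known and rec["events"] == 0:
            findings["idle"].append(name)                    # approved but unused: remove it
    return findings


def review():
    apps = build_inventory(SANCTIONED_APPS, USER_GRANTS, parse_activity(ACTIVITY_LOG))
    return classify(apps)


if __name__ == "__main__":
    for category, names in review().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

The shadow-app check deliberately keys on activity rather than on existence: an app that appears in neither list and never calls the API is noise, while one that is querying records without any approval is exactly the "quiet pathway" the incident narrative describes. Each of the four lists maps to a concrete action from the text: investigate, tighten scopes, move stored secrets out of records, or remove the app.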
Tools that watch SaaS settings and OAuth permissions offer a more practical way to stay ahead of risk. They alert teams to sudden permission changes, exposed tokens or misconfigurations, and they feed this information into a single third-party risk register.
This creates a more accurate picture of vendor importance and makes board-level reporting easier to maintain.
Start with an emergency review of all active OAuth apps and revoke high-risk tokens, especially those with large scopes or access to critical systems. Rank your top integrations based on the data they can reach and how much damage they could cause if a token were abused.
Over the next three months, deploy continuous monitoring for SaaS posture and reduce token lifetime for service accounts. Feed all permission changes into your third-party risk register so scores update as soon as an app gains new access.
Next, run a tabletop exercise to test how quickly your team can respond to token misuse. Update contracts and procurement templates so that critical suppliers must provide posture evidence and support fast token revocation. These steps give teams better control over their integration surface and improve readiness for both incidents and regulatory reviews.
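The steps above (rank integrations by the data they reach and the damage a misused token could do, watch for permission changes, feed every change into the third-party risk register so scores update immediately, and keep service-account tokens short-lived) as one added worked example in Python. This is illustrative code written for this article, not a product or a script from the incident; the app names, the two snapshots, the scoring weights, the `BROAD_SCOPES` set, the 30-day token-age limit and the revocation threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed classification for this example: scopes broad enough to count against an app.
BROAD_SCOPES = {"full", "api", "refresh_token"}
# Assumption: service-account tokens older than this are overdue for rotation.
MAX_TOKEN_AGE_DAYS = 30
# Assumption: scores at or above this line go on the revocation shortlist.
REVOKE_THRESHOLD = 8


@dataclass
class AppPosture:
    scopes: set
    objects: set                # objects the app has been observed reading
    linked_cloud_secrets: bool  # app can reach records that hold cloud keys or warehouse tokens
    token_age_days: int


def risk_score(p):
    """Blast-radius score from scopes, data reach, secret exposure and token age."""
    score = 3 * len(p.scopes & BROAD_SCOPES) + len(p.objects)
    if p.linked_cloud_secrets:
        score += 5
    if p.token_age_days > MAX_TOKEN_AGE_DAYS:
        score += 2
    return score


def diff_snapshots(old, new):
    """Permission changes between two posture snapshots, in a form a register can ingest."""
    changes = []
    for name, p in new.items():
        if name not in old:
            changes.append((name, "new_app", sorted(p.scopes)))
            continue
        added = p.scopes - old[name].scopes
        removed = old[name].scopes - p.scopes
        if added:
            changes.append((name, "scopes_added", sorted(added)))
        if removed:
            changes.append((name, "scopes_removed", sorted(removed)))
    for name in old:
        if name not in new:
            changes.append((name, "app_removed", []))
    return changes


def update_register(register, snapshot):
    """Recompute every score in place; return the apps whose score moved."""
    moved = []
    for name, p in snapshot.items():
        new_score = risk_score(p)
        if register.get(name) != new_score:
            moved.append(name)
        register[name] = new_score
    return moved


def revocation_shortlist(register, threshold=REVOKE_THRESHOLD):
    """Highest score first; ties broken by name so the list is stable across runs."""
    ranked = sorted(register.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, score in ranked if score >= threshold]


# Two constructed snapshots taken a day apart.
YESTERDAY = {
    "Drift Connector": AppPosture({"api"}, {"Case"}, False, 10),
    "Backup Service": AppPosture({"full", "refresh_token"}, {"Account", "Contact", "Opportunity"}, True, 45),
    "Slide Deck Helper": AppPosture({"id", "openid"}, set(), False, 5),
}
TODAY = {
    "Drift Connector": AppPosture({"api", "refresh_token"}, {"Case", "Account"}, True, 11),
    "Backup Service": AppPosture({"full", "refresh_token"}, {"Account", "Contact", "Opportunity"}, True, 45),
    "Slide Deck Helper": AppPosture({"id", "openid"}, set(), False, 5),
    "Lead Sync Beta": AppPosture({"api"}, {"Contact"}, False, 1),
}


def run():
    register = {}
    update_register(register, YESTERDAY)            # baseline scores
    changes = diff_snapshots(YESTERDAY, TODAY)       # what changed overnight
    moved = update_register(register, TODAY)         # register updates as soon as access grows
    return changes, moved, revocation_shortlist(register)


if __name__ == "__main__":
    changes, moved, shortlist = run()
    for change in changes:
        print("change:", change)
    print("rescored:", moved)
    print("revoke first:", shortlist)
```

In the constructed data, Drift Connector gains a refresh token scope and access to a second object overnight, which lifts its score from 4 to 13 and puts it on the shortlist next to the long-lived Backup Service token, while the newly seen Lead Sync Beta is scored but stays below the threshold. Whatever weights you choose, the point is that the score is recomputed from the observed posture on every snapshot, so the register never lags the tenant.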
In this incident, attackers used OAuth tokens tied to a chat and sales integration to query Salesforce records and find embedded secrets. Vendors and customers then had to coordinate revocation and rotation activity across many environments. The case made it clear that integration privilege should be viewed with the same seriousness as administrative cloud access.
OAuth token misuse is now a central part of supply chain attacks. It moves quietly between SaaS systems and cloud platforms and gives attackers a simple way to avoid traditional security checks. Boards are focusing on three straightforward indicators: how many integrations have powerful scopes, how fast tokens can be revoked, and how many critical apps are under active monitoring.
If your organization wants a focused review of its integration exposure, reach out through the iRM contact us page for a guided assessment and clear next steps tailored to your environment.