When trusted connections become attack vectors
August 2025 will be remembered as the month when OAuth tokens brought down organizations in a single supply chain attack. The Salesloft Drift incident demonstrated how quickly trusted integrations can become the keys to your digital kingdom, with threat actors systematically exfiltrating sensitive data across multiple platforms.
The bottom line: Organizations with comprehensive visibility into their connected app landscape could identify and remediate risks proactively. Those without this visibility discovered their exposure only after the breach.
The hidden risk in your connected app environment
The Salesloft incident succeeded because of a fundamental blind spot in modern SaaS security. As one security expert observed, "most organizations don't actually know every marketplace app, API integration, or OAuth integration that is connected to their SaaS data. If you can't enumerate your connected apps, you can't defend them."
This visibility gap creates exactly the conditions attackers exploit. User-installed Salesforce connected apps that operate outside administrative oversight create OAuth token risks that security teams cannot manage because they cannot see them. When these tokens are compromised, attackers inherit trusted access, bypassing traditional security controls, including multi-factor authentication.
Identity Security Posture Management: Bringing connected app risks into the light
Identity Security Posture Management addresses visibility gaps for connected apps. One method is by detecting user-installed Salesforce connected apps that are unmanaged by administrators. This capability provides security teams with the critical insight they need to understand their actual OAuth token exposure.
The Identity Security Posture Management interface reveals the hidden landscape of connected applications within your Salesforce environment. Each detected app shows the user who installed it. The system identifies that these apps "may allow 3rd parties to bypass security controls using OAuth tokens, potentially leading to unauthorized access and exfiltration."
Instead of discovering risky integrations during breach investigations, security teams can identify and remediate these risks before attackers exploit them.
Salesforce connected apps are one of multiple Workload App Identities that Identity Security Posture Management covers — learn more in this blog post.
Beyond service accounts: The complete non-human identity picture
The Salesloft incident illuminated a crucial gap in how organizations approach identity security. While many security solutions focus exclusively on service accounts, the reality is that non-human identities encompass a much broader spectrum of risk. Connected applications, OAuth integrations, API keys, and automated workflows all represent potential attack vectors.
Identity Security Posture Management addresses this comprehensive challenge by providing unified visibility across all identity types, including the Salesforce-connected apps that other solutions overlook. This broader perspective is essential because modern attacks increasingly target the connections between applications rather than the applications themselves.
When threat actors compromise OAuth tokens from trusted integrations, they gain legitimate access that traditional security tools struggle to detect. Organizations with comprehensive identity visibility can quickly assess the full scope of potential exposure and take systematic remediation actions.
The lesson is clear: in an environment where trusted integrations can become attack vectors overnight, comprehensive identity security visibility is not optional. The organizations that remain resilient will be those that invest in capabilities providing continuous visibility into all identity types, including the connected applications that create OAuth token risks.
Your next step: See how Identity Security Posture Management can provide the comprehensive connected app visibility your organization needs. Visit our Identity Security Posture Management page to learn more about securing your complete identity landscape and reducing risks across all non-human identities.
