Why OAuth Blind Spots Keep Putting SaaS Supply Chains at Risk

When Drift, acquired by Salesloft last year, suffered a breach in August 2025, the incident underscored a problem security teams have long underestimated: OAuth integrations.

Attackers leveraged stolen tokens to move laterally, gaining access to Salesforce and Google Workspace environments across hundreds of organizations. The breach highlights how OAuth—a technology meant to simplify identity and integration—has become a blind spot in Software-as-a-Service (SaaS) security.

We spoke with Jaime Blasco, CTO and co-founder of Nudge Security, to break down what happened, why OAuth tokens are so dangerous, and what IT teams can do to prevent similar incidents.

The breach that spread through Salesforce

The attack began in March, when the threat group UNC6395 gained access to Drift’s GitHub repositories.

“For a few months, they were trying to get access to the environment, understand it,” Blasco explained. “Then, around July, they pivoted into the AWS environment. Once there, they stole all tokens from different integrations that Drift provides.”

Those integrations included Salesforce and Google Workspace. According to Blasco, more than 700 companies were likely affected.

The attackers then combed through Salesforce support cases, looking for customer credentials—a tactic seen before in breaches involving Okta and Cloudflare.

Why OAuth tokens are vulnerable

OAuth tokens are designed to grant persistent trust between applications. But when attackers obtain them, traditional defenses like multi-factor authentication (MFA) offer no protection.

“Once you’ve got that OAuth token in your hands, it’s game over,” said Blasco. “MFA and other controls are useless, because OAuth is a non-human identity. From now on, you trust Drift with those credentials—and there’s no continuous authentication.”

Some companies mitigated the attack. Okta, for example, blocked token misuse by restricting Salesforce access to known IP ranges. But most organizations lack these safeguards.

Missed opportunities for detection

Could Drift have stopped the attackers earlier? Possibly.

“From a cloud security perspective, there are ways vendors can implement detection,” Blasco said. “Even if it happens, being able to find it quickly and prevent the use of those credentials is the right thing to do.”

Yet many companies don’t forward SaaS logs, restrict OAuth token lifespans, or enforce session timeouts. That leaves integrations wide open once a token is stolen.

The SaaS security mess

Blasco sees three recurring mistakes among IT and security teams:

1. No visibility – “A large number of organizations don’t even know which SaaS providers they use, what integrations exist, or who owns them.”
2. No approval process – Shadow IT enables departments like Marketing to spin up integrations without oversight.
3. No posture management – Few organizations enforce recommended settings or monitor changes in real time.

The result: a fragmented SaaS landscape where attackers can quietly exploit blind spots.

A different way to discover SaaS

Nudge Security aims to fix that. Its platform discovers shadow SaaS by analyzing machine-generated onboarding emails—like the “Welcome to Salesforce” messages employees receive when spinning up accounts.

“We use APIs from Google and Microsoft to scan those machine-generated emails,” Blasco explained. “That gives us a fast, accurate inventory of SaaS apps.”

From there, the platform maps integrations, flags misconfigurations, and even nudges employees in real time with security guidance.

Check out the full conversation with Jaime Blasco on YouTube.

Shadow SaaS meets shadow AI

If shadow SaaS has been a longstanding problem, shadow AI is making it worse. Employees are adopting AI tools outside IT’s control, often exposing sensitive data to unvetted startups.

“We thought shadow SaaS was a huge problem—wait until you hear about shadow AI,” said Blasco. “AI adoption is just making the shadow problem even bigger.”

As AI agents mature, they’ll rely on OAuth, API keys, and new protocols to access data—widening the attack surface even further.

Where security teams should start

Despite the complexity, Blasco insists teams should begin with the fundamentals:

“You can’t protect what you can’t see. Start with an inventory of applications, enforce MFA, and configure your integrations with timeouts and IP restrictions.”

The Salesloft/Drift breach may not be the last of its kind—but it’s a warning shot. Without better visibility and tighter controls, OAuth will remain an Achilles’ heel in the SaaS supply chain.