Between August 8 and August 18, 2025, attackers used stolen OAuth tokens from the Salesloft-Drift integration to bulk-export data from Salesforce instances at 700+ organisations — including Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, and Tanium. Salesloft disclosed it on August 20. Customers got formal notification through Fastly Service Advisories from September 4 onwards (Google Cloud threat intel, driftbreach.com tracker). The pattern matters more than the specific vendor: it shows what an OAuth-token compromise looks like when it scales. Every Indian SaaS has a connected-app surface that is vulnerable to the same class of attack. This is the 1-hour audit to run on your stack this weekend.
## The 60-second answer
Open your Google Workspace, Microsoft 365, Salesforce, Slack, and GitHub admin consoles. List every third-party app with active OAuth tokens. Revoke every token older than 90 days that nobody can name a business reason for. Rotate the rest. For the apps you keep, narrow the scopes to read-only where possible. We have walked five Indian SaaS teams through this since the Drift disclosure — every single one found 8-15 stale OAuth tokens nobody remembered granting.
## Why this matters now
The Drift breach is interesting not because chatbots got compromised, but because the attackers used legitimate OAuth tokens. Every defence built around "block bad domains" or "block bad IPs" failed — the requests came from Salesloft's real infrastructure with valid tokens. As Cloudflare put it in their disclosure, "the use of trusted, valid tokens means standard EDR or perimeter detection is largely useless" (Cloudflare disclosure).
The same class of attack works against any SaaS-to-SaaS integration. If your CRM is connected to your marketing tool, your finance tool, your support tool, and your AI chatbot — the attack surface is the union of all those vendors' security postures, not just your own. UNC6395 went specifically after support cases on Salesforce because that is where customer-shared secrets and credentials accumulate (Unit 42 threat brief).
## The 1-hour audit walkthrough
This is the audit we run with a founder and one engineer in a single Saturday morning. Coffee, two browser tabs, a fresh Notion doc. Each step has a verification you can complete before moving on.
## The 5-line shell script that lists active GitHub OAuth tokens for your org
The lesson: even firms with mature security programs got hit. The defence is not "be perfect" — it is "minimise blast radius." The fewer scopes a connected app has, the less an attacker walks away with when the upstream vendor is compromised.
## The 5 contract clauses to add to every new OAuth integration
When a sales team or marketing team next asks you to grant an OAuth integration, your security review should require five things:
700+
Organisations impacted by the Salesloft-Drift breach
10 days
Window when stolen OAuth tokens were active (Aug 8-18)
UNC6395
Threat actor cluster Mandiant attributed the campaign to
1 hour
Time to run this audit for a 30-person SaaS
The asymmetry that bites SMBs. Big tech firms were the headline victims, but the structural problem is worse for SMBs. A 30-person Indian SaaS will typically grant a new OAuth integration in 5 minutes during onboarding, then never review it. Six months later, the AI sales assistant trial that ended in February still has full read-write access to your CRM. UNC6395-style attackers know this and harvest tokens accordingly.
## The 6 places to audit (in order)
Google Workspace
admin.google.com → Security → API controls → App access control. Lists every app with OAuth scopes against your domain. Most orgs have 30-80 apps; 60% are unused.
Microsoft 365 / Entra
entra.microsoft.com → Identity → Applications → Enterprise applications. Sort by "Last sign-in." Anything unused for 90+ days is a candidate for revocation.
Salesforce
Setup → Connected Apps OAuth Usage. Salesforce showed every Indian admin we worked with at least 4 connected apps that had not been used in 6+ months.
Slack
Workspace admin → Apps → Manage. Look for old AI assistants, sales tools, calendar bots. Revoke anything with broader scope than business need.
GitHub Org
github.com/organizations/[org]/settings/installations + Personal access tokens. PATs from former employees are the most-found vulnerability we encounter.
Stripe / payment / banking
Stripe dashboard → Developers → API keys + Connected accounts. Restricted keys with broad scopes are a common gap. Every org should also know who has banking-portal access — separate from OAuth but same hygiene principle.
1
Minute 0-10: Inventory Google Workspace OAuth grants
Sign in to admin.google.com. Navigate Security → API controls → App access control → Manage Google Services. Then click "Manage third-party app access." Export the full list to CSV. Most 30-person orgs see 40-80 apps. Highlight any that nobody on the team can name a current business reason for. Verify: a CSV with at least: app name, granted by user, last activity, scopes.
2
Minute 10-15: Quick-revoke unused Google apps
For every app on your CSV with last activity older than 90 days AND that nobody on the team can name, click "Block." Then have one person on the team test the next morning that nothing critical broke. Most orgs cut 40% of their app list this way without breaking anything.
3
Minute 15-25: Microsoft 365 / Entra audit
If you also use Microsoft, sign in to entra.microsoft.com → Identity → Applications → Enterprise applications. Filter by "Last sign-in date" before 90 days ago. Disable user sign-ins for those apps (does not delete; reversible). Verify no internal users are blocked from a workflow they need.
4
Minute 25-35: Salesforce / CRM connected apps
In Salesforce: Setup → Connected Apps OAuth Usage. Lists every app with active OAuth tokens. Sort by "Last Used Date." For unused apps, click "Revoke." For active apps, click into each and check the OAuth scopes — do they really need "API access" if they only read leads? Narrow scopes where possible.
5
Minute 35-45: Slack and GitHub
Slack workspace admin → Apps → Manage. Revoke unused ones. GitHub: organisations/[org]/settings/installations + your personal account → Settings → Developer settings → Personal access tokens. PATs from former employees show up here surprisingly often. Revoke immediately.
6
Minute 45-55: Stripe, payment, banking review
Stripe dashboard → Developers → API keys. Identify any "live" mode unrestricted keys older than 6 months and rotate them. Check Connected accounts and webhooks. Separately, pull a list of every human with banking-portal access — most ops teams do not know this number off the top of their head.
7
Minute 55-60: Document and schedule next review
In your Notion: list of apps revoked, apps kept, scope changes made, owner for each remaining app. Add a calendar event for 90 days from today titled "OAuth audit — 60 minutes." Re-run.
#!/usr/bin/env bash
# Requires: gh CLI authenticated as an org admin
ORG="${1:-your-org-name}"
gh api "/orgs/${ORG}/installations" --paginate \
--jq '.installations[] | "\(.app_slug)\t\(.target_type)\t\(.created_at)\t\(.updated_at)"' \
| sort -t$'\t' -k4
# Output: app_slug, target_type, installed_at, last_updated_at (tab-separated)
# Anything with last_updated more than 90 days ago is a revocation candidate
gh-oauth-audit.sh, run with ./gh-oauth-audit.sh your-org-name. Five-line audit, output sorted by last activity. The same pattern works for any SaaS with an admin API — Slack, Salesforce, Microsoft Graph all expose equivalents.
## What broke for the named victims (and what you can copy)
| Victim | What got stolen | What they did right |
|---|---|---|
| Cloudflare | Salesforce case data including customer-shared secrets and tokens in support tickets | Disclosed quickly, rotated all secrets in support cases, published a transparent post-mortem |
| Zscaler | Customer contact information, business-related details, content from select Salesforce records | Notified affected customers individually, published technical details promptly |
| PagerDuty | Salesforce business contact data; no PD platform impact | Clear scoping in the disclosure — what was and was not affected |
| Palo Alto Networks | Limited Salesforce data; published Unit 42 detailed threat brief | Used the incident to publish indicators of compromise for the broader community |
| Tanium | Salesforce data exposure; disclosed within days | Issued a customer security advisory with concrete remediation steps |
- Vendor's most recent security questionnaire (SOC 2 Type II, ISO 27001, or both)
- Vendor's incident notification SLA — 24 hours or better; 48 hours is acceptable for non-critical apps
- Right to revoke OAuth tokens at any time without contractual penalty
- Specific list of OAuth scopes requested — challenge any "broad" scope and require justification
- Clause requiring vendor notification within 72 hours of any subcontractor breach affecting your data
The Drift-specific gotcha. If you ever used Salesloft-Drift or any Drift-integrated chatbot connected to Salesforce, even briefly between March and August 2025, treat your Salesforce data from that window as potentially exposed. The attackers harvested OAuth tokens between March and June; the active exfiltration was August 8-18. Even if your contract with Drift ended in May, your tokens may have been valid through the attack window. Rotate Salesforce credentials, audit support cases for shared secrets, notify any customer whose data appeared in an exfiltrated case.
## A real example — a 28-person Pune SaaS
A B2B SaaS in Pune (analytics for ops teams, ~600 paying customers) ran this audit on a Saturday morning in early September after the Drift disclosure made it to their LinkedIn feeds.
What we found in 47 minutes:
- 51 Google Workspace apps with active OAuth grants. 19 had no activity in 6+ months. Of those, 14 nobody could name. Revoked all 14 — nothing broke.
- 4 Slack apps from canceled trials. Revoked.
- 2 GitHub PATs from a former engineer who left in March. Revoked. Both had repo:write scope.
- 1 Stripe restricted key with broader scopes than needed (created during a tax integration setup that was abandoned). Rotated and tightened scopes.
- Their CRM integration with HubSpot was using "all-data" scope — narrowed to "contacts:read" + "deals:read" without breaking the dashboard that depended on it.
Total time: 51 minutes. Total cost: zero, except 51 minutes of founder + engineer time. The CTO told us he had not realised "stale OAuth grant from former employee" was even a category of risk until the Drift news made him look.
For background on the technical pattern, see our 2025 piece on the Salesforce-Gainsight breach SaaS-integration audit for India — which covers the same connected-app pattern in a different context. Together they form the cluster on third-party integration risk.
## The Reddit pulse
The r/cybersecurity threads on the Drift breach through August and September 2025 surface three patterns: defenders complaining that their EDR caught nothing because the requests used valid tokens; CISOs at impacted firms asking each other for indicator-of-compromise lists; and a recurring complaint that connected-app inventory tooling does not exist for SMBs at a price point under ₹50k/year. The middle group is the one to watch — community-shared IOCs from Mandiant and Unit 42 are now the practical baseline for OAuth-token-attack hunting.
The r/AskNetsec subreddit in early September had a recurring thread asking "how often should we audit OAuth grants?" — the consensus among practitioners was quarterly, with monthly preferred for orgs above 100 people.
## A founder note from our team
Our founder Vivek Singh wrote about this class of risk a few months ago — the broader pattern of supply-chain compromise via OAuth tokens. The shortest version of his argument: every SaaS your customers connect into your product is a potential lateral-movement path, and every SaaS you connect into is a potential ingress path. The math compounds.
For Indian SaaS specifically, the discipline is: minimise the number of integrations, narrow the scopes, audit every quarter, and revoke aggressively. The friction this creates with sales and marketing teams is real but manageable — and dramatically cheaper than being on the next Drift-style customer list.
For the broader ecosystem context, our piece on the Knownsec leak hardening checklist covers a similar 1-week tactical sprint pattern that pairs well with this 1-hour audit.
## FAQ
### How often should we run this audit?
Quarterly minimum for any SaaS over 20 people. Monthly for any SaaS handling regulated data (finance, health, education). Triggered re-audit any time a security advisory like the Drift one drops, OR an employee leaves, OR a vendor is replaced.
### What if we have no admin console for a vendor?
Then you have a deeper problem than OAuth audit — you have an unmanaged shadow-IT vendor. List who in your org granted access. Then either (a) get admin access, (b) revoke the integration, or (c) document the exception with a named owner and an explicit acceptance of risk by the founder/CTO.
### Are we required by DPDP to do this?
The DPDP Act (and the upcoming Rules) requires reasonable security safeguards. An OAuth-grant audit is part of the baseline. The Act does not specify "quarterly OAuth audit" — it specifies the outcome (data is safeguarded). The audit is the cheapest way to show you are meeting that outcome standard.
### What is the difference between OAuth tokens and API keys?
OAuth tokens are issued by an OAuth flow with explicit user consent and limited scopes; they are typically scoped to a specific user's permissions. API keys are typically issued by an admin and have broader, often static, scopes. Both are credentials and both must be inventoried, rotated, and audited. The Drift attackers stole OAuth tokens, but the same defensive disciplines apply to API keys.
### Can we automate this audit?
Partially. Tools like AppOmni, Obsidian Security, and Adaptive Shield offer SaaS Security Posture Management (SSPM) for connected apps. Annual costs typically start around ₹6-15 lakh for SMBs — beyond most early-stage budgets. The 1-hour manual audit is the practical alternative until you cross 100 employees or hold regulated data.
### What about consumer Google accounts on personal devices?
If employees access company Google Workspace via personal devices, audit those too — at minimum require MDM enrolment for managed devices. OAuth grants made from a personal device are no less risky than those from a managed laptop.
### What did Salesloft and Drift do wrong, technically?
Investigators believe attackers compromised Salesloft's GitHub environment between March and June 2025, then pivoted to Drift's AWS environment to exfiltrate OAuth tokens. The most-named root causes in third-party analyses are: secrets stored in GitHub Actions, lack of detection on AWS principal anomalies, and OAuth tokens that did not expire fast enough. Each of these is a defence you can replicate.
### What is the SaaS-vendor security questionnaire we should send going forward?
Minimum 5 questions: (1) Latest SOC 2 Type II report, (2) Incident-notification SLA, (3) Subprocessor list and whether DPAs are signed with each, (4) OAuth scopes required and justification for any broad scope, (5) Internal access-control practices for production data. Most reputable vendors will respond within 5 working days. Unresponsive vendors are themselves a signal.
Want a SaaS-integration audit on your stack?
We run a 1-hour OAuth and connected-app audit for Indian SaaS teams under 100 employees for ₹25,000 fixed price. You leave with: full inventory of grants across your top 6 admin consoles, recommended revocations and scope changes, and a 90-day re-audit calendar event. First call is with the engineer who would lead the audit.
Book a 20-min CallTags:
Salesloft DriftOAuthSaaS SecuritySupply Chain AttackCybersecurityAuditSalesforce
