Agentic AI, OAuth Token Security, and Lessons from the Salesloft Drift–Salesforce Breach
The recent breach targeting Salesforce customer instances (August 2025) via compromised OAuth tokens from the Salesloft Drift AI integration presents a critical case study in OAuth security and Agentic AI identity management for SaaS applications. The attack, attributed to the threat actor UNC6395, was a large-scale, automated credential harvesting operation impacting over 700 organizations. It highlights how modern business automation platforms—driven by agentic AI and interconnected APIs—can inadvertently amplify risk if token lifecycle and non-human identity (NHI) controls are overlooked.
What Happened and Why Agentic AI Is Relevant
A threat actor compromised Salesloft Drift’s backend, extracting long-lived OAuth access and refresh tokens issued for hundreds of Salesforce integrations. With these tokens, the attacker bypassed multi-factor authentication, methodically automated data exfiltration across instances, and focused on harvesting high-value secrets such as AWS keys and lightweight cloud credentials. The use of refresh tokens was key, allowing the attacker to maintain persistent access by continuously generating new, valid access tokens.
This incident is deeply relevant to the rise of Agentic AI. Systems like Salesloft's are designed to have AI agents act autonomously—researching accounts, identifying buyers, and triggering actions across application boundaries. This requires broad API access and persistent tokens, creating an ecosystem where non-human identities—"digital workers"—routinely control powerful credentials. As defined in the Cloud Security Alliance’s new guidance, traditional identity models were not designed for these dynamic and autonomous agents, raising new concerns over how their identities are managed and monitored at scale.
Technical Analysis
Compromise vector: Attackers breached the Drift AI application's cloud environment, exposing a multi-tenant token vault and gaining access to OAuth credentials for all connected Salesforce organizations. This was a classic SaaS supply chain attack; no Salesforce or OAuth protocol flaw was involved.
Attack automation: Using Python scripts with libraries like python-requests and aiohttp routed through Tor exit nodes, attackers systematically executed Salesforce Object Query Language (SOQL) queries for object types likely to store credentials (Cases, Accounts, Opportunities, and custom fields). Their primary goal was credential harvesting, searching for patterns like the AWS key prefix "AKIA".
Token abuse: The stolen OAuth tokens, particularly the long-lived refresh tokens, allowed programmatic access equivalent to the agentic AI’s automation privileges, sidestepping all user authentication barriers. This persistence rendered traditional security measures like MFA ineffective against the compromised application's identity.
Lifecycle gap: The breach exploited a common gap in SaaS integrations: OAuth tokens were long-lived and often had broad (“full access”) scopes. Most organizations rarely monitor token usage patterns or enforce robust rotation policies, treating the integration's non-human identity as a static, trusted entity rather than a dynamic actor that requires continuous validation.
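The credential pattern named above (the AWS key prefix "AKIA") can be used defensively to find and mask keys sitting in your own records. The following is an added example, not code from the original article; the record shape and field names are constructed, and only AWS access key IDs are covered.

```python
import re

# AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Constructed sample records shaped like support-case rows (not real data).
# The key below is AWS's published documentation example, not a live credential.
SAMPLE_CASES = [
    {"Id": "CASE-CONSTRUCTED-1", "Subject": "Login issue",
     "Description": "User cannot log in after password reset."},
    {"Id": "CASE-CONSTRUCTED-2", "Subject": "S3 upload failing",
     "Description": "Customer pasted: key=AKIAIOSFODNN7EXAMPLE region=us-east-1"},
    {"Id": "CASE-CONSTRUCTED-3", "Subject": "AKIA question",
     "Description": "Asked what the AKIA prefix means; no key shared."},
]

def mask(key_id):
    """Keep the prefix and last 4 characters so a finding is traceable, not usable."""
    return key_id[:4] + "*" * (len(key_id) - 8) + key_id[-4:]

def scan_records(records, text_fields=("Subject", "Description")):
    """Return (findings, cleaned_records); findings never hold the raw key."""
    findings, cleaned = [], []
    for rec in records:
        new_rec = dict(rec)
        for field in text_fields:
            value = rec.get(field) or ""
            hits = AWS_KEY_ID.findall(value)
            if hits:
                # Replace every key in the stored text with its masked form.
                new_rec[field] = AWS_KEY_ID.sub(lambda m: mask(m.group(1)), value)
                findings.extend(
                    {"record": rec["Id"], "field": field, "masked": mask(h)}
                    for h in hits)
        cleaned.append(new_rec)
    return findings, cleaned

if __name__ == "__main__":
    found, _ = scan_records(SAMPLE_CASES)
    for finding in found:
        print(finding)
```

Any key found this way should be rotated at the provider, since masking the record does not undo earlier exposure.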
Agentic AI and Identity Management: New Imperatives
The Cloud Security Alliance’s Agentic AI Identity Management approach argues that traditional identity frameworks are ill-suited for the dynamic nature of AI agents and urges organizations to treat these automation identities as “first-class” entities. This incident validates the CSA's core principles and highlights new security imperatives:
Discovery and Lifecycle Mapping: Organizations need a complete inventory of all agent tokens and non-human identities. The "set and forget" nature of the Drift integration created a massive blind spot. The CSA framework calls for treating each component of an agent system as a distinct workload identity with its own manageable lifecycle.
Short-Lived, Tightly Scoped Credentials: The CSA advocates for moving beyond static tokens toward ephemeral and just-in-time (JIT) access. Had the Drift agent been architected to request temporary, narrowly scoped credentials only for a specific task (e.g., syncing a single customer conversation), a compromised token would have been useless for mass data exfiltration.
Real-Time Monitoring and Anomaly Detection: The attackers attempted to hide their tracks by deleting query jobs. A modern, agent-aware security model, as proposed by the CSA, would incorporate behavior-based authentication. A single non-human identity suddenly querying hundreds of tenants from Tor exit nodes for credential-like strings is a significant anomaly that should have triggered an automated revocation of its privileges.
Dynamic Revocation and Zero Trust: The CSA framework extends Zero Trust principles to agents, requiring continuous verification for every action. In this breach, a single platform compromise exposed hundreds of tenants—a classic example of why agentic AI workflows require isolated secrets, granular access boundaries, and rapid cross-provider remediation mechanisms. The manual, coordinated revocation by Salesloft and Salesforce on August 20th came after a 10-day attack spree.
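The behavior-based check and automated revocation described above can be sketched as a signal counter per non-human identity. This is an added example, not code from the original article or the CSA; the log schema, thresholds, identity names and Tor exit list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed events: app|tenant|source_ip|user_agent|operation|soql
# (hypothetical schema, not a Salesforce log format; IPs are documentation ranges).
SAMPLE_LOG = """\
chat-sync|org-a|192.0.2.10|vendor-sync/2.1|query|SELECT Id FROM Case WHERE IsClosed = false
ai-agent|org-a|203.0.113.5|python-requests/2.32|query|SELECT Id FROM Case WHERE Subject LIKE '%AKIA%'
ai-agent|org-b|203.0.113.5|python-requests/2.32|query|SELECT Id, Name FROM Account
ai-agent|org-b|203.0.113.5|python-requests/2.32|delete_query_job|
ai-agent|org-c|198.51.100.7|aiohttp/3.9|query|SELECT Id FROM Opportunity
ai-agent|org-c|198.51.100.7|aiohttp/3.9|delete_query_job|
"""

TOR_EXITS = {"203.0.113.5", "198.51.100.7"}   # stand-in for a Tor exit list feed
SCRIPTED_UA = ("python-requests", "aiohttp")   # client libraries named in the article
# "AKIA" comes from the article; the other two strings are assumptions.
CRED_STRINGS = re.compile(r"AKIA|password|secret", re.I)

def evaluate(log_text, max_tenants=2, revoke_at=3):
    """Collect anomaly signals per non-human identity and decide on revocation."""
    seen = defaultdict(lambda: {"tenants": set(), "signals": set()})
    for line in log_text.strip().splitlines():
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue  # skip malformed lines instead of failing the whole run
        app, tenant, ip, ua, op, soql = parts
        entry = seen[app]
        entry["tenants"].add(tenant)
        if ip in TOR_EXITS:
            entry["signals"].add("tor_exit_source")
        if ua.lower().startswith(SCRIPTED_UA):
            entry["signals"].add("scripted_user_agent")
        if op == "query" and CRED_STRINGS.search(soql):
            entry["signals"].add("credential_string_query")
        if op == "delete_query_job":
            entry["signals"].add("query_job_deleted")
        if len(entry["tenants"]) > max_tenants:
            entry["signals"].add("tenant_fanout")
    return {app: {"signals": sorted(e["signals"]),
                  "revoke": len(e["signals"]) >= revoke_at}
            for app, e in seen.items()}

if __name__ == "__main__":
    for app, verdict in evaluate(SAMPLE_LOG).items():
        print(app, verdict)
```

Requiring several independent signals before revoking keeps a single noisy indicator, such as a scripted user agent on a legitimate integration, from cutting off a working agent.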
Recommendations for SaaS Ecosystems with Agentic AI
Audit and Re-Authenticate All High-Privilege Integrations: Immediately review all third-party applications with persistent access to critical SaaS platforms. Revoke and re-authenticate integrations like the one affected by the Drift incident, ensuring the new tokens are created with the principle of least privilege.
Scan for and Remove Embedded Secrets: Implement data discovery and masking tools to find and remove credential artifacts and other secrets stored in SaaS databases, especially within standard and custom objects used by agentic AI. This reduces the value of the data if exfiltrated.
Adopt Just-in-Time (JIT) Access for NHIs: For new AI integrations, pilot an architecture based on JIT principles, as advocated by the CSA. Instead of storing a powerful, long-lived token, use an identity broker that can mint short-lived, narrowly scoped credentials on-demand for specific tasks.
Implement Continuous Posture Management: Deploy SaaS Security Posture Management (SSPM) tools to continuously monitor for risky configurations, over-privileged integrations, and anomalous API usage patterns indicative of a compromised non-human identity.
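The JIT recommendation above, and the single-conversation example given earlier for short-lived credentials, can be illustrated with a small identity broker. This is an added example, not code from the article or the CSA; it uses a simple HMAC-signed token instead of a real OAuth or JWT library, and the agent names, scopes and TTL policy are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

BROKER_KEY = secrets.token_bytes(32)  # demo key; a real broker would hold this in a KMS/HSM
MAX_TTL = 300                         # hypothetical policy: nothing lives past 5 minutes
# Hypothetical policy: the only scopes each agent identity may ever request.
AGENT_POLICY = {"chat-agent": {"conversation:read", "conversation:write"}}

def _sign(body: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(BROKER_KEY, body, hashlib.sha256).digest())

def mint(agent, tenant, scope, resource, ttl=60, now=None):
    """Issue a credential bound to one agent, tenant, scope and resource."""
    if scope not in AGENT_POLICY.get(agent, set()):
        raise PermissionError(f"{agent} may not request {scope}")
    now = time.time() if now is None else now
    claims = {"agent": agent, "tenant": tenant, "scope": scope,
              "resource": resource, "exp": now + min(ttl, MAX_TTL)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()

def authorize(token, tenant, scope, resource, now=None):
    """Resource-side check: signature, expiry, then exact tenant/scope/resource."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if (time.time() if now is None else now) >= claims["exp"]:
        return False, "expired"
    if (claims["tenant"], claims["scope"], claims["resource"]) != (tenant, scope, resource):
        return False, "outside granted scope"
    return True, "ok"

if __name__ == "__main__":
    tok = mint("chat-agent", "org-a", "conversation:read", "conv-123")
    print(authorize(tok, "org-a", "conversation:read", "conv-123"))  # granted task
    print(authorize(tok, "org-b", "conversation:read", "conv-123"))  # other tenant
```

A token stolen from this broker is valid for one resource in one tenant for at most five minutes, and there is no refresh token to replay.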
Discussion
The Salesloft Drift–Salesforce breach is a wake-up call: as SaaS and AI automation expand, so do the responsibilities for token lifecycle and non-human identity governance. The incident demonstrated that traditional IAM models, built for human users and static permissions, are inadequate for securing autonomous agents. Security leaders should reference the Cloud Security Alliance’s new Agentic AI Identity Management approach to reinvent their strategies, ensuring token security and visibility keep pace with the new reality of an agent-driven enterprise.


