SaaS Integrations: When Convenience Becomes the Attack Surface

Google’s Threat Intelligence team recently published findings on data theft campaigns exploiting integrations between Salesforce, Drift, and Salesloft. The research highlights a growing challenge in cybersecurity: the risk isn’t always in the core application, but in the web of connections that tie platforms together.

These integrations are designed to increase efficiency, but they can also silently expand the attack surface. A single OAuth token, once granted, may continue to live on even after an app is retired. If abused, that token can provide adversaries with broad access across business-critical platforms.

Systemic Risks, Not Isolated Failures

This incident is not about one company doing something wrong. It’s a systemic problem. SaaS tokens are built for convenience, but they don’t always align with the realities of secure lifecycle management. In one example, a token tied to an application decommissioned more than a year earlier was still active and later abused by attackers.

The reality is that no organization can reasonably expect to outpace every adversary when vendors, tokens, and notifications all move at different speeds. This is less about “what security teams missed” and more about recognizing the structural challenges of today’s SaaS ecosystem.

Recommendations for Affected Organizations

If your organization has ever used Drift, Salesloft, or similar integrations with Salesforce or Google Workspace, consider the following steps immediately:

  • Revoke legacy tokens – Audit connected applications in your Google Workspace and Salesforce environments. Revoke OAuth tokens tied to Drift, Salesloft, or other unused apps.

  • Check for anomalous activity – Review Google Workspace and Salesforce logs for unusual API calls, mass exports, or authentication attempts tied to these integrations.

  • Force re-authentication – For active integrations, require new OAuth grants to ensure stale tokens are invalidated.

  • Engage incident response – If suspicious activity is found, follow standard IR playbooks: contain, investigate, and report.

  • Communicate internally – Ensure business units know why integrations are being reviewed and the risks involved. This helps avoid “shadow IT” reauthorizing old apps.

Building Resilience in a SaaS World

Organizations can’t eliminate these risks entirely, but they can reduce exposure:

  • Review and revoke tokens regularly – Especially those tied to applications no longer in use.

  • Enhance monitoring – Track anomalous OAuth activity rather than relying solely on vendor alerts.

  • Limit scopes – Grant only the access permissions required, reducing the impact if a token is abused.

  • Demand transparency – Vendors must provide timely, clear notifications and more visibility into integration security.
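
One way to run the token review described in the two lists above, as an added example that is not part of the original article: a Python audit that flags grants tied to retired apps, grants that have gone idle, and over-broad scopes. The CSV columns, app and scope lists, and the 90-day threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. The column names are a hypothetical normalized
# export, not a real Salesforce or Google Workspace schema.
SAMPLE_GRANTS = """app,user,scopes,granted,last_used
Drift,svc-marketing,api refresh_token full,2023-01-10,2024-02-01
Salesloft,svc-sales,api refresh_token,2024-11-05,2025-08-20
CalendarSync,jdoe,calendar.readonly,2025-06-01,2025-08-28
OldReports,svc-bi,full,2022-03-15,
"""

RETIRED_APPS = {"drift", "oldreports"}  # assumption: apps your org decommissioned
BROAD_SCOPES = {"full"}                 # assumption: scopes you treat as over-broad
MAX_IDLE = timedelta(days=90)           # assumption: idle threshold before review


def _parse_date(value):
    """Return an aware UTC datetime, or None when the field is empty."""
    if not value.strip():
        return None
    return datetime.strptime(value.strip(), "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_grants(csv_text, now):
    """Return a list of (app, user, reasons) for grants that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["app"].strip().lower() in RETIRED_APPS:
            reasons.append("app retired, revoke")
        last_used = _parse_date(row["last_used"])
        if last_used is None:
            reasons.append("never used")
        elif now - last_used > MAX_IDLE:
            reasons.append(f"idle {(now - last_used).days} days")
        broad = BROAD_SCOPES & set(row["scopes"].split())
        if broad:
            reasons.append("broad scope: " + ",".join(sorted(broad)))
        if reasons:
            findings.append((row["app"], row["user"], reasons))
    return findings


if __name__ == "__main__":
    now = datetime(2025, 9, 1, tzinfo=timezone.utc)  # fixed so output is reproducible
    for app, user, reasons in audit_grants(SAMPLE_GRANTS, now):
        print(f"{app:<12} {user:<14} {'; '.join(reasons)}")
```

A grant that is still in use but belongs to a retired app is reported as well, since recent use does not make the token legitimate.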

Looking Ahead

The larger message is clear: as SaaS ecosystems grow, the connective tissue between applications becomes just as valuable a target as the applications themselves. Attackers understand this, and defenders must adjust accordingly.

Rather than placing blame on victims, the focus must remain on building resilience—acknowledging that integrations will continue to be exploited and preparing accordingly. SaaS remains a powerful tool, but only when paired with proactive security practices and shared responsibility between vendors and customers.