SaaS Integrations: When Convenience Becomes the Attack Surface
Google's Threat Intelligence team recently published findings on data theft campaigns exploiting integrations between Salesforce, Drift, and Salesloft. The research highlights a growing challenge in cybersecurity: the risk isn't always in the core application, but in the web of connections that tie platforms together. These integrations are designed to increase efficiency, but they can also silently expand the attack surface. A single OAuth token, once granted, may continue to live on even after an app is retired. If abused, that token can provide adversaries with broad access across business-critical platforms. Systemic Risks, Not Isolated Failures This incident is not about one company doing something wrong. It's a systemic problem. SaaS tokens are built for convenience, but they don't always align with the realities of secure lifecycle management. In one example, a token tied to an application decommissioned more than a year earlier was still active and later abused by attackers.…