VYPR
breachPublished May 5, 2026· Updated May 17, 2026· 1 source

Persistent OAuth Tokens Emerge as Major Security Blind Spot Following Drift Breach

A sophisticated campaign targeting the sales engagement platform Drift has exposed the systemic risks of persistent OAuth tokens, which allow attackers to bypass MFA and gain long-term access to sensitive cloud environments.

The persistent nature of OAuth tokens has emerged as a significant security blind spot, as demonstrated by a recent campaign targeting the sales engagement platform Drift. Unlike traditional credentials, OAuth grants often lack expiration dates and do not automatically revoke when an employee leaves an organization or updates their password. Because these tokens operate outside the scope of traditional perimeter defenses and multi-factor authentication (MFA), they provide attackers with a stealthy, legitimate pathway into sensitive cloud environments The Hacker News.

The technical mechanism relies on the inherent design of OAuth, which allows third-party applications to maintain access to services like Google or Microsoft environments indefinitely. When an attacker secures a valid OAuth refresh token—often through initial phishing campaigns—they can impersonate the authorized application. Because the attacker presents a legitimate, pre-authorized token, they effectively bypass MFA and perimeter security controls, as no traditional "login" event occurs The Hacker News.

The severity of this risk was highlighted by the compromise of Drift, a platform integrated into hundreds of Salesforce environments. A threat actor identified by Palo Alto Unit 42 as UNC6395 leveraged stolen OAuth refresh tokens to gain unauthorized access to Salesforce instances across more than 700 organizations. Once inside, the threat actor systematically exfiltrated data, specifically hunting for high-value credentials such as AWS access keys, Snowflake tokens, and passwords. High-profile organizations, including Cloudflare and PagerDuty, were among those affected by the breach The Hacker News.

Despite widespread recognition of the danger, organizational response remains inadequate. Research from Material Security indicates that while 80% of security leaders classify unmanaged OAuth grants as a critical or significant risk, 45% of organizations perform no monitoring of these grants at scale. Many others rely on manual, ad hoc processes like spreadsheets, which fail to provide the continuous oversight necessary to detect when a trusted application’s credentials have been weaponized The Hacker News.

Current security tools often focus solely on the initial installation phase, such as evaluating requested permission scopes or checking vendor reputation. While these measures are useful, they are insufficient against the Drift-style scenario, where a previously trusted application is compromised and subsequently used for malicious activity. Effective mitigation requires moving beyond passive acceptance toward continuous monitoring of the actual API calls and actions performed by integrated applications The Hacker News.

This incident underscores a shift in the threat landscape where attackers are moving away from brute-forcing credentials toward exploiting the trust relationships inherent in modern cloud ecosystems. As organizations continue to integrate AI tools and workflow automations, the volume of persistent OAuth tokens will likely grow, making centralized visibility and behavioral monitoring essential components of a modern security posture. Security teams must now treat OAuth integrations not as "set-and-forget" configurations, but as active, ongoing attack vectors that require constant vigilance The Hacker News.

Synthesized by Vypr AI