The Silent OAuth Epidemic

3/3/2025
WNC Labs
Cybersecurity
proofpoint
connected apps

In the span of just a few weeks, two major data breaches have exposed a critical vulnerability in the modern SaaS ecosystem: Salesforce connected apps and their OAuth token management. The recent attacks on Kering (affecting Gucci, Balenciaga, and Alexander McQueen) and the Salesloft Drift breach follow an eerily similar playbook, revealing a systemic security flaw that organizations worldwide must address immediately.

Two Breaches, One Common Thread

The Kering Attack: ShinyHunters Strike Luxury

In September 2025, French luxury conglomerate Kering fell victim to the ShinyHunters cybercriminal group, exposing 7.4 million customer records. The attack methodology was sophisticated yet alarmingly straightforward:

Attack Vector: Social engineering targeting Salesforce CRM systems

  • Hackers used vishing (voice phishing) to impersonate IT support staff

  • Employees were tricked into granting access to malicious Salesforce "connected apps"

  • OAuth tokens were exploited to gain persistent access without triggering MFA

Timeline: Initial breach occurred in April 2025, discovered in June

Impact: Names, addresses, phone numbers, purchase histories, and individual spending records were stolen

The Salesloft Drift Breach: A Supply Chain Nightmare

Just weeks earlier, the UNC6395 threat group (also known as GRUB1) executed one of the largest SaaS supply-chain attacks in history through the Salesloft Drift platform. The attack progression reveals the same OAuth exploitation pattern:

Initial Compromise: Attackers gained access to Salesloft's GitHub account between March and June 2025

  • Downloaded content from multiple repositories

  • Conducted reconnaissance for months before the main attack

OAuth Token Theft: Between August 8-18, 2025, attackers accessed Drift's AWS environment and stole OAuth tokens for customer integrations

Salesforce Exploitation: Using compromised tokens, attackers systematically:

  • Authenticated to Salesforce using connected app permissions

  • Enumerated objects and counted records to gauge scope

  • Launched Bulk API 2.0 jobs to export sensitive data at scale

  • Deleted job logs to cover their tracks

Massive Impact: Over 700 organizations affected, including Cloudflare, Proofpoint, Palo Alto Networks, and Google
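The four-step sequence above (authenticate, enumerate and count, bulk export, delete the job) is also what a defender can look for in audit data. The following is an added example, not code from the original post or from any vendor: it runs a simple correlation over constructed log records that use a made-up simplified schema, not the real Salesforce EventLogFile field names, so the parser would need adapting to a real feed.

```python
"""Flag the enumerate -> bulk-export -> delete-job sequence described above.
Added example, not from the original post or any vendor. Records are
constructed with a simplified schema (timestamp app user event target),
not real Salesforce EventLogFile rows; map real field names before use."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: one connected app counts several objects, launches a
# bulk job and deletes it minutes later; a second app behaves normally.
SAMPLE_LOG = """\
2025-08-12T03:01:10Z drift-connector svc-drift QUERY_COUNT Account
2025-08-12T03:01:12Z drift-connector svc-drift QUERY_COUNT Case
2025-08-12T03:01:14Z drift-connector svc-drift QUERY_COUNT Opportunity
2025-08-12T03:01:20Z drift-connector svc-drift QUERY_COUNT User
2025-08-12T03:02:00Z drift-connector svc-drift BULK_JOB_CREATE 750abc
2025-08-12T03:09:30Z drift-connector svc-drift BULK_JOB_DELETE 750abc
2025-08-12T09:15:00Z marketing-sync svc-mkt BULK_JOB_CREATE 750def
2025-08-12T09:16:00Z marketing-sync svc-mkt QUERY_COUNT Lead
"""

ENUM_THRESHOLD = 3           # distinct objects counted before the export
WINDOW = timedelta(hours=1)  # max spacing between the three steps

def parse_log(text):
    """Parse the constructed whitespace-separated records into tuples."""
    events = []
    for line in text.splitlines():
        ts, app, user, event, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       app, user, event, target))
    return events

def detect_exfil_sequences(events):
    """Return (app, user) pairs that counted >= ENUM_THRESHOLD objects, then
    created a bulk job, then deleted that same job, all within WINDOW."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev[1], ev[2])].append(ev)
    flagged = []
    for actor, evs in by_actor.items():
        evs.sort()
        created = {t: ts for ts, _, _, e, t in evs if e == "BULK_JOB_CREATE"}
        for ts, _, _, e, job in evs:
            if e != "BULK_JOB_DELETE" or job not in created:
                continue
            start = created[job]
            objects = {t for ets, _, _, ee, t in evs
                       if ee == "QUERY_COUNT" and start - WINDOW <= ets <= start}
            if len(objects) >= ENUM_THRESHOLD and ts - start <= WINDOW:
                flagged.append(actor)
    return flagged
```

A lone bulk job or a handful of count queries is normal integration behaviour; the rule only fires when all three steps chain together for the same connected app and user within the window.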

The Alarming Pattern: OAuth Tokens as Digital Master Keys

Both breaches expose a fundamental flaw in how organizations manage third-party connected apps and their OAuth tokens. These attacks succeeded not because of Salesforce vulnerabilities, but because of the inherent trust model in OAuth-based integrations.

Why OAuth Tokens Are Cybercriminals' Dream

1. MFA Bypass Capability Once stolen, OAuth tokens provide persistent access without triggering multi-factor authentication. Attackers operate invisibly—no password prompts, no security alerts, no user interaction required.

2. Elevated Permissions Connected apps often receive broad permissions that may exceed what individual users actually need. A single compromised token can provide access to vast amounts of organizational data.

3. Persistence and Stealth Unlike traditional credentials, OAuth tokens can remain valid for extended periods, allowing attackers to maintain access for months. The Salesloft attackers had access from March through August 2025.

4. Cross-Platform Access Modern OAuth tokens often provide access to multiple integrated systems, not just the primary platform. The Drift breach affected not only Salesforce but also Google Workspace, Slack, and cloud storage systems.

The Hidden Risk: Connected Apps as Attack Vectors

Salesforce has recognized this growing threat. In August 2025, the company announced significant security changes to address OAuth-based attacks:

New Restrictions on Uninstalled Connected Apps

  • Users now need the "Approve Uninstalled Connected Apps" permission to use apps not formally installed in the organization

  • This prevents individuals from granting access without administrative oversight

Elimination of OAuth 2.0 Device Flow

  • Salesforce removed support for the OAuth Device Flow from Data Loader on September 2, 2025

  • This flow was being exploited in social engineering attacks to trick users into granting API access

The Broader SaaS Security Challenge

The problem extends far beyond Salesforce. Organizations now maintain thousands of SaaS integrations, each representing a potential entry point for attackers. As one security expert noted, "The ecosystem is the attack surface".

Key Statistics:

  • Gartner predicts 45% of organizations worldwide will experience supply chain attacks by 2025

  • Over 5,000 Salesloft customers were potentially affected by the Drift breach

  • Average organizations have hundreds of OAuth tokens active across their SaaS ecosystem

Where Proofpoint Fits: A Comprehensive Security Solution

The Kering and Salesloft Drift breaches demonstrate that traditional perimeter security is insufficient in the age of SaaS integrations. Organizations need comprehensive, multi-layered protection that addresses both human and technical vulnerabilities.

How Proofpoint Could Have Prevented These Attacks

1. Advanced Email Security & Anti-Phishing Protection

  • 99.99% efficacy rate against email-based threats

  • Real-time URL rewriting and browser isolation for suspicious links

  • AI-driven threat detection to identify social engineering attempts

2. Vishing & Social Engineering Defense

  • Specialized security awareness training targeting voice phishing attacks

  • Behavioral training to recognize IT impersonation tactics

  • Employee education about OAuth authorization risks and verification procedures

3. Threat Intelligence Integration

  • Monitoring of 3+ trillion email messages annually across 230,000+ customers

  • Early warning systems for emerging threats like ShinyHunters and UNC6395 campaigns

  • Threat-guided training tailored to specific attack patterns

4. Identity & Access Protection

  • Integration capabilities with Salesforce environments for enhanced monitoring

  • OAuth app governance and suspicious activity detection

  • Adaptive controls for high-risk users and applications

5. Data Loss Prevention (DLP)

  • Advanced DLP capabilities to prevent sensitive data exfiltration

  • Email encryption and data protection for confidential information

  • Real-time monitoring of unusual data access patterns

The Urgent Call for Action

The Kering and Salesloft Drift breaches are not isolated incidents—they represent a new category of supply chain attacks targeting the trusted integration layer that binds modern SaaS ecosystems together. Organizations must recognize that:

✅ Human-centric security is critical: 94% of data breaches start with email

✅ OAuth token management requires specialized attention and monitoring

✅ Third-party integrations need the same security scrutiny as core applications

✅ Multi-layered defenses combining technology and awareness are essential

✅ Proactive threat intelligence and training can prevent social engineering attacks

Moving Forward: A Security-First Integration Strategy

The luxury retail and SaaS sectors have faced multiple high-profile breaches this year. As attackers become more sophisticated in exploiting OAuth trust relationships, organizations need solutions that provide:

  • Comprehensive email security to stop phishing at the source

  • Advanced threat intelligence to identify emerging attack patterns

  • User awareness training tailored to specific threats like vishing

  • Integration security monitoring for OAuth tokens and connected apps

  • Data loss prevention to protect sensitive information from exfiltration

The bottom line: Your organization's security perimeter now extends to every OAuth token, every connected app, and every third-party integration in your ecosystem. The next social engineering call to your help desk might not be legitimate—and without comprehensive protection like Proofpoint, you might not know until it's too late. The connected app epidemic demands connected security solutions. The question isn't whether your organization will be targeted—it's whether you'll be prepared when the attack comes.
