Cyber Web Spider Blog – News

SaaS Breaches Start with Tokens

Posted on October 9, 2025 By CWS

Token theft is a leading cause of SaaS breaches. This article explains why OAuth and API tokens are so often overlooked and how security teams can strengthen token hygiene to prevent attacks.
Most companies in 2025 rely on a wide range of software-as-a-service (SaaS) applications to run their operations. The security of those applications, however, depends on small pieces of data called tokens. Tokens such as OAuth access tokens, API keys, and session tokens work like keys to these applications: whoever holds one can access the connected systems without much trouble.
Recent breaches have shown that a single stolen token can bypass multi-factor authentication (MFA) and other security controls. Instead of exploiting vulnerabilities directly, attackers are stealing and replaying tokens. This ties into the broader problem of SaaS sprawl and the difficulty of tracking the many third-party integrations an organization accumulates.
Recent Breaches Involving Token Theft
A number of real-world incidents show how stolen tokens lead to breaches in SaaS environments:
1. Slack (Jan 2023). Attackers stole a limited number of Slack employee tokens and used them to gain unauthorized access to Slack's private GitHub code repositories. No customer data was exposed, but it was a clear warning that stolen tokens can undermine internal security boundaries.
2. CircleCI (Jan 2023). Information-stealing malware on an engineer's laptop let threat actors hijack a session token for CircleCI's systems. The token gave the attackers the same access as the user, even with MFA in place, enabling them to steal customer secrets from the CI platform.
3. Cloudflare/Okta (Nov 2023). In the fallout of the Okta identity provider breach, Cloudflare rotated more than 5,000 credentials. One unrotated service token and three service account credentials were still enough for the attackers to compromise Cloudflare's Atlassian environment. The incident showed how a single forgotten token can undermine an otherwise thorough incident response.
4. Salesloft/Drift (Aug 2025). The Drift chatbot (owned by Salesloft) suffered a supply-chain breach that let attackers harvest OAuth tokens for integrations such as Salesforce and Google Workspace. Using those stolen tokens, they accessed the SaaS data of hundreds of customer organizations and moved laterally into emails, files, and support records across platforms.

SaaS Sprawl Fuels Token Blind Spots
Why do these token-based breaches keep happening?
The problem is bigger than any single app; it is an ecosystem problem fueled by sprawling SaaS usage and hidden trust relationships between apps, each of them backed by a token.
Today every department uses SaaS tools and integrates them across systems. Employees use multiple third-party cloud services, and enterprises manage roughly 490 cloud apps, many of them unsanctioned or not properly secured.
This heavy use of SaaS (often called SaaS sprawl) means an explosion of OAuth tokens, API keys, and app-to-app connections. Each integration introduces a non-human identity (essentially a credential) that is usually invisible to IT and not tracked by traditional identity management.
The overall result is an ungoverned attack surface. A few factors typically contribute to this blind spot:
• Lack of visibility. Many organizations do not know about all the SaaS apps and integrations their employees have enabled, or who authorized them. Shadow IT (employees adding apps without approval) thrives, and security teams may only discover an OAuth connection after it has caused a problem.
• No approval or oversight. Without a vetting process, users can freely connect apps such as marketing plugins or productivity tools to corporate SaaS accounts. These third-party apps often request broad permissions and get them, even when the access is only needed briefly. Unvetted and over-privileged apps can stay connected indefinitely if no one reviews them.
• No regular monitoring. Very few companies enforce security settings on OAuth integrations or watch these connections in real time. Tokens rarely have short lifetimes or tight scopes by default, and organizations often do not restrict their use by IP or device. Logs from SaaS integrations are frequently not fed into security monitoring at all.

Why Legacy Security Misses the Token Problem
Traditional security tools have not fully caught up with this problem.
Single sign-on (SSO) and multi-factor authentication protect user logins, but OAuth tokens sidestep those controls: they grant persistent trust between apps with no further verification.
A token acts on behalf of a user or service without a password, so an attacker who obtains a valid token can read the connected app's data as if they were already authenticated. Nothing prompts for MFA again when an OAuth token is presented. Without specific oversight, OAuth and API tokens have therefore become an Achilles' heel of SaaS security. Other legacy solutions, such as cloud access security brokers (CASBs), focus on user-to-app traffic and do not monitor these app-to-app connections.
This gap has led to the emergence of SaaS security platforms that aim to discover and secure SaaS integrations amid sprawl. They attempt to map every third-party app, token, and privilege in use, restoring visibility and control, whether through automated discovery (scanning for connected apps) or by enforcing policies on OAuth usage. The goal is to close the SaaS security gap created by unchecked tokens.
Ultimately, every organization, with or without new tools, can apply better token hygiene. You cannot protect what you cannot see. The first step is knowing where your tokens and SaaS integrations are; the next is controlling and monitoring them so they do not become backdoors.
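The bearer-token behaviour described above is easy to see in code. The following is an added example, not code from the article or from any vendor: a toy resource server whose naive check accepts any caller that presents a validly signed token (no MFA re-prompt, no device or IP check), beside a hardened check that enforces a short lifetime, least-privilege scope, revocation, and an optional source-IP allowlist. The token format is a hand-rolled HMAC-signed, JWT-like string built with the standard library so it runs offline; the signing key, client IPs, subject and scope names are all constructed assumptions, and a real deployment would use a vetted OAuth/JWT library instead.

```python
"""Why a stolen bearer token bypasses MFA, and what a resource server can still enforce.

Added example; not the article's code. Token format, key, IPs and scopes are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Set, Tuple

SECRET = b"demo-signing-key-do-not-reuse"   # constructed; never hard-code a real key
REVOKED: Set[str] = set()                     # token ids pulled during offboarding/cleanup


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl: int, jti: str, now: int) -> str:
    """Mint a signed token: JSON claims plus HMAC-SHA256 over the encoded claims."""
    claims = {"sub": subject, "scp": scopes, "iat": now, "exp": now + ttl, "jti": jti}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def decode(token: str) -> Optional[dict]:
    """Verify the signature and return the claims, or None if the token is forged."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def naive_authorize(token: str, client_ip: str) -> bool:
    """Bearer semantics as the article describes them: a valid signature is enough.
    No MFA prompt, and the caller's IP is ignored, so a replayed token is accepted."""
    del client_ip  # deliberately unused
    return decode(token) is not None


def hardened_authorize(token: str, needed_scope: str, client_ip: str, now: int,
                       allowed_ips: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Apply the hygiene controls: lifetime, revocation, least-privilege scope and,
    where the integration has a fixed source, an IP allowlist. Returns (ok, reason)."""
    claims = decode(token)
    if claims is None:
        return False, "bad signature"
    if claims["exp"] <= now:
        return False, "expired"
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if needed_scope not in claims["scp"]:
        return False, f"missing scope {needed_scope}"
    if allowed_ips is not None and client_ip not in allowed_ips:
        return False, f"ip {client_ip} not allowed"
    return True, "ok"


def demo() -> dict:
    """A legitimate call, an attacker's replay of the same token, expiry and revocation."""
    REVOKED.clear()
    t0 = 1_700_000_000
    runner_ip, attacker_ip = "198.51.100.7", "203.0.113.9"   # constructed addresses
    tok = issue_token("svc-ci-bot", ["repo:read"], ttl=900, jti="tok-1", now=t0)
    results = {
        "naive_runner": naive_authorize(tok, runner_ip),
        "naive_attacker": naive_authorize(tok, attacker_ip),   # replay goes straight through
        "hard_runner": hardened_authorize(tok, "repo:read", runner_ip, t0 + 60, {runner_ip}),
        "hard_attacker": hardened_authorize(tok, "repo:read", attacker_ip, t0 + 60, {runner_ip}),
        "hard_write": hardened_authorize(tok, "repo:write", runner_ip, t0 + 60, {runner_ip}),
        "hard_late": hardened_authorize(tok, "repo:read", runner_ip, t0 + 901, {runner_ip}),
    }
    REVOKED.add("tok-1")   # e.g. the owner was offboarded
    results["hard_revoked"] = hardened_authorize(tok, "repo:read", runner_ip, t0 + 60, {runner_ip})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The naive path is the one most SaaS integrations run today: both the CI runner and the attacker replaying its token are accepted. The hardened path does not add MFA (that is not possible for an app-to-app token) but makes the stolen token worth far less: it dies after 15 minutes, cannot be used for writes, is rejected from an unknown address, and can be killed instantly by adding its id to the revocation set.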

Token Hygiene Checklist
The following checklist can be used to reduce the risk from token compromise (record Y or N against each practice for your environment):

[ ] Maintain OAuth App Inventory. Discover and track all third-party applications connected to your SaaS accounts. Keep an up-to-date inventory of OAuth tokens, API keys, and integrations. This gives visibility into your token footprint.

[ ] Enforce App Approval. Establish a vetting process for new SaaS integrations. Require security review or admin approval before employees grant OAuth access to their accounts. This curbs unvetted apps and ensures every token issued is necessary and its risks are known.

[ ] Least-Privilege Tokens. Limit the scope and permissions of tokens to the minimum required. Avoid granting overly broad access ("allow all") when authorizing an app. For example, if an app only needs read access, do not give it read-write admin privileges. Least privilege reduces the impact if a token is stolen.

[ ] Rotate Tokens Regularly. Treat long-lived tokens like expiring credentials. Configure tokens to expire after a short period where possible, or periodically revoke and reissue them. Regular rotation (or short lifetimes) means a stolen token quickly becomes useless, narrowing an attacker's window of opportunity.

[ ] Remove or Alert on Unused Tokens. Identify tokens and app connections that have not been used in weeks or months. Unused tokens are latent threats; revoke them if they are not needed. Implement alerts or reports for dormant tokens so they can be cleaned up proactively instead of lingering indefinitely.

[ ] Monitor Token Activity. Enable logging and monitoring for token use across your SaaS platforms. Watch for unusual token activity, such as a normally quiet integration suddenly making large data requests, or access from unexpected locations. Set up alerts for anomalies in token usage (e.g. a spike in API calls, or use of a token from an unfamiliar IP).

[ ] Integrate Tokens into Offboarding. When employees leave or a third-party app is retired, ensure their tokens and access keys are promptly revoked. Make token revocation a standard step in user offboarding and app lifecycle management, so old credentials do not persist after they are no longer needed.
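Most of the checklist above (inventory, least privilege, rotation, dormant tokens, monitoring, offboarding) reduces to questions you can ask of two data sets: a list of the OAuth grants and API keys in use, and their usage log. The following is an added example, not the article's code or any vendor's product, showing that audit in a few dozen lines. The grant records, the offboarding feed, the log lines, the field names and the thresholds (60-day dormancy, 90-day rotation window, 5x call spike, the scope names treated as "allow all") are all constructed assumptions, not any SaaS provider's real schema or API; in practice the same logic would run over exports from each provider's admin or audit API.

```python
"""Token-hygiene audit over a SaaS integration inventory and its usage log.

Added example; not the article's code. All records, field names and thresholds are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

NOW = date(2025, 10, 9)
DORMANT_AFTER = timedelta(days=60)   # assumption: unused this long -> revoke candidate
MAX_LIFETIME = timedelta(days=90)    # assumption: non-expiring tokens older than this need rotation
SPIKE_FACTOR = 5                     # assumption: alert when daily calls exceed 5x the baseline
BROAD_SCOPES = {"admin", "read_write_all", "full_access"}   # assumed "allow all" scope names
OFFBOARDED = {"alice@example.com"}   # constructed feed of departed employees


def days_ago(n: int) -> date:
    return NOW - timedelta(days=n)


# Constructed inventory: one record per OAuth grant or API key.
# "expires" is None when the provider issued a non-expiring token.
GRANTS = [
    {"id": "g1", "app": "Marketing Plugin", "owner": "alice@example.com",
     "scopes": ["contacts.read", "read_write_all"], "created": days_ago(400),
     "last_used": days_ago(3), "expires": None},
    {"id": "g2", "app": "CI Bot", "owner": "bob@example.com",
     "scopes": ["repo.read"], "created": days_ago(30),
     "last_used": days_ago(1), "expires": days_ago(-60)},
    {"id": "g3", "app": "Chat Integration", "owner": "carol@example.com",
     "scopes": ["mail.read", "files.read"], "created": days_ago(200),
     "last_used": days_ago(0), "expires": None},
    {"id": "g4", "app": "Old Survey Tool", "owner": "bob@example.com",
     "scopes": ["forms.read"], "created": days_ago(300),
     "last_used": days_ago(150), "expires": None},
]

# Constructed usage log: (grant id, day, source IP, API calls that day).
LOG = (
    [("g2", days_ago(7 - i), "198.51.100.7", 100 + i) for i in range(7)]
    + [("g3", days_ago(7 - i), "198.51.100.7", 50) for i in range(6)]
    + [("g3", days_ago(0), "203.0.113.9", 4000)]   # sudden bulk pull from a new IP
)


def audit_grants(grants, now=NOW):
    """Inventory checks: offboarded owner, over-broad scope, overdue rotation, dormancy."""
    findings = defaultdict(list)
    for g in grants:
        if g["owner"] in OFFBOARDED:
            findings[g["id"]].append("owner offboarded: revoke")
        if BROAD_SCOPES & set(g["scopes"]):
            findings[g["id"]].append("over-privileged scopes")
        if g["expires"] is None and now - g["created"] > MAX_LIFETIME:
            findings[g["id"]].append("no expiry and older than rotation window")
        if now - g["last_used"] > DORMANT_AFTER:
            findings[g["id"]].append("dormant: revoke if unneeded")
    return dict(findings)


def detect_anomalies(log):
    """Per token, compare the latest day against the earlier days: flag a call-volume
    spike and any source IP never seen in the baseline period."""
    by_token = defaultdict(list)
    for token_id, day, ip, calls in log:
        by_token[token_id].append((day, ip, calls))
    alerts = []
    for token_id, rows in by_token.items():
        rows.sort()
        history, (day, ip, calls) = rows[:-1], rows[-1]
        if not history:
            continue   # nothing to baseline against yet
        baseline = mean(c for _, _, c in history)
        if calls > SPIKE_FACTOR * baseline:
            alerts.append((token_id, f"{calls} calls on {day} vs baseline {baseline:.0f}/day"))
        if ip not in {i for _, i, _ in history}:
            alerts.append((token_id, f"first use from {ip} on {day}"))
    return alerts


if __name__ == "__main__":
    for grant_id, issues in audit_grants(GRANTS).items():
        print(grant_id, "->", "; ".join(issues))
    for token_id, msg in detect_anomalies(LOG):
        print("ALERT", token_id, msg)
```

On the constructed data, g1 is the forgotten-plugin case (departed owner, "allow all" scope, never expires), g4 is the dormant token that should simply be revoked, and g3 shows the usage pattern the monitoring item warns about: a normally quiet integration pulling 4,000 records in a day from an address it has never used before. g2, the short-lived, narrowly scoped CI token used daily from its runner, produces no findings.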

Source category: The Hacker News. Tags: Breaches, SaaS, Start, Tokens
