Safeguarding Salesforce: What You Need to Know About the OAuth Token Compromise
Rapid7, Wednesday, September 3rd, 2025
Google Cloud Threat Intelligence recently reported a data theft campaign targeting Salesforce customers through compromised OAuth tokens. In this case, attackers stole Salesforce OAuth access and refresh tokens from a third-party integration (Salesloft Drift) and used them to access and exfiltrate sensitive data, including AWS access keys, passwords, and Snowflake tokens that customers had stored in Salesforce records.
A valid OAuth token is trusted by Salesforce as proof that the user already authenticated and consented to the connected app. Multi-factor authentication (MFA) is enforced at that authorization step, not on each API call made with the token, so an attacker holding the token needs neither the user's password nor a way around MFA. A refresh token extends this: it can be exchanged for new access tokens until it is revoked, giving persistent access. Because nothing in that flow looks like a failed or unusual login, token abuse is especially difficult to detect with controls that watch for password spraying, MFA prompts, or new-device sign-ins.
What this means for potentially impacted organizations
If an attacker obtains OAuth tokens, they can read Salesforce data with whatever API scopes the connected app was granted and the data permissions of the user who authorized it, which for a sales or support integration is often broad read access to accounts, contacts, and cases. Because Salesforce treats these tokens as legitimate, the activity is indistinguishable at the login layer from the integration's normal traffic and will not raise the alarms you would expect from an account compromise. In this campaign, stolen Salesforce tokens were used to retrieve cloud credentials that users had pasted into Salesforce records, and those credentials were then leveraged to target downstream services such as AWS and Snowflake. The tokens remain valid until they are explicitly revoked, so the exposure window is not closed by rotating the user's password.
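Because the downstream damage in this campaign came from credentials sitting in Salesforce text fields, an impacted organization's first triage question is which records held secrets and therefore which keys must be rotated. The scanner below is an added example, not Rapid7's code or anything from the Salesloft or Google reports; it takes exported Salesforce records as plain Python dicts (the field names `Id`, `Subject` and `Description` match the standard Case object, but the export format is an assumption) and runs regular expressions for the credential types the write-up names. The AWS access key ID format is documented by AWS; the password and Snowflake patterns are keyword heuristics, marked as assumptions in the code. The sample records are constructed for the demonstration and use AWS's published example key, not a real one.

```python
"""Find credential material stored in exported Salesforce text fields.

Added illustration for the Salesloft Drift / Salesforce token compromise. Input is a
list of records as dicts (assumed export format); output is a list of Findings that
carry a redacted hint, never the full secret, so the report itself does not re-expose
what was stored.
"""
import re
from dataclasses import dataclass

# Credential patterns for the data types named in the incident reporting.
#  - aws_access_key_id: documented AWS format, AKIA (long-term) or ASIA (temporary)
#    followed by 16 uppercase alphanumerics.
#  - aws_secret_access_key: 40-character secret, only matched when it follows the
#    variable name, because the bare format is too generic (assumption).
#  - password / snowflake_token: keyword heuristics (assumption); tune to how your own
#    users actually paste secrets into cases.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})\b"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[=:]\s*(\S+)"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|password|pat)\s*[=:]\s*(\S+)"),
}

# Text fields to inspect on each record (Case object field names; assumption).
TEXT_FIELDS = ("Subject", "Description")


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    hint: str  # first four characters plus "***"; never the whole secret


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it during rotation."""
    return secret[:4] + "***"


def scan_records(records, fields=TEXT_FIELDS):
    """Return one Finding per credential match, in record/field/pattern order."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(rec["Id"], field, kind, redact(secret)))
    return findings


def affected_records(findings):
    """Sorted, de-duplicated record IDs whose stored secrets must be rotated."""
    return sorted({f.record_id for f in findings})


# Constructed sample export: three records with pasted secrets, one clean record.
# The AWS key pair is the example pair from AWS documentation, not a live credential.
SAMPLE_RECORDS = [
    {"Id": "500000000000001AAA", "Subject": "Deploy help",
     "Description": "Use key AKIAIOSFODNN7EXAMPLE with "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000002AAA", "Subject": "Admin portal access",
     "Description": "Customer says: password: Hunter2! for the admin portal"},
    {"Id": "500000000000003AAA", "Subject": "Data warehouse onboarding",
     "Description": "Snowflake PAT = sf_pat_abc123, account xy12345.eu-west-1"},
    {"Id": "500000000000004AAA", "Subject": "Closing ticket",
     "Description": "Thanks, resolved. Ticket passed QA."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.field:<12} {f.kind:<22} {f.hint}")
    print("rotate secrets referenced by:", affected_records(SAMPLE_RECORDS and scan_records(SAMPLE_RECORDS)))
```

Run it against a Bulk API or Data Loader export of the objects the integration could read (Cases and their comments are the usual offender) and treat every hit as a credential to rotate, not just to delete: the attacker already has a copy. Expect false positives from the password heuristic on prose like "password reset link"; that is cheaper than missing a live key.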