Token theft is a leading cause of SaaS breaches. Learn why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks.
Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of those applications depends on small pieces of data called tokens. Tokens, such as OAuth access tokens, API keys, and session tokens, act like keys to those applications. If a cybercriminal gets hold of one, they can access connected systems without much trouble.
Recent security breaches have shown that a single stolen token can bypass multi-factor authentication (MFA) and other security measures. Instead of exploiting vulnerabilities directly, attackers are leveraging token theft. It is a security concern that ties into the broader issue of SaaS sprawl and the difficulty of monitoring numerous third-party integrations.
Recent Breaches Involving Token Theft
Several real-world incidents show how stolen tokens can cause security breaches in SaaS environments:
1. Slack (Jan 2023). Attackers stole a number of Slack employee tokens and used them to gain unauthorized access to Slack's private GitHub code repositories. (No customer data was exposed, but it was a clear warning that stolen tokens can undermine internal security boundaries.)
2. CircleCI (Jan 2023). Information-stealing malware on an engineer's laptop allowed threat actors to hijack session tokens for CircleCI's systems. These tokens gave the attackers the same access as the user, even with MFA in place, enabling them to steal customer secrets from the CI platform.
3. Cloudflare/Okta (Nov 2023). In the fallout of an identity provider breach, Cloudflare rotated about 5,000 credentials. However, one unrotated API token and a few service account credentials were enough for cybercriminals to compromise Cloudflare's Atlassian environment. This incident showed how a single forgotten token can undermine an otherwise thorough incident response.
4. Salesloft/Drift (Aug 2025). The Drift chatbot (owned by Salesloft) suffered a supply-chain breach that allowed attackers to harvest OAuth tokens for integrations such as Salesforce and Google Workspace. Using these stolen tokens, they accessed hundreds of customer organizations' SaaS data. This OAuth token abuse allowed the attackers to move laterally into emails, files, and support records across platforms.
SaaS Sprawl Fuels Token Blind Spots
Why do these token-based breaches keep happening?
The problem is bigger than any single app; it is an ecosystem problem fueled by sprawling SaaS usage and hidden token trust relationships between apps.
Today, every department is leveraging SaaS tools and integrating them across systems. Employees use multiple third-party cloud services, and enterprises manage roughly 490 cloud apps, many of which are unsanctioned or not properly secured.
This heavy use of SaaS (often called SaaS sprawl) means an explosion of OAuth tokens, API keys, and app connections. Each integration introduces a non-human identity (essentially a credential) that usually isn't visible to IT or tracked by traditional identity management solutions.
The overall result is an ungoverned attack surface. A few factors commonly contribute to this blind spot:
• Lack of visibility. Many organizations do not actually know about all the SaaS apps and integrations their employees have enabled, or who authorized them. Shadow IT (employees adding apps without approval) thrives, and security teams may only discover an OAuth connection after it has caused a problem.
• No approval or oversight. Without a vetting process, users can freely connect apps such as marketing plugins or productivity tools to corporate SaaS accounts. These third-party apps often ask for broad permissions and get them, even when they are only needed briefly. Unvetted and over-privileged apps can stay connected indefinitely if nobody reviews them.
• No regular monitoring. Very few companies enforce security settings on OAuth integrations or watch these connections in real time. Tokens rarely have short lifetimes or strict scope by default, and organizations often do not restrict their use by IP or device. Logs from SaaS integrations may also not be fed into security monitoring.
Why Legacy Security Misses the Token Problem
As a result, traditional security tools have not fully caught up with this problem.
Single sign-on (SSO) and multi-factor authentication protect user logins, but OAuth tokens bypass these controls. They grant persistent trust between apps with no further verification.
A token acts on behalf of a user or service without needing a password, so an attacker who obtains a valid token can access the connected app's data as if they were already authenticated. There is no pop-up to re-check MFA when an OAuth token is used. Consequently, without specific oversight, OAuth and API tokens have become an Achilles' heel in SaaS security. Other legacy solutions, such as cloud access security brokers, focus on user-to-app traffic and do not monitor these app-to-app connections.
This gap has led to the arrival of dynamic SaaS security platforms that aim to discover and secure SaaS integrations amid SaaS sprawl. These platforms attempt to map out all the third-party apps, tokens, and privileges in use, giving back visibility and control. Whether through automated discovery (scanning for connected apps) or enforcing policies on OAuth usage, the goal is to close the SaaS security gap created by unchecked tokens.
At the end of the day, every organization, with or without new tools, can apply better token hygiene practices. You can't protect what you can't see. The first step is knowing where your tokens and SaaS integrations are. The next is controlling and monitoring them so they do not become backdoors.
Token Hygiene Checklist
The following checklist can be used to reduce risk from token compromise:
| Practice | Action | Y/N |
|---|---|---|
| Maintain OAuth App Inventory | Discover and track all third-party applications connected to your SaaS accounts. Keep an up-to-date inventory of OAuth tokens, API keys, and integrations. This provides visibility into your token footprint. | |
| Enforce App Approval | Establish a vetting process for new SaaS integrations. Require security review or admin approval before employees grant OAuth access to their accounts. This curbs unvetted apps and ensures every token issued is necessary and comes with known risks. | |
| Least-Privilege Tokens | Limit the scope and permissions of tokens to the minimum required. Avoid granting overly broad access ("allow all") when authorizing an app. For example, if an app only needs read access, do not give it read-write admin privileges. Least privilege reduces the impact if a token is stolen. | |
| Rotate Tokens Regularly | Treat long-lived tokens like expiring credentials. Configure tokens to expire after a short interval, if possible, or periodically revoke and reissue them. Regular rotation (or short lifespans) means a stolen token will quickly become useless, narrowing an attacker's window of opportunity. | |
| Remove or Alert on Unused Tokens | Identify tokens and app connections that have not been used in weeks or months. Unused tokens are latent threats; revoke them if they are not needed. Implement alerts or reports for dormant tokens so they can be cleaned up proactively, preventing forgotten credentials from lingering indefinitely. | |
| Monitor Token Activity | Enable logging and monitoring for token use across your SaaS platforms. Watch for unusual token activity, such as a normally unused integration suddenly making large data requests, or access from odd locations. Set up alerts for anomalies in token usage (e.g. a spike in API calls, or use of a token from an unfamiliar IP). | |
| Integrate Tokens into Offboarding | When employees leave or when a third-party app is retired, ensure their tokens and access keys are promptly revoked. Make token revocation a standard step in user offboarding and app lifecycle management. This prevents old credentials from persisting after they are no longer needed. | |
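As an added example (not from the original article), the following Python script implements two rows of the checklist above over a constructed token inventory and activity log: it flags tokens unused for longer than a threshold ("Remove or Alert on Unused Tokens") and alerts on token use from an unfamiliar IP or an hourly call volume far above the token's own baseline ("Monitor Token Activity"). The record formats, token ids, IP addresses and thresholds are all constructed here; a real deployment would feed the same functions from the SaaS platform's audit-log API.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed token inventory: one record per OAuth grant or API key.
TOKENS = [
    {"id": "tok-crm-sync", "app": "crm-sync", "last_used": NOW - timedelta(days=2)},
    {"id": "tok-old-plugin", "app": "marketing-plugin", "last_used": NOW - timedelta(days=120)},
    {"id": "tok-never", "app": "trial-bot", "last_used": None},  # granted but never exercised
]

# Constructed hourly activity records: (token id, source IP, API calls in that hour).
ACTIVITY = [
    ("tok-crm-sync", "203.0.113.10", 40),
    ("tok-crm-sync", "203.0.113.10", 55),
    ("tok-crm-sync", "203.0.113.10", 48),
    ("tok-crm-sync", "198.51.100.77", 900),  # unfamiliar source plus a burst of calls
]

# Source addresses each integration is expected to call from (constructed allow-list).
KNOWN_IPS = {"tok-crm-sync": {"203.0.113.10"}}

def dormant_tokens(tokens, now=NOW, max_idle_days=30):
    """Ids of tokens unused for longer than max_idle_days, or never used at all."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(t["id"] for t in tokens
                  if t["last_used"] is None or t["last_used"] < cutoff)

def anomalous_activity(records, known_ips, spike_factor=5):
    """(token id, reason) pairs: a call from an unlisted IP, or an hourly call
    count more than spike_factor times the token's baseline from known IPs."""
    alerts = set()
    for tok in {r[0] for r in records}:
        own = [r for r in records if r[0] == tok]
        trusted = known_ips.get(tok, set())
        baseline = [calls for _, ip, calls in own if ip in trusted]
        avg = mean(baseline) if baseline else None
        for _, ip, calls in own:
            if ip not in trusted:
                alerts.add((tok, f"unfamiliar IP {ip}"))
            if avg and calls > spike_factor * avg:
                alerts.add((tok, f"spike: {calls} calls vs baseline {avg:.0f}"))
    return sorted(alerts)

if __name__ == "__main__":
    print("dormant:", dormant_tokens(TOKENS))  # ['tok-never', 'tok-old-plugin']
    print("alerts:", anomalous_activity(ACTIVITY, KNOWN_IPS))
```

The baseline is computed only from calls originating at trusted addresses, so a burst from an unfamiliar IP cannot inflate its own threshold.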