The Trusted Key Problem: What the Salesloft Breach Really Exposed

Key management has always been the heart of cybersecurity. From the days of passwords to certificates, the biggest question has never changed: how do you manage and keep the integrity of keys intact?

In today’s interconnected world — where so much communicates through APIs and integrations — those keys are the master credentials that unlock the kingdom. When someone compromises them, especially the long-lived tokens used for API access, the result can be catastrophic.

That’s exactly what the recent Salesloft breach proved. In mid-September 2025, threat group UNC6395 stole OAuth tokens used by the Salesloft–Drift integration. Those stolen credentials opened a trusted gateway into customers’ Salesforce environments, giving attackers access to sensitive sales and customer data across hundreds of organizations.  

The campaign was efficient and stealthy — no malware, no exploit kits — just hijacked trust.

While the number of Salesforce customers that were impacted is unclear, the real story isn’t just about numbers. It’s about the fragility of the trust model. One compromised integration can give attackers a “master key” to connected systems downstream.

Stolen OAuth tokens: the new blueprint for breaches

I wouldn’t call this an evolution of supply-chain attacks since SolarWinds — I’d call it an awakening.  

SolarWinds taught adversaries the value of the weakest link: a highly integrated vendor that isn’t as hardened as the enterprises it serves.  

Compromise that link, and you gain access to many other targets. SolarWinds didn’t just change how attackers operate; it became the template for mass hacking.

OAuth tokens have become the new crown jewels. An OAuth token is delegation — you’re giving something else the ability to impersonate you. If I can grab that token, I become you.  

The beauty for attackers is that the victim has already granted that application permission to act on their behalf. If it’s compromised, the attacker inherits that trust. Convenience has a cost, and in this case, the cost was systemic exposure.

When convenience becomes the weakest link

The broader truth is that the more convenience we pursue without a key tenet of resilience, assuming breach as Zero Trust requires, the more control we delegate. And when someone compromises that delegation, they compromise us.

APIs make this even harder to detect because the abuse looks legitimate. APIs are like a car with tinted windows — people assume it’s you inside. The only way to know otherwise is to open the door.  

That assumption of trust makes malicious behavior almost invisible.

Even the most sophisticated organizations are vulnerable. Many don’t know all the integrations or tokens in use. Some credentials were created years ago and never rotated.  

That mix of shadow IT, social engineering, and long-lived credentials means exposure can persist for months, long after an incident appears contained.

Building a safer, breach-ready model with Zero Trust

Fixing this isn’t just a technology problem — it’s a process one. Token management, credential rotation, and continuous revalidation aren’t glamorous, but they’re essential.  

Vendors ship new features faster than security teams can test them. CISOs fight expanding risk with static budgets. Meanwhile, the attack surface can grow with every new API connection.

Business users often assume their SaaS tools are inherently secure, but without embedding them into a Zero Trust strategy, that assumption may not match reality. Often the focus is on numbers, efficiency, and customer satisfaction, not security.  

Compensation drives behavior, and because security isn’t necessarily tied to success metrics, it can be an afterthought. That’s why Zero Trust security awareness and controls must be embedded into daily operations, not treated as optional extras.

Ultimately, this breach is a wake-up call. Visibility and Zero Trust are the new perimeter. You need to see what’s normal, detect what’s not, and act fast when behavior changes.  
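The two controls this post keeps returning to, rotating long-lived integration tokens and knowing what each integration normally does so that abuse of a valid token stands out, can be reduced to a small check. The following is an added illustration, not code from Salesloft, Salesforce or the author; the token inventory, API access records, IP addresses and the 90-day rotation policy are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed data, not real logs or identifiers: OAuth tokens held by
# integrations, keyed as token id -> (integration name, issue time).
NOW = datetime(2025, 9, 20, tzinfo=timezone.utc)
TOKENS = {
    "tok-drift": ("drift-integration", datetime(2022, 3, 1, tzinfo=timezone.utc)),
    "tok-billing": ("billing-sync", datetime(2025, 8, 30, tzinfo=timezone.utc)),
}
# API access records as (token id, source IP, operation, rows returned).
BASELINE = [  # constructed history of what each token normally does
    ("tok-drift", "203.0.113.10", "query:Contact", 50),
    ("tok-billing", "198.51.100.7", "query:Opportunity", 200),
]
RECENT = [  # constructed new activity to judge against that history
    ("tok-drift", "203.0.113.10", "query:Contact", 40),
    ("tok-drift", "192.0.2.77", "query:Case", 25000),
    ("tok-billing", "198.51.100.7", "query:Opportunity", 180),
    ("tok-unknown", "192.0.2.5", "query:Account", 10),
]
MAX_TOKEN_AGE = timedelta(days=90)  # assumed rotation policy

def stale_tokens(tokens=TOKENS, now=NOW, max_age=MAX_TOKEN_AGE):
    """Tokens older than the rotation policy allows: candidates for revocation."""
    return sorted(t for t, (_, issued) in tokens.items() if now - issued > max_age)
def build_profile(events=BASELINE):
    """Per-token picture of 'normal': source IPs, operations, largest result."""
    prof = defaultdict(lambda: {"ips": set(), "ops": set(), "max_rows": 0})
    for tok, ip, op, rows in events:
        p = prof[tok]
        p["ips"].add(ip)
        p["ops"].add(op)
        p["max_rows"] = max(p["max_rows"], rows)
    return prof

def detect(events=RECENT, profile=None, tokens=TOKENS, ratio=5):
    """Flag a valid token acting unlike its own history, or one nobody inventoried."""
    profile = build_profile() if profile is None else profile
    alerts = []
    for tok, ip, op, rows in events:
        if tok not in tokens or tok not in profile:  # inventory gap
            alerts.append((tok, "no-inventory-or-baseline"))
            continue
        p = profile[tok]
        if ip not in p["ips"]:
            alerts.append((tok, f"new-source:{ip}"))
        if op not in p["ops"]:
            alerts.append((tok, f"new-operation:{op}"))
        if rows > ratio * p["max_rows"]:
            alerts.append((tok, f"bulk-volume:{rows}"))
    return alerts
```

In the constructed data the old, never-rotated integration token is flagged for rotation, and the same token's sudden bulk query of a new object from a new address is reported while its routine traffic stays quiet.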

Because once an attacker holds a trusted key, the door to your digital kingdom may be open.

Michael Adjei

Director, Systems Engineering

Ready to learn more about Zero Trust Segmentation?