
Token theft is a leading cause of SaaS breaches. Learn why OAuth and API tokens are often overlooked and how security teams can improve token hygiene to prevent attacks.
Most businesses in 2025 rely on all kinds of Software-as-a-Service (SaaS) applications to get their jobs done. However, the security of these applications depends on small pieces of data called tokens. Tokens such as OAuth access tokens, API keys, and session tokens act like keys for these applications. Once cybercriminals have one of these, they can access the related systems without much trouble.
Recent security breaches have shown that it only takes one stolen token to bypass multi-factor authentication (MFA) and other security measures. Rather than directly exploiting vulnerabilities, attackers rely on token theft. This is a security concern related to the broader issue of SaaS sprawl and the difficulty of monitoring the myriad of third-party integrations.
Recent breaches related to token theft
Many real-world events demonstrate how stolen tokens can cause security breaches in SaaS environments.
1. Slack (January 2023). The attackers stole numerous Slack employee tokens and used them to gain unauthorized access to Slack’s private GitHub code repositories. (No customer data was compromised, but it was a clear warning that stolen tokens could weaken internal security barriers.)
2. CircleCI (January 2023). Information-stealing malware on an engineer’s laptop allowed attackers to hijack session tokens for CircleCI’s systems. Such tokens give attackers the same access as the user, allowing them to steal customer secrets from the CI platform, even when MFA is configured.
3. Cloudflare/Okta (November 2023). Cloudflare rotated approximately 5,000 credentials as a result of the identity provider breach. However, a single unrotated API token and a few service account credentials were enough for cybercriminals to compromise Cloudflare’s Atlassian environment. This incident demonstrated how one forgotten token can derail a thorough incident response.
4. Salesloft/Drift (August 2025). The Drift chatbot (owned by Salesloft) suffered a supply chain breach that allowed attackers to collect OAuth tokens for integrations such as Salesforce and Google Workspace. The stolen tokens were used to access SaaS data for hundreds of customer organizations. This OAuth token exploitation allowed attackers to move emails, files, and support records laterally across platforms.
SaaS sprawl expands token blind spots
Why do token-based breaches like this keep happening?
This problem is bigger than a single app: it is an ecosystem problem fueled by unregulated SaaS usage and hidden token trust relationships between apps.
Every department is now leveraging SaaS tools and integrating them across their systems. Employees use multiple third-party cloud services, and businesses manage approximately 490 cloud apps, many of which are unlicensed or not properly secured.
This high SaaS usage (often referred to as SaaS sprawl) means an explosion of OAuth tokens, API keys, and app connections. Each integration introduces a non-human identity (essentially a credential) that is typically not visible to IT or tracked by traditional identity management solutions.
The overall result of this is an unmanaged attack surface. Generally, several factors contribute to this blind spot.
• Lack of visibility. Many organizations don’t actually know all the SaaS apps and integrations that their employees have enabled, or who approved them. Shadow IT (employees adding apps without approval) is prevalent, and security teams may only discover OAuth connections after an issue occurs.
• No approval or oversight. Users are free to connect apps like marketing plugins and productivity tools to their company’s SaaS account without any vetting process. These third-party apps often request and obtain extensive permissions, even if they are only temporarily needed. Unvetted apps or apps with excessive privileges can remain connected indefinitely if no one reviews them.
• No regular monitoring. Few companies apply security settings to their OAuth integrations or monitor these connections in real time. Tokens are rarely short-lived or narrowly scoped by default, and organizations often do not restrict token usage by IP or device. Logs from SaaS integrations may also never be fed into security monitoring.
Why traditional security is overlooking the token issue
As a result, traditional security tools are completely incapable of addressing this issue.
Single sign-on (SSO) and multi-factor authentication protect user logins, but OAuth tokens bypass these controls, granting persistent trust between apps without additional validation.
The token acts on behalf of the user or service without requiring a password, so an attacker who obtains a valid token can access connected app data as if they were already authenticated. When OAuth tokens are used, there is no pop-up to reconfirm MFA. As a result, without special oversight, OAuth and API tokens have become the Achilles’ heel of SaaS security. Other traditional solutions, such as cloud access security brokers, focus on user-to-app traffic and do not monitor connections between these apps.
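The paragraph above and the earlier point that tokens are rarely short-lived, narrowly scoped, or restricted by IP describe the same weakness from two sides: possession of the token is the whole proof. The following Python is an added illustration (not code from the original article or from any vendor it names) of the checks a SaaS API would have to make so that a copied token is not enough on its own. The token record layout, the `issue_token` and `authorize` names, the scope strings and the IP ranges are constructed assumptions.

```python
"""Expiry, scope and network checks for a SaaS API token.

Added example: the token record layout, the function names and the sample
IP ranges are constructed assumptions, not any vendor's real format or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class IssuedToken:
    token_id: str
    subject: str                    # user or integration the token acts for
    scopes: frozenset               # permissions granted at consent time
    issued_at: datetime
    expires_at: Optional[datetime]  # None means never expires (the weak default)
    allowed_networks: tuple = ()    # networks the token may be presented from; empty means anywhere


def issue_token(token_id, subject, scopes, issued_at, lifetime=None, allowed_networks=()):
    """Mint a token record.

    lifetime=None with no allowed_networks reproduces the 'long-lived, usable from
    anywhere' default; a short lifetime plus a network binding is the hardened form.
    """
    expires_at = issued_at + lifetime if lifetime is not None else None
    networks = tuple(ipaddress.ip_network(n) for n in allowed_networks)
    return IssuedToken(token_id, subject, frozenset(scopes), issued_at, expires_at, networks)


def authorize(token, required_scope, source_ip, now):
    """Decide whether a presented token may perform an action needing required_scope.

    Returns (allowed, reason). No password or MFA step is involved: possession of
    the token is the whole proof, which is why the bound checks below matter.
    """
    if token.expires_at is not None and now >= token.expires_at:
        return False, "expired"
    if required_scope not in token.scopes:
        return False, f"missing scope {required_scope}"
    if token.allowed_networks:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in token.allowed_networks):
            return False, f"presented from unexpected network {source_ip}"
    return True, "ok"


def compare_policies():
    """Constructed scenario: the same integration token is replayed 30 days after
    issue from an address outside the integration's network, which is what a
    stolen token looks like. Returns each policy's decision for that replay, plus
    the hardened token's behaviour on a legitimate call, a call asking for more
    than it was granted, and an in-lifetime call from the wrong network."""
    t0 = datetime(2025, 9, 1, tzinfo=timezone.utc)
    weak = issue_token("tok-weak", "crm-sync",
                       ["read:contacts", "write:contacts", "admin"], t0)
    hardened = issue_token("tok-hard", "crm-sync", ["read:contacts"], t0,
                           lifetime=timedelta(hours=1),
                           allowed_networks=["203.0.113.0/24"])  # documentation range
    replay_time = t0 + timedelta(days=30)
    replay_ip = "198.51.100.7"                       # outside the bound range
    legit_time, legit_ip = t0 + timedelta(minutes=5), "203.0.113.10"
    return {
        "weak_replay": authorize(weak, "read:contacts", replay_ip, replay_time),
        "hardened_replay": authorize(hardened, "read:contacts", replay_ip, replay_time),
        "hardened_legit": authorize(hardened, "read:contacts", legit_ip, legit_time),
        "hardened_wrong_scope": authorize(hardened, "write:contacts", legit_ip, legit_time),
        "hardened_wrong_network": authorize(hardened, "read:contacts", replay_ip, legit_time),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in compare_policies().items():
        print(f"{case:24s} -> {'allowed' if allowed else 'denied'} ({reason})")
```

The order of the checks is deliberate: expiry is evaluated before anything else, so a token that has outlived its lifetime is rejected regardless of where it comes from, and the scope check runs before the network check so an over-privileged request is visible as such even from a trusted address.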
This gap has led to the emergence of dynamic SaaS security platforms aimed at discovering and securing SaaS integrations amid SaaS sprawl. These platforms attempt to regain visibility and control by mapping all third-party apps, tokens, and permissions in use. Whether through automatic discovery (scanning connected applications) or enforcement of policies regarding OAuth usage, the goal is to close the SaaS security gap created by unchecked tokens.
At the end of the day, every organization can apply better token hygiene, with or without new tools. You can’t protect what you can’t see. The first step is knowing where your tokens and SaaS integrations are. The next step is to control and monitor them so they don’t become a backdoor.
Token hygiene checklist
You can use the following checklist to reduce the risk of token compromise.
Practice / Actions (mark Y/N against each practice once it is in place)
• Maintain an inventory of OAuth apps. Discover and track all third-party applications connected to your SaaS accounts. Maintain an up-to-date inventory of OAuth tokens, API keys, and integrations. This makes the token footprint visible.
• Enforce app approval. Establish a vetting process for new SaaS integrations. Require a security review or administrator approval before employees can grant an app OAuth access to their accounts. This keeps unvetted apps out and ensures that each token issued is actually needed and carries a known risk.
• Least-privilege tokens. Limit the scope and privileges of tokens to the minimum necessary. When approving apps, don’t grant overly broad access (‘allow all’). For example, if an app only needs read access, don’t give it read/write administrator permissions. Least privilege reduces the impact if a token is stolen.
• Rotate tokens regularly. Treat long-lived tokens as credentials that should already have expired. Where possible, configure tokens to expire after a short period, or revoke and reissue them periodically. Regular rotation (or a short lifespan) means stolen tokens quickly become useless, narrowing the attacker’s window of opportunity.
• Remove or alert on unused tokens. Identify tokens and app connections that have been unused for weeks or months. Unused tokens are a potential threat, so revoke them if you don’t need them. Implement alerts or reporting for dormant tokens so they are cleaned up proactively and forgotten credentials do not linger indefinitely.
• Monitor token activity. Enable logging and monitoring of token usage across your SaaS platforms. Watch for unusual token activity, such as a rarely used integration suddenly making large data requests or being used from unexpected locations. Set up alerts for token usage anomalies, such as spikes in API calls or token use from unfamiliar IPs.
• Integrate tokens into offboarding. When an employee leaves the company or a third-party app is retired, revoke their tokens and access keys immediately. Make token revocation a standard step in user offboarding and app lifecycle management so old credentials do not persist after they are no longer needed.
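Several of the checklist items (inventory, rotation, dormant tokens, least privilege, and monitoring for spikes and unfamiliar IPs) can be checked from two data sources a team usually already has: a token inventory and API usage logs. The Python below is an added example, not a vendor tool or code from the article, that runs those checks over a constructed inventory and a few constructed log lines. The inventory shape, the log line layout, the 30-day dormancy, 90-day rotation and 5x spike thresholds, and the IP addresses are all assumptions.

```python
"""Token hygiene audit over a constructed inventory and usage log.

Added example, not a vendor tool: the inventory shape, log line layout and
thresholds are assumptions chosen to exercise the checklist items.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re
import statistics

# Constructed inventory: token id -> (owning integration, issue time, granted scopes)
INVENTORY = {
    "tok-01": ("crm-sync",       "2025-01-15T00:00:00Z", {"read:contacts"}),
    "tok-02": ("slack-notifier", "2025-08-01T00:00:00Z", {"chat:write"}),
    "tok-03": ("old-reporting",  "2024-11-01T00:00:00Z", {"read:all", "admin"}),
    "tok-04": ("hr-export",      "2025-09-01T00:00:00Z", {"read:employees"}),
}

# Constructed usage log: one line per token per day with the calling source IP
# and the number of API calls it made. tok-01's last line is the anomaly.
USAGE_LOG = """\
2025-09-10T08:00:00Z token=tok-01 ip=203.0.113.5 calls=40
2025-09-11T08:00:00Z token=tok-01 ip=203.0.113.5 calls=38
2025-09-12T08:00:00Z token=tok-01 ip=203.0.113.5 calls=41
2025-09-13T08:00:00Z token=tok-01 ip=198.51.100.9 calls=900
2025-09-12T09:00:00Z token=tok-02 ip=203.0.113.20 calls=5
2025-09-13T09:00:00Z token=tok-02 ip=203.0.113.20 calls=6
2025-07-01T09:00:00Z token=tok-03 ip=203.0.113.30 calls=2
"""

NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)   # audit time for the sample
LINE = re.compile(r"^(?P<ts>\S+) token=(?P<token>\S+) ip=(?P<ip>\S+) calls=(?P<calls>\d+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append({"ts": parse_ts(m["ts"]), "token": m["token"],
                           "ip": m["ip"], "calls": int(m["calls"])})
    return events


def audit(inventory, events, now, dormant_days=30, rotate_days=90, spike_factor=5.0):
    """Return (token_id, finding, detail) triples for the checklist items that can
    be checked from data: untracked tokens, rotation age, dormancy, broad scope,
    new source IPs, and call-volume spikes against the token's own history."""
    findings = []
    by_token = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_token[e["token"]].append(e)

    # Inventory check: anything active that nobody is tracking is a blind spot.
    for tok in list(by_token):
        if tok not in inventory:
            findings.append((tok, "not-in-inventory", "seen in logs but not tracked"))

    for tok, (app, issued, scopes) in inventory.items():
        age = now - parse_ts(issued)
        if age > timedelta(days=rotate_days):
            findings.append((tok, "rotation-overdue", f"{app}: issued {age.days} days ago"))
        # A token that was never used counts as idle since it was issued.
        idle = now - by_token[tok][-1]["ts"] if by_token[tok] else age
        if idle > timedelta(days=dormant_days):
            findings.append((tok, "dormant", f"{app}: unused for {idle.days} days"))
        if "admin" in scopes or any(s.endswith(":all") for s in scopes):
            findings.append((tok, "broad-scope", f"{app}: {sorted(scopes)}"))

    # Behavioural checks: each token's baseline is its own earlier activity.
    for tok, evs in by_token.items():
        known_ips, history = set(), []
        for e in evs:
            if known_ips and e["ip"] not in known_ips:
                findings.append((tok, "new-source-ip", f"{e['ip']} first seen {e['ts'].date()}"))
            known_ips.add(e["ip"])
            if len(history) >= 2 and e["calls"] > spike_factor * statistics.median(history):
                findings.append((tok, "call-spike",
                                 f"{e['calls']} calls vs median {statistics.median(history):.0f}"))
            history.append(e["calls"])
    return findings


def run_sample_audit():
    return audit(INVENTORY, parse_log(USAGE_LOG), NOW)


if __name__ == "__main__":
    for tok, kind, detail in run_sample_audit():
        print(f"{tok} {kind:18s} {detail}")
```

On the sample data the audit flags tok-03 three times (overdue for rotation, dormant since July, and holding admin and read:all scopes), which is the profile of the forgotten credential the Cloudflare incident above turned on, and flags tok-01 for a first-seen IP and a twenty-fold jump in calls on the same day, the pattern the monitoring item in the checklist is meant to catch. Thresholds are parameters so a team can tune them to its own baseline.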