Token theft is a leading cause of SaaS breaches. Discover why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks.
Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of these applications depends on small pieces of data called tokens. Tokens, like OAuth access tokens, API keys, and session tokens, work like keys to these applications. If a cybercriminal gets hold of one, they can access relevant systems without much trouble.
Recent security breaches have shown that just one stolen token can bypass multi-factor authentication (MFA) and other security measures. Instead of exploiting vulnerabilities directly, attackers are leveraging token theft. It’s a security concern that ties into the broader issue of SaaS sprawl and the difficulty of monitoring countless third-party integrations.
Recent Breaches Involving Token Theft
A lot of real-world events show us how stolen tokens can cause security breaches in SaaS environments:
1. Slack (Jan 2023). Attackers stole a number of Slack employee tokens and used them to gain unauthorized access to Slack’s private GitHub code repositories. (No customer data was exposed, but it was a clear warning that stolen tokens can undermine internal security barriers.)
2. CircleCI (Jan 2023). Information-stealing malware on an engineer’s laptop allowed threat actors to hijack session tokens for CircleCI’s systems. Those tokens gave the attackers the same access as the user, even with MFA in place, enabling them to steal customer secrets from the CI platform.
3. Cloudflare/Okta (Nov 2023). In the fallout of an identity provider breach, Cloudflare rotated about 5,000 credentials. However, one unrotated API token and some service account credentials were enough for cybercriminals to compromise Cloudflare’s Atlassian environment. This incident showed how a single forgotten token can undermine an otherwise thorough incident response.
4. Salesloft/Drift (Aug 2025). The Drift chatbot (owned by Salesloft) suffered a supply-chain breach that allowed attackers to harvest OAuth tokens for integrations like Salesforce and Google Workspace. Using those stolen tokens, they accessed hundreds of customer organizations’ SaaS data. This OAuth token abuse allowed the attackers to move laterally into emails, files, and support records across platforms.
SaaS Sprawl Fuels Token Blind Spots
Why do these token-based breaches keep happening?
The issue is bigger than any single app, it’s an ecosystem problem fueled by sprawling SaaS usage and hidden token trust relationships between apps.
Today, every department is leveraging SaaS tools and integrating them across systems. Employees use multiple third-party cloud services, and enterprises manage roughly 490 cloud apps, many of which are unsanctioned or not properly secured.
This high usage of SaaS (often called SaaS sprawl) means an explosion of OAuth tokens, API keys, and app connections. Each integration introduces a non-human identity (essentially a credential) that usually isn’t visible to IT or tracked by traditional identity management solutions.
The overall result of this is an ungoverned attack surface. A few factors generally contribute to this blind spot:
• Lack of visibility. Many organizations don’t actually know about all the SaaS apps and integrations their employees have enabled, or who authorized them. Shadow IT (employees adding apps without approval) flourishes, and security teams may only discover an OAuth connection after it has created a problem.
• No approval or oversight. Without a vetting process, users can freely connect apps like marketing plugins or productivity tools to corporate SaaS accounts. These third-party apps often ask for broad permissions and get them, even if they’re only needed temporarily. Unvetted and over-privileged apps can sit connected indefinitely if nobody reviews them.
• No regular monitoring. Very few companies enforce security settings on OAuth integrations or watch these connections in real time. Tokens rarely have short lifetimes or strict scope by default, and organizations often don’t limit their usage by IP or device. Logs from SaaS integrations might also not be fed into security monitoring.
Why Legacy Security Misses the Token Problem
As such, traditional security tools haven’t fully caught up to this problem at all.
Single sign-on (SSO) and multi-factor authentication protect user logins, but OAuth tokens bypass these controls. They grant persistent trust between apps with no further verification.
A token acts on behalf of a user or service without needing a password, so an attacker who obtains a valid token can access the connected app’s data as if they were already authenticated. There’s no pop-up to re-check MFA when an OAuth token is used. As a result, without special oversight, OAuth and API tokens have become an Achilles’ heel in SaaS security. Other legacy solutions, like cloud access security brokers, focus on user-to-app traffic and don’t monitor these app-to-app connections.
This gap has led to the arrival of dynamic SaaS security platforms that aim to discover and secure SaaS integrations amid SaaS sprawl. These platforms attempt to map out all the third-party apps, tokens, and privileges in use, giving back visibility and control. Whether through automated discovery (scanning for connected apps) or enforcing policies on OAuth usage, the goal is to close the SaaS security gap created by unchecked tokens.
At the end of the day, every organization, with or without new tools, can apply better token hygiene practices. You can’t protect what you can’t see. The first step is knowing where your tokens and SaaS integrations are. The next is controlling and monitoring them so they don’t become backdoors.
Token Hygiene Checklist
The following checklist can be used to reduce risk from token compromise:
| Practice | Action | Y/N |
|---|---|---|
| Maintain OAuth App Inventory | Discover and track all third-party applications connected to your SaaS accounts. Keep an updated inventory of OAuth tokens, API keys, and integrations. This provides visibility into your token footprint. | |
| Enforce App Approval | Establish a vetting process for new SaaS integrations. Require security review or admin approval before employees grant OAuth access to their accounts. This curbs unvetted apps and ensures each token issued is necessary and comes with known risks. | |
| Least-Privilege Tokens | Limit the scope and permissions of tokens to the minimum required. Avoid granting overly broad access (“allow all”) when authorizing an app. For example, if an app only needs read access, don’t give it read-write admin privileges. Least privilege reduces the impact if a token is stolen. | |
| Rotate Tokens Regularly | Treat long-lived tokens like expiring credentials. Configure tokens to expire after a short period, if possible, or periodically revoke and reissue them. Regular rotation (or short lifespans) means a stolen token will quickly become useless, narrowing an attacker’s window of opportunity. | |
| Remove or Alert on Unused Tokens | Identify tokens and app connections that haven’t been used in weeks or months. Unused tokens are latent threats – revoke them if they’re not needed. Implement alerts or reports for dormant tokens so that they can be cleaned up proactively, preventing forgotten credentials from lingering indefinitely. | |
| Monitor Token Activity | Enable logging and monitoring for token use across your SaaS platforms. Watch for unusual token activity, such as a normally unused integration suddenly making large data requests or access from odd locations. Set up alerts for anomalies in token usage (e.g. a spike in API calls, or use of a token from an unfamiliar IP). | |
| Integrate Tokens into Offboarding | When employees leave or when a third-party app is retired, ensure their tokens and access keys are promptly revoked. Make token revocation a standard step in user offboarding and app lifecycle management. This prevents old credentials from persisting after they’re no longer needed. |
About The Author
Original post here
