All news with #oauth app abuse tag

🔐 Token theft is now a primary vector for SaaS breaches, with stolen OAuth, API keys, and session tokens enabling attackers to bypass MFA and access integrated services. High-profile incidents from 2023 to 2025 show how a single unrotated token can compromise code, secrets, or customer data across platforms. Teams should prioritize discovery, continuous monitoring, and strict token hygiene—rotation, least-privilege scopes, approval workflows, and prompt revocation.

🛡️ Modern cloud work lives across email, files, chat, and a mesh of integrations, and attackers increasingly exploit trusted OAuth grants rather than compromising accounts directly. In early August the actor behind recent Salesforce intrusions used stolen Drift email tokens to access a small set of Google Workspace mailboxes; Google revoked the tokens and disabled the integration on August 9. Material Security advocates shifting from perimeter-only defenses to content-centric controls such as message-level MFA, OAuth governance, and automated containment to make stolen tokens far less damaging.

🔓 The Trinity of Chaos collective has opened a data leak site on the TOR network, publishing previously undisclosed records tied to past breaches and listing 39 major global firms. Resecurity says the group claims more than 1.5 billion records across 760 companies and has set an October 10 negotiation deadline. Samples reportedly contain substantial PII and appear to stem from compromised SaaS environments via stolen OAuth tokens and vishing; the FBI has issued a flash alert. The group also threatened to leverage existing litigation and regulatory complaints against Salesforce, which has denied new vulnerabilities.

🔓 The Scattered Lapsus$ Hunters gang opened a public data-leak site claiming it stole Salesforce data from dozens of global companies, including Salesforce, Toyota, FedEx, Disney/Hulu, Marriott and Google. The group set an Oct. 10 deadline for ransom payments and threatened to publish or even use stolen documents in legal actions if demands are not met. Salesforce says its investigation found no indication the platform itself was compromised and attributes the incidents to past or unsubstantiated claims. Researchers link many breaches to vishing that installs malicious connected apps and to compromised OAuth tokens in Salesloft Drift, underscoring a broader SaaS supply-chain risk.

🔒 Google Threat Intelligence Group (GTIG) tracks UNC6040, a financially motivated cluster that uses telephone-based social engineering to compromise SaaS environments, primarily targeting Salesforce. Operators trick users into authorizing malicious connected apps—often a fake Data Loader—to extract large datasets. The guidance prioritizes identity hardening, strict OAuth and API governance, device trust, and targeted logging and SIEM detections to identify rapid exfiltration and cross‑SaaS pivots.

📩 Attackers abused GitHub's notification system to send fake Y Combinator W2026 invitations by creating issues and tagging users so the platform would deliver legitimate-looking emails. The lure promised participation in a purported $15 million funding program and linked to a typo-squatted domain. That site ran obfuscated JavaScript and presented an EIP-712-style wallet verification prompt that, when signed, authorized draining transactions.

🔒 The ShinyHunters extortion group claims they stole approximately 1.5 billion Salesforce records from 760 companies by abusing compromised Salesloft Drift and Drift Email OAuth tokens exposed in a Salesloft GitHub breach. The attackers reportedly accessed Account, Contact, Case, Opportunity, and User tables and searched exfiltrated data for secrets to pivot further. Google/Mandiant and the FBI are tracking the activity as UNC6040/UNC6395, and Salesforce urges customers to enable MFA, enforce least privilege, and manage connected apps carefully.

🔒 On September 29 at 12:00 PM ET, BleepingComputer and SC Media will host a live webinar featuring browser security experts from Push Security to examine how modern web browsers have become a primary enterprise attack surface. The session will cover malicious and shadow extensions, session token theft, OAuth abuse, and emerging ClickFix and FileFix techniques, plus mitigation strategies. Attendees will learn practical detection and response approaches to protect SaaS sessions, restore visibility at the web edge, and close gaps missed by traditional endpoint and identity controls.

🔒 Browser-targeted attacks are rising as adversaries treat the browser as the primary access point to cloud services and corporate data. The article defines browser-based attacks and enumerates six high-risk techniques: credential and session phishing, ClickFix-style copy-and-paste exploits, malicious OAuth consent flows, rogue extensions, malicious file delivery, and credential reuse where MFA gaps exist. These vectors are effective because modern work happens in decentralized SaaS environments and across many delivery channels, making traditional email- and network-centric defenses less reliable. The piece highlights visibility gaps for security teams and points to vendor platforms such as Push Security that claim to provide in-browser detection and remediation for AiTM phishing, OAuth abuse, and session hijacking.

🔔 The FBI issued a FLASH advisory linking two threat clusters, UNC6040 and UNC6395, to intrusions of corporate Salesforce environments that resulted in data theft and extortion. Early campaigns relied on social engineering and malicious Data Loader OAuth apps to mass-exfiltrate Accounts and Contacts, while later activity used stolen Salesloft/Drift OAuth and refresh tokens to access support cases and harvest secrets. Multiple large enterprises were impacted and the FBI released IOCs to help organizations detect and mitigate compromise.

⚠️ The FBI released IoCs linking two threat clusters, UNC6040 and UNC6395, to a series of data theft and extortion attacks that targeted organizations' Salesforce environments. UNC6395 exploited compromised OAuth tokens tied to the Salesloft Drift app after a March–June 2025 GitHub breach, prompting Salesloft to isolate Drift and take its AI chatbot offline. UNC6040, active since October 2024, used vishing, a modified Data Loader and custom Python scripts to hijack instances and exfiltrate bulk data, while extortion activity has been associated with actors using the ShinyHunters brand.

🔐 This Unit 42 report describes how compromised OAuth tokens in third‑party integrations create severe supply‑chain exposure, using recent incidents as examples. It highlights three recurring weaknesses: dormant integrations, insecure token storage and long‑lived credentials, and explains how attackers exploit these to exfiltrate data and pivot. The authors recommend token posture management, encrypted secret storage and centralized runtime monitoring to detect and revoke abused tokens quickly.

🔒 Researchers disclosed two coordinated campaigns that distribute fake browser extensions via malvertising and counterfeit sites to steal credentials, session tokens, and hijack Meta business accounts. Bitdefender documented ads pushing a fake "Meta Verified" add‑on named SocialMetrics Pro that harvests Facebook session cookies and exfiltrates them to a Telegram bot while also querying ipinfo[.]io for IP data. Cybereason described a separate campaign using counterfeit sites promoting a bogus Madgicx Plus platform and multiple rogue Chrome extensions that request broad site access, capture Google identity data, then pivot to Facebook to facilitate account takeover.

🔒 Salesloft confirmed that a threat actor gained access to its GitHub account between March and June 2025, using that access to download repositories, add a guest user and create workflows. The attacker then moved into the Drift app environment, obtained OAuth tokens and used Drift integrations to access customers’ Salesforce instances and exfiltrate secrets. Affected customers include security vendors such as Tenable, Qualys, Palo Alto Networks, Cloudflare and Zscaler. Google Mandiant performed containment, rotated credentials and validated segmentation; the incident is now in forensic review.

🔐 Tenable and Qualys reported limited unauthorized access to parts of their Salesforce records after attackers stole OAuth tokens from the Salesloft Drift integration. The incidents exposed support-case subject lines, initial descriptions and basic business contact details, but neither vendor's products or core services were affected. Both firms disabled the Salesloft Drift app, revoked or rotated credentials, and said they are working with Salesforce and investigators to contain the impact.

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

🔒 This article outlines six browser-based attack techniques—phishing with reverse-proxy AitM kits, ClickFix/FileFix command-injection lures, malicious OAuth grants, rogue extensions, weaponized file downloads, and credential attacks exploiting MFA gaps—that security teams must prioritize in 2025. It explains why the browser has become the primary attack surface as users access hundreds of cloud apps, and why traditional email/network controls and endpoint defenses often miss these threats. The piece argues that effective detection requires real-time browser-level visibility and management across managed and unmanaged apps, highlighting Push Security as a vendor offering such capabilities.

🔒 Cloudflare and Palo Alto Networks disclosed that threat actors accessed their Salesforce tenants via the third‑party Salesloft Drift app after compromising OAuth tokens. Cloudflare reported reconnaissance on 9 August 2025 and said data was exfiltrated from Salesforce case objects between 12–17 August 2025. The exposed fields principally contained support case text and business contact information; Cloudflare identified 104 API tokens and has rotated them, urging customers to rotate any credentials shared in cases. Google’s Threat Intelligence Group links the activity to UNC6395 and warns harvested data may be used for targeted follow‑on attacks.

🔒 Salesloft said it will temporarily take its Drift chatbot service offline after a supply-chain compromise led to the mass theft of OAuth and refresh tokens tied to the Drift AI chat agent. The outage is intended to allow a comprehensive security review and build additional resiliency; Drift chatbot functionality and access will be unavailable during the process. Salesloft is working with cybersecurity partners Mandiant and Coalition while investigators, including Google Threat Intelligence Group, attribute the campaign to UNC6395 and report that more than 700 organizations may be affected.

🔒 Cloudflare disclosed attackers accessed a Salesforce instance used for internal customer case management in a broader Salesloft Drift supply‑chain breach, exposing 104 Cloudflare API tokens and the text contents of support case objects. Cloudflare was notified on August 23, rotated all exfiltrated platform-issued tokens, and began notifying impacted customers on September 2. The company said only text fields were stolen — subject lines, case bodies and contact details — but warned customers that any credentials shared via support tickets should be considered compromised and rotated immediately.