A threat group that had accessed Salesloft’s GitHub and AWS environments beginning in March ran a campaign in mid-August that stole OAuth tokens used by Drift customers. Nearly 700 companies, including over 20 cybersecurity vendors, were affected in what Google researchers called a widespread data theft effort. Although targeted by the same adversary over the same timeline, Okta and Zscaler fared differently: Okta’s preconfigured IP restrictions blocked the attacks, whereas Zscaler suffered a breach of customer information because an OAuth token remained active even after Drift had been discontinued.
The attack underscores significant risks in current token storage and authentication mechanisms, which lack safeguards such as Demonstrating Proof of Possession (DPoP) that would prevent a stolen token from being reused. Companies find IP restrictions hard to implement because the process is manual and requires cooperation across vendors. The incident shows that APIs are increasingly critical attack vectors that need better monitoring, token management, and preventive controls, including detection of behavioral anomalies. Both security teams stress collective vendor accountability and collaboration to raise security standards and avoid future breaches.
Zscaler’s experience highlights the danger of delayed token revocation, while Okta’s success illustrates the value of proactive defensive measures. The event serves as a wake-up call for the SaaS industry to prioritize robust security in API handling so that sensitive customer data stays protected across interconnected platforms. Industry leaders emphasize learning lessons rather than assigning blame in the pursuit of better cybersecurity practices.
👉 Read the original: CyberScoop