How 700 Enterprises Got Breached Through Apps Their Teams Forgot They Authorized
Photo by Zulfugar Karimov on Unsplash
- OAuth tokens — persistent login permissions granted to third-party apps — do not expire when employees leave, passwords change, or vendors are decommissioned, creating permanent backdoors unless manually revoked by an admin.
- Threat actor UNC6395 used stolen OAuth refresh tokens to breach over 700 organizations, including Cloudflare, Palo Alto Networks, and Proofpoint, across a ten-day window in August 2025 — bypassing MFA entirely.
- 97% of non-human identities (NHIs), including OAuth tokens and API keys, carry excessive privileges, according to the 2026 NHI Reality Report by the Cyber Strategy Institute.
- Only 15% of organizations report high confidence in preventing NHI-based attacks, while the average enterprise now manages over 250,000 such credentials with almost no active monitoring.
The Evidence
Seven hundred organizations. Ten days. One credential type that nearly every security team has quietly stopped watching.
According to reporting aggregated by Google News and detailed analysis from The Hacker News and AppOmni, a threat actor tracked as UNC6395 compromised Salesforce environments at more than 700 companies between August 9 and 17, 2025 — without cracking a single password or triggering a multi-factor authentication prompt. The entry point was OAuth refresh tokens (persistent credentials that let third-party apps access your accounts without requiring users to log in again), likely stolen through earlier phishing campaigns and then held until deployed at scale across a coordinated ten-day operation.
The confirmed victim list reads like a directory of enterprise security vendors: Cloudflare, Palo Alto Networks, Proofpoint, and Zscaler were all among the breached organizations. Three months later, in November 2025, a separate group tracked as ShinyHunters (UNC6040) executed a second-wave attack using a stolen Gainsight OAuth token sourced from previously compromised Salesloft and Drift customer support data — demonstrating how a single upstream compromise can cascade silently across an entire SaaS supply chain before any organization in the chain realizes what happened.
The structural flaw, as Obsidian Security's NHI Security Guide documents, is architectural: "A static, permanent API key or service account provides an attacker with a stable and often unnoticed backdoor. Orphaned NHIs retain active credentials but exist outside monitoring systems — they become invisible entry points that attackers specifically target." Unlike a stolen password, a stolen OAuth token bypasses MFA entirely, leaves no failed-login alert in your SIEM, and stays valid indefinitely. When an employee leaves, their Slack integration to Salesforce doesn't leave with them. When a team stops using a productivity software tool, the read/write permission it holds to your Google Workspace stays open.
What It Means for Your Team's Security Posture
Building on that structural reality, consider what it means at the scale most businesses now operate. Think of OAuth tokens as physical spare keys. Every time your team authorizes a new workflow automation tool, team collaboration add-on, or AI-powered app, you hand it a key that works independently of your login credentials — a key that remains functional even if you change every lock in the building.
The Cloud Security Alliance's 2026 State of NHI and AI Security report, covered in depth by CSO Online, found that the average enterprise manages over 250,000 NHIs (non-human identities — credentials used by apps and automated systems rather than people) across cloud environments, with machine-to-human identity ratios running 100:1 and in some environments as high as 500:1. For a company of 500 employees, that can mean 50,000 to 250,000 active app credentials operating in the background, most of them unmonitored, many of them connected to sensitive data systems.
Chart: The gap between organizations that recognize NHI risk (69%) and those with high confidence in preventing it (15%) represents the vulnerability window that campaigns like UNC6395 systematically exploit.
The confidence gap behind those bars is worth sitting with. The 2026 NHI Reality Report from the Cyber Strategy Institute found that 97% of NHIs carry excessive privileges — access far beyond what their actual function requires. That single figure, combined with the 15% prevention confidence rate and the 250,000-credential scale, is the threat model in three numbers. Security Boulevard and Proofpoint telemetry both documented that AI-related cyberattacks grew nearly 490% year-over-year through 2025–2026, with more than 80% of SaaS and AI security incidents exposing sensitive or regulated data. As the Smart AI Agents blog observed in its coverage of the architecture shift reshaping enterprise software, the rapid expansion of agentic AI tools is layering a new class of NHIs — autonomous agents with broad, semi-permanent permissions — on top of existing OAuth sprawl.
CISA (the U.S. Cybersecurity and Infrastructure Security Agency) has already responded at the federal level. Binding Operational Directive 25-01 mandates that all U.S. federal civilian agencies deploy SCuBA (Secure Cloud Business Applications) assessment tools and implement secure configuration baselines for Microsoft 365, with explicit targeting of misconfigured OAuth grants and third-party app permissions as leading risk vectors. The directive doesn't bind private companies, but it signals where regulators have concluded the industry's most underaddressed exposure lives. The broader market is responding: the NHI access management segment is projected to grow from USD 12.2 billion in 2026 to USD 38.8 billion by 2036, a 12.2% CAGR, per MarketsandMarkets estimates — a trajectory that reflects institutional recognition that OAuth sprawl has become a tier-one enterprise risk, not a configuration footnote.
Photo by Possessed Photography on Unsplash
The AI Angle
Every AI-powered productivity software tool or workflow automation platform your team connects to Google Workspace or Microsoft 365 creates another OAuth token in the background. Authorize an AI scheduling assistant to read your calendar, connect a business intelligence tool to your CRM, link a content generation app to your Google Drive — each integration leaves a persistent credential that doesn't expire when the trial ends, the subscription lapses, or the employee who set it up moves on.
Protego's NHI AI Agent Security analysis for 2026 documented that multi-stage attack campaigns like GTG-1002 now run 80 to 90% autonomously — exfiltrating data, creating new backdoor credentials, and modifying infrastructure with minimal human supervision on the attacker's side. The same team collaboration and AI automation tools that help lean teams move faster are simultaneously expanding the attack surface through credential proliferation. Two platforms that surfaced prominently in post-breach analysis of UNC6395 as reference architectures: AppOmni (SaaS security posture management with OAuth scope visibility) and Obsidian Security (identity threat detection for connected apps). The Hacker News, in its AppOmni-sourced coverage of the campaign, put it directly: "Trusting an app at the time of installation doesn't mean it stays trustworthy — OAuth grants need active, continuous monitoring rather than passive acceptance." That sentence is also the best saas tools procurement principle most small businesses have never been told.
How to Act on This — 3 Steps for Small Business and Remote Teams
For Google Workspace admins, navigate to admin.google.com → Security → API Controls → Manage Third-Party App Access. For Microsoft 365, check Azure Active Directory → Enterprise Applications → All Applications. Export the full list of connected apps and flag any with broad scopes like "read all files" or "send mail as user," particularly those your team hasn't actively used in the past 90 days — those are orphaned tokens. Platforms like BetterCloud and Nudge Security automate this process and alert on new OAuth grants in real time, which matters especially for remote teams where shadow IT (best saas tools and apps installed without central oversight) tends to accumulate quickly across departments.
Before any new workflow automation tool or team collaboration add-on gets connected to your core SaaS stack, require a quick review of the specific permissions it requests. If a note-taking productivity software tool asks for permission to delete files from Google Drive, that's a scope it doesn't need — and over-provisioned scopes become a liability if the vendor's own credentials are ever compromised upstream, as happened in the ShinyHunters and Gainsight cascade. Build a simple internal policy: every new third-party app integration must be reviewed by at least one person before authorization, and the permission scopes must be documented in a shared registry. This review takes ten minutes and removes a credential class that attackers specifically scan for.
OAuth tokens do not clean themselves up. Schedule a quarterly calendar event — similar in cadence to a password rotation cycle — where your IT lead or operations manager logs into each major platform (Google, Microsoft, Salesforce, Slack) and revokes access for any business tools or apps unused in the preceding 90 days. Critically: when an employee offboards, revoke their authorized third-party apps the same day you deactivate their account. Password resets and account suspension do not revoke OAuth grants — this is the exact gap UNC6395 exploited. For organizations relying on workflow automation to connect their stack, the human offboarding checklist and the machine-identity cleanup process must run in parallel, not sequentially.
Frequently Asked Questions
Does changing my password revoke the OAuth tokens connected to my Google or Microsoft account?
No — and this is the most consequential misconception the UNC6395 campaign exposed at scale. OAuth tokens operate independently of your login password. Changing credentials does not invalidate existing grants to third-party apps. The only way to revoke an OAuth token is to explicitly remove the connected app through your account's security settings or through an admin console. This is why the August 2025 campaign remained effective even after targeted organizations rotated their passwords in response to phishing alerts — the tokens the attackers held continued working regardless.
How do I find every third-party app connected to my Google Workspace or Microsoft 365 account right now?
For individual Google accounts, visit myaccount.google.com/permissions. Google Workspace admins have more granular controls via admin.google.com → Security → API Controls. For Microsoft 365 users, myapps.microsoft.com shows personal app connections; admins can use the Azure Active Directory portal under Enterprise Applications for org-wide visibility. Dedicated NHI management platforms — including AppOmni, Nudge Security, and BetterCloud — provide centralized dashboards aggregating OAuth grants across multiple SaaS tools simultaneously, which is particularly useful for remote teams managing 20 or more connected applications across different departments.
Is a small business at risk from OAuth token attacks if it's not using enterprise platforms like Salesforce?
Yes. UNC6395 targeted Salesforce specifically, but the underlying vulnerability exists across every major platform that supports third-party integrations: Google Workspace, Microsoft 365, Slack, HubSpot, Notion, and virtually every productivity software tool in common use by small teams. Small businesses often face proportionally higher risk because they typically lack dedicated IT oversight for SaaS sprawl. The 97% figure for NHIs carrying excessive privileges — from the Cyber Strategy Institute's 2026 NHI Reality Report — was not limited to enterprise environments. The scale differs; the structural vulnerability does not.
What exactly is a non-human identity (NHI) and why does it matter for team collaboration security?
An NHI (non-human identity) is any credential used by software rather than a person directly — OAuth tokens, API keys (codes that enable two apps to communicate), service accounts, and bot credentials all qualify. When your CRM syncs automatically with your email marketing tool, that connection runs on an NHI. When your workflow automation posts a Slack message after a form submission, that too runs on an NHI. The Cloud Security Alliance's 2026 research found that the average enterprise manages more than 250,000 of these, most without active monitoring. For small teams running 20 to 30 SaaS integrations, the count is smaller but the oversight gap is often proportionally larger because there's typically no dedicated function responsible for tracking them.
Are the best SaaS tools for NHI security realistically affordable for teams of under 50 people?
Dedicated NHI management platforms like AppOmni and Obsidian Security are primarily priced for mid-market and enterprise buyers. However, meaningful risk reduction is achievable at zero additional cost. Google Workspace and Microsoft 365 both offer OAuth auditing through existing admin consoles. The quarterly revocation cadence described above requires only admin access to platforms a team already pays for. Open-source SaaS audit scripts and browser-based OAuth review tools provide additional free visibility for technically inclined operators. As the NHI access management market scales toward USD 38.8 billion by 2036, lower-cost tooling designed specifically for SMBs will follow — but the audit and revocation discipline is available to any team today without a new budget line.
Disclaimer: This article is editorial commentary for informational purposes only and does not constitute legal or security advice. Tool features, pricing, and threat intelligence data may change. Always verify current details on official vendor and government agency websites.
Get NewsLens — All 19 Channels in One App
AI-powered news with action steps. Install free, works offline.
