
Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain


A Day in the Life of a Security Defender

You are about to log off for the weekend when a high-severity alert flashes on your cloud security tool’s dashboard. A single, unfamiliar OAuth token is making hundreds of connections from three different IP addresses, two of which are flagged as belonging to an unknown VPN service.

The token belongs to a third-party application integrated with the company's Salesforce instance, a dormant integration nobody remembered was still authorized. A threat actor has stolen that OAuth token, used it to bypass traditional defenses such as MFA, and is now enumerating CRM accounts and exfiltrating sensitive data.

A pit forms in your stomach; you are experiencing a supply chain attack.

The incident is not just an internal issue. A lack of monitoring on the third-party integration's side exposed the vendor, and potentially every one of its customers, to a devastating, wide-reaching breach.

This underscores a threat landscape built on inconsistently managed integrations and tokens. Downstream customers of a third-party application can easily overlook dormant integrations, insecure token storage and long-lived tokens, and each of these is an opening for an attacker.

You immediately trigger the established playbooks to revoke the token and rotate the associated credentials. But because the compromise started at the third-party application, you never had full control over the elements that led to the attack now keeping you from logging out for the evening. The scenario is a stark reminder of how much of your security posture lives in the third-party supply chain.

Identity as a Critical Asset

The widespread adoption of cloud-native, API-driven architecture has made OAuth tokens a high-value target for threat actors. These tokens are the cornerstone of secure integration with third parties: in a cloud-centric world, nearly every service is integrated, often with third-party applications. As recent high-profile breaches such as the Salesloft Drift incident demonstrate, a single compromised token can have devastating consequences.

We believe the path forward lies not in better perimeter defenses alone but in treating every identity token as a critical asset that must be protected, monitored and frequently rotated. This includes not only API tokens but also open authorization (OAuth) access tokens and their associated refresh tokens. By applying a zero-trust approach to dynamic token management across our applications, cloud providers and identity providers, we can build a more resilient digital ecosystem that stands up to sophisticated threats.

The Problem: Compromised OAuth Tokens

[Image: a single OAuth token can be more dangerous than a stolen password.]

The 2025 Salesloft Drift incident serves as a critical case study in modern software as a service (SaaS) supply-chain risk. A threat actor, UNC6395, stole an OAuth token from the Salesloft Drift integration. Because the token represented an authorization that had already been granted, using it bypassed traditional defenses such as MFA, which is enforced at login rather than on every token use. This single compromised credential provided legitimate, persistent access to hundreds of customer Salesforce instances. From there, the threat actors exfiltrated sensitive data, including embedded credentials, which enabled them to pivot into other critical systems.

Our recent 2025 Unit 42 Global Incident Response Report named issues with the software supply chain as one of the threat landscape’s emerging trends. The report shared observations of identity and access management issues and highlighted how threat actors frequently use valid cloud accounts for initial access, privilege escalation and persistence.

The problem is hardly new.

When Trust is Broken: A Brief History of Token Misuse

Tokens are the invisible currency of trust in modern cloud environments. They let applications talk to each other, enable automation and keep workflows seamless. But when that trust isn’t managed carefully, tokens become one of the most dangerous tools in a threat actor’s toolbox. Over the last few years, we’ve seen three recurring patterns that show exactly why.

1. Dormant Integrations – Trust That Outlives Its Purpose

Think of an unused integration like an old key you left under the doormat. You may have forgotten it’s there, but threat actors can still use it. In 2022, GitHub disclosed that threat actors had compromised OAuth tokens issued to Heroku and Travis CI integrations. Many organizations weren’t actively using those integrations anymore, but the OAuth authorizations still lingered in their environments. By exploiting that forgotten trust, threat actors were able to access private GitHub repositories, download source code and potentially harvest secrets hidden inside.

Why It Matters

Every integration you keep alive, even if unused, extends your attack surface. A dormant integration doesn’t mean a harmless integration.

2. Insecure Token Storage – Keys Left in the Open

Tokens are only as strong as the places they’re kept. In 2023, CircleCI reported a breach where threat actors gained access to internal systems and exfiltrated customer OAuth tokens, environment variables and SSH keys. Many of these secrets were stored unencrypted in build environments, making them low-hanging fruit once the threat actors were inside.

The impact was serious. CircleCI had to instruct every customer to rotate all tokens and secrets immediately, acknowledging that no stored credential could be considered safe. For many organizations, this meant postponing business IT priorities to focus on resetting keys across GitHub, AWS and other platforms before threat actors could exploit them.

Why It Matters

Storing tokens without encryption or adequate isolation is like leaving the keys to every room on the front desk of a hotel. Once a bad actor is inside, they don’t need to break into individual rooms because a key to every room is there, out in the open, for the taking.

3. No Expiration or Rotation – Keys That Never Expire

Even if a token is well protected, leaving it valid indefinitely creates a problem waiting to happen. The 2024 Internet Archive breach illustrated this risk. Threat actors exploited GitLab tokens that had remained valid for 22 months. With no rotation or expiration, threat actors had nearly two years of undisturbed access, ultimately exfiltrating 7 TB of data.

Why It Matters

Tokens must have a lifecycle. Without rotation and expiration, threat actors can turn one compromise into a prolonged, large-scale breach.

OAuth Best Practices: Recommendations for Organizations

Managing OAuth tokens and third-party integrations isn’t just technical housekeeping. It’s a core part of protecting your business. Tokens represent trust. If they’re stolen, misused or left unmanaged, threat actors can impersonate your identities and systems with potentially costly financial and reputational impact. To reduce this risk, organizations should adopt three pillars of token security: posture management, secure storage and active monitoring.

1. Token Posture Management – Know What You Have and Control It

The first step is visibility. Organizations must track how many OAuth tokens, API keys and service account credentials they have in circulation. Without an inventory, there’s no way to know what’s still in use or what’s potentially exposing you to compromise. Additionally, the longer a token remains valid, the more dangerous it becomes if compromised. By controlling token lifetimes, organizations reduce the window of opportunity for threat actors.

  • Maintain an inventory: Build and maintain a clear, up-to-date catalog of all OAuth tokens and service credentials.
  • Remove dormant integrations: Conduct regular audits of third-party apps and revoke tokens for those no longer in use. Dormant integrations are forgotten backdoors.
  • Shorten token lifespans: Configure access tokens to expire quickly and limit refresh tokens wherever possible.
  • Rotate and expire regularly: Enforce policies requiring tokens to expire and be rotated on a schedule, just like passwords.
  • Build expiration into design: Treat token renewal as a deliberate, auditable action.
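The bullets above describe an audit policy. The following Python script, added here as an illustration and not code from the original post, runs that policy over a constructed inventory: it flags dormant and never-used grants, tokens with no expiry or a lifetime over the limit, and tokens overdue for rotation, and it lists the integrations to revoke outright. The record fields, the app names and the thresholds (90 days dormant, one-hour access tokens, 30-day refresh tokens, 90-day rotation) are assumptions; a real inventory would be pulled from the identity provider's and each SaaS platform's admin APIs.

```python
"""Token posture audit over a constructed OAuth-grant inventory.

Added example: the record fields, app names and thresholds are assumptions,
not a vendor schema. A real inventory comes from the identity provider's and
each SaaS platform's admin APIs.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
DORMANT_AFTER = timedelta(days=90)                # unused this long -> revoke
MAX_ACCESS_LIFETIME = timedelta(hours=1)          # access tokens should be short-lived
MAX_REFRESH_LIFETIME = timedelta(days=30)         # refresh tokens need a bound too
ROTATE_AFTER = timedelta(days=90)                 # force re-issue on a schedule

# Constructed sample inventory (not real data). lifetime_seconds=None means "never expires".
INVENTORY = [
    {"app": "crm-sync-bot", "token_type": "refresh", "issued": "2023-11-02T10:00:00Z",
     "last_used": "2024-01-15T08:12:00Z", "lifetime_seconds": None},
    {"app": "ci-deploy", "token_type": "access", "issued": "2025-08-31T12:00:00Z",
     "last_used": "2025-08-31T12:30:00Z", "lifetime_seconds": 3600},
    {"app": "legacy-chat-widget", "token_type": "refresh", "issued": "2025-01-10T09:00:00Z",
     "last_used": None, "lifetime_seconds": 365 * 86400},
    {"app": "analytics-export", "token_type": "access", "issued": "2025-08-20T00:00:00Z",
     "last_used": "2025-08-30T23:00:00Z", "lifetime_seconds": 7 * 86400},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z; None (never used) stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_token(rec, now=NOW):
    """Return the policy findings for one token record, in a fixed order."""
    findings = []
    last_used = parse_ts(rec["last_used"])
    if last_used is None:
        findings.append("never_used")
    elif now - last_used > DORMANT_AFTER:
        findings.append("dormant")

    lifetime = rec["lifetime_seconds"]
    if lifetime is None:
        findings.append("no_expiry")
    else:
        limit = MAX_ACCESS_LIFETIME if rec["token_type"] == "access" else MAX_REFRESH_LIFETIME
        if timedelta(seconds=lifetime) > limit:
            findings.append("long_lived_" + rec["token_type"])

    if now - parse_ts(rec["issued"]) > ROTATE_AFTER:
        findings.append("rotation_overdue")
    return findings


def audit_inventory(inventory, now=NOW):
    """Map each app to its findings; an empty list means the token is within policy."""
    return {rec["app"]: audit_token(rec, now) for rec in inventory}


def revocation_candidates(inventory, now=NOW):
    """Integrations to revoke outright: the token is dormant or was never used at all."""
    report = audit_inventory(inventory, now)
    return sorted(app for app, f in report.items() if "dormant" in f or "never_used" in f)


if __name__ == "__main__":
    for app, findings in audit_inventory(INVENTORY).items():
        print(f"{app:20} {', '.join(findings) or 'OK'}")
    print("revoke:", revocation_candidates(INVENTORY))
```

Running it against the constructed inventory flags crm-sync-bot (dormant, no expiry, overdue) and legacy-chat-widget (never used, year-long refresh token, overdue) for revocation, while analytics-export only needs its access-token lifetime tightened. The useful part in practice is the fixed `now`: rerunning the audit on a schedule with the real clock turns the policy into a recurring control rather than a one-off cleanup.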

2. Secure Token Storage – Protect the Keys Themselves

Tokens should be treated like encryption keys. They should never be left in plaintext and never be stored within source code or readable in logs. Vendors and internal teams must be able to demonstrate secure storage practices. If not, compromise is only a matter of time.

  • Enforce secure storage: Implement a secure secret management solution and strong token governance inside your organization. Require that all third-party vendors use proper secret management solutions and encryption for stored tokens.
  • Audit vendor and internal practices: Build secure token storage requirements into internal IT policy, vendor risk assessments and supply-chain security reviews.
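To make the two storage rules above (never in source code, never readable in logs) testable in code, here is an added example, not from the original post, with two pieces: a scanner that flags token material hardcoded in source or config, and a `logging` filter that fingerprints and redacts tokens before a handler writes them. The token-shape patterns, the constructed sample snippet and the 12-hex-character fingerprint length are assumptions, not an exhaustive secret-detection ruleset.

```python
"""Hardcoded-token scanner and log redaction filter.

Added example: the token-shape patterns and the sample snippet are assumptions
chosen to be illustrative, not an exhaustive secret-detection ruleset.
"""
import hashlib
import logging
import re

# Token shapes this example recognises (assumed, not exhaustive):
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")  # base64url header.payload.sig
BEARER_RE = re.compile(r"(?i)(bearer\s+)([A-Za-z0-9._~+/=-]{16,})")                  # Authorization headers
ASSIGN_RE = re.compile(                                                               # secret = "literal" in code/config
    r"(?i)\b(access_token|refresh_token|client_secret|api_key|token)\s*[:=]\s*(['\"])([^'\"<>]{16,})\2"
)

# Constructed sample source file; the literals are made up and are not real credentials.
SAMPLE_SOURCE = """\
import requests
# TODO move to the secret manager
API_KEY = "sk-constructed-example-0123456789"
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWV4YW1wbGUtbm90LXJlYWw"}
resp = requests.get(url, headers=headers)
"""


def fingerprint(token):
    """Short SHA-256 prefix: correlates a token across logs and inventory without storing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def _marker(token):
    return "<redacted:" + fingerprint(token) + ">"


def redact(text):
    """Replace token values with fingerprint markers; the log stays useful but not reusable."""
    text = BEARER_RE.sub(lambda m: m.group(1) + _marker(m.group(2)), text)
    text = ASSIGN_RE.sub(lambda m: m.group(0).replace(m.group(3), _marker(m.group(3))), text)
    text = JWT_RE.sub(lambda m: _marker(m.group(0)), text)
    return text


def scan_source(text):
    """Return (line_no, kind) for each line that appears to hold token material."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if ASSIGN_RE.search(line):
            hits.append((no, "assignment"))
        elif JWT_RE.search(line):
            hits.append((no, "jwt"))
        elif BEARER_RE.search(line):
            hits.append((no, "bearer"))
    return hits


class RedactingFilter(logging.Filter):
    """Scrubs token material from every record; attach it to each handler, not only the root logger."""

    def filter(self, record):
        # Format first so a token passed as a %s argument is still seen next to its context.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def render_redacted(msg, *args):
    """Push one message through the filter and return the line a handler would write."""
    record = logging.LogRecord("demo", logging.INFO, "demo.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    print("hardcoded secrets:", scan_source(SAMPLE_SOURCE))
    print(render_redacted("refreshing %s with Authorization: Bearer %s", "crm-sync-bot", "abcdefghijklmnop1234"))
```

The fingerprint is the design choice worth copying: a redacted log line still tells an investigator which token was involved (the same prefix shows up in the inventory), but the bytes needed to replay the token are gone. Run `scan_source` in CI over the repository and over rendered configuration, and wire `RedactingFilter` onto every handler, since handlers are where propagated records from child loggers are actually written.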

3. Runtime Monitoring and Detection – Watch for Abuse and Act Fast

Even with good hygiene, breaches still happen, so monitoring and rapid response are required. Being able to determine when a token has been compromised is essential: once a token is stolen, every minute of the response counts toward containing the impact.

  • Centralize logging: Capture OAuth and API authentication events from all providers and integrations in one place.
  • Use IAM security tools: Implement platforms with built-in anomaly detection for token-based access.
  • Detect and revoke quickly: Monitor for unusual activity such as mass data exports or unexpected geographic access and have playbooks ready to immediately revoke and rotate compromised tokens.
  • Practice breach drills: Ensure security teams know how to execute revocations across multiple systems under time pressure.
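The opening scenario and the bullets above describe the detection in words; this added example (not from the original post) implements it in Python over a constructed one-hour slice of JSON-lines API audit events: one token fanning out across three source IPs, two of them in a range flagged as a VPN exit, firing hundreds of queries and exporting far beyond the baseline, next to a normal integration doing small syncs. The event schema, the VPN range (TEST-NET addresses), the app and token names and the thresholds are assumptions; in production the VPN ranges come from a threat-intelligence feed and the thresholds from your own baseline.

```python
"""Per-token anomaly detection over a constructed slice of API audit events.

Added example: the event schema, the VPN range, the names and the thresholds
are assumptions, not a vendor format or recommended tuning.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: egress ranges a threat-intel feed flags as anonymising VPN exits (TEST-NET used here).
VPN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Per-token thresholds for a one-hour log slice (assumed tuning; set from your own baseline).
THRESHOLDS = {"distinct_ips": 3, "requests": 100, "rows_exported": 100_000}


def is_vpn(ip):
    """True if the source address falls inside a flagged VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_NETWORKS)


def constructed_log():
    """One hour of JSON-lines API audit events; constructed, not vendor telemetry."""
    base = datetime(2025, 8, 29, 17, 0, tzinfo=timezone.utc)
    suspect_ips = ["203.0.113.7", "198.51.100.23", "198.51.100.88"]  # last two are in the VPN range
    lines = []
    for i in range(300):  # hundreds of queries from a dormant integration's token, rotating IPs
        lines.append(json.dumps({"ts": (base + timedelta(seconds=10 * i)).isoformat(),
                                 "token_id": "tok_a1", "app": "legacy-chat-widget",
                                 "src_ip": suspect_ips[i % 3], "action": "query", "rows": 500}))
    for i in range(20):  # baseline: an active integration doing small syncs from one corporate IP
        lines.append(json.dumps({"ts": (base + timedelta(minutes=3 * i)).isoformat(),
                                 "token_id": "tok_b2", "app": "crm-sync-bot",
                                 "src_ip": "203.0.113.9", "action": "query", "rows": 50}))
    return "\n".join(lines)


def parse_log(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def analyze(events):
    """Aggregate per token and return only the tokens that trip at least one rule."""
    stats = defaultdict(lambda: {"app": None, "ips": set(), "requests": 0, "rows": 0})
    for e in events:
        s = stats[e["token_id"]]
        s["app"] = e["app"]
        s["ips"].add(e["src_ip"])
        s["requests"] += 1
        s["rows"] += e.get("rows", 0)

    findings = {}
    for token_id, s in stats.items():
        reasons = []
        if len(s["ips"]) >= THRESHOLDS["distinct_ips"]:
            reasons.append("multi_ip")            # one token, many source addresses
        vpn_ips = sorted(ip for ip in s["ips"] if is_vpn(ip))
        if vpn_ips:
            reasons.append("vpn_egress")          # unexpected geographic / anonymised access
        if s["requests"] >= THRESHOLDS["requests"]:
            reasons.append("request_burst")       # enumeration-style activity
        if s["rows"] >= THRESHOLDS["rows_exported"]:
            reasons.append("mass_export")         # bulk data leaving the CRM
        if reasons:
            findings[token_id] = {"app": s["app"], "reasons": reasons, "ips": sorted(s["ips"]),
                                  "vpn_ips": vpn_ips, "requests": s["requests"], "rows": s["rows"]}
    return findings


if __name__ == "__main__":
    for token_id, f in analyze(parse_log(constructed_log())).items():
        print(f"REVOKE {token_id} ({f['app']}): {', '.join(f['reasons'])}; ips={f['ips']} rows={f['rows']}")
```

Only `tok_a1` is reported, with all four reasons; `tok_b2` stays quiet because one IP and a thousand rows is ordinary for a sync job. Keying the aggregation on the token rather than the user is the point: the actor in the scenario never logged in, so user-centric alerting sees nothing, while the token-centric view shows the fan-out immediately and gives the revocation playbook the exact identifier to act on.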

The Way Forward

As the opening scenario illustrates, a single compromised OAuth token is a dangerous vulnerability in its own right.

The breaches we've examined, from dormant OAuth integrations on GitHub to insecure token storage at CircleCI and long-lived credentials at the Internet Archive, all point to a shared problem: Token and integration management remains an industry-wide weak spot.

To reduce these risks, every organization must raise its baseline:

  • Secure tokens like credentials
  • Demand higher standards from vendors
  • Enforce integration hygiene
  • Improve monitoring
  • Treat token compromises as if they were a supply chain threat

In recognition of these widespread risks, Palo Alto Networks is aggressively strengthening our own token posture management and hygiene to secure the lifecycle of these critical credentials.

Current industry frameworks already offer effective guidance for some of these risks; the gap lies in enforcing that guidance and building on it. Organizations can also take the lead internally by creating security operational materials, such as manual and automated playbooks, and by enforcing policy around third-party OAuth governance and integration hygiene.
