Every time employees connect AI tools, automation platforms, or productivity apps to services like Google or Microsoft, they leave behind something many organizations fail to track: long-lasting OAuth tokens.
These tokens often have no expiration, no automatic cleanup, and in many cases, no monitoring at all. Once issued, they can continue to provide access even after passwords are changed or employees leave the company.
Why OAuth Is a Growing Problem
OAuth was originally designed for limited, controlled integrations. But today, employees freely connect dozens of apps to corporate environments, especially with the rise of AI tools.
Each connection creates a persistent access token. These tokens:
- Don’t expire automatically
- Aren’t visible to most security tools
- Can bypass protections like multi-factor authentication
The issue isn’t a system flaw. It’s how OAuth was built. The real problem is that many security programs haven’t adapted to manage this at scale.
Security Teams Know, But Few Act
Recent research from Material Security shows a clear gap:
- 80% of security leaders see unmanaged OAuth access as a serious risk
- 45% of organizations don’t monitor these connections at all
- 33% rely on manual tracking like spreadsheets
Manual tracking offers little real protection. It often leaves organizations unaware of how much access third-party apps actually have.
Real-World Attack: The Drift Incident
The risk is no longer theoretical. A recent attack involving Drift, a sales platform later acquired by Salesloft, shows how dangerous OAuth tokens can be.
A threat group identified by Palo Alto Networks Unit 42 as UNC6395 obtained valid OAuth refresh tokens. These tokens allowed attackers to access Salesforce environments across hundreds of organizations.
More than 700 companies were affected, including major names like Cloudflare and PagerDuty.
The key detail:
- The app was legitimate
- The access was authorized
- No passwords were needed
Attackers simply reused valid tokens, completely bypassing login protections like MFA.
How Attackers Use OAuth Access
Once inside, attackers can:
- Export sensitive data
- Search for credentials like API keys and passwords
- Move across connected systems without triggering alerts
Because the activity appears as normal app behavior, traditional security tools often fail to detect it.
Why Current Defenses Fall Short
Most OAuth security tools focus on the moment an app is connected. They check permissions and vendor reputation.
But that’s not enough.
In real attacks, the danger often appears later, after:
- Credentials are stolen
- Apps are compromised
- Behavior changes unexpectedly
A one-time check cannot catch these evolving threats.
What Effective Protection Looks Like
To properly manage OAuth risks, organizations need:
- Continuous monitoring: track what connected apps are actually doing over time, not just what they were allowed to do
- Risk-based access evaluation: an app connected to a high-privilege account carries far greater risk
- Smart response actions: high-risk connections should be revoked immediately, while lower-risk cases can be reviewed
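The three requirements above, and the point in the previous section that a one-time check at connection time misses later behavior changes, can be turned into a small triage routine. The following is an added example written for this article, not code from the article or from Material Security's product. It assumes hypothetical scope names, constructed grant records and audit events (no real provider data), and illustrative score thresholds; a real deployment would feed it the identity provider's OAuth grant inventory and audit log.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical scope names, not a specific provider's identifiers; map your
# provider's high-impact scopes into this set.
HIGH_IMPACT_SCOPES = {"mail.readwrite", "files.readwrite.all", "directory.readwrite"}

@dataclass(frozen=True)
class Grant:
    """One OAuth authorization: the app a user connected and what it may do."""
    app: str
    user: str
    scopes: frozenset
    user_is_admin: bool
    expires_at: Optional[datetime]  # None models a token that never expires

@dataclass(frozen=True)
class AuditEvent:
    """One provider audit record: what an app did on a user's behalf."""
    app: str
    user: str
    ts: datetime
    action: str   # e.g. "mail.read", "files.export"
    objects: int  # number of objects touched

def daily_volumes(events, grant, start, end):
    """Average objects per day, per action, for one grant in [start, end)."""
    days = max((end - start).days, 1)
    totals = defaultdict(int)
    for e in events:
        if e.app == grant.app and e.user == grant.user and start <= e.ts < end:
            totals[e.action] += e.objects
    return {action: total / days for action, total in totals.items()}

def behaviour_changes(events, grant, now, window_days=7, history_days=30, factor=5.0):
    """Actions in the recent window that are new or exceed factor x their baseline."""
    window_start = now - timedelta(days=window_days)
    recent = daily_volumes(events, grant, window_start, now)
    baseline = daily_volumes(events, grant, window_start - timedelta(days=history_days), window_start)
    flagged = []
    for action, rate in sorted(recent.items()):
        prior = baseline.get(action)
        if prior is None:
            flagged.append(f"new action {action}")
        elif rate > factor * prior:
            flagged.append(f"{action} at {rate / prior:.0f}x baseline")
    return flagged

def score_grant(grant, events, now):
    """Combine permission analysis, account impact and observed behaviour."""
    score, reasons = 0, []
    risky = sorted(grant.scopes & HIGH_IMPACT_SCOPES)
    if risky:
        score += 2
        reasons.append("high-impact scopes: " + ", ".join(risky))
    if grant.expires_at is None:
        score += 1
        reasons.append("token never expires")
    if grant.user_is_admin:
        score += 3
        reasons.append("granted by a privileged account")
    changes = behaviour_changes(events, grant, now)
    if changes:
        score += 4
        reasons.append("behaviour change: " + "; ".join(changes))
    return score, reasons

def decide(score):
    """Map a score to the tiers the article describes: revoke, review, or leave alone."""
    return "revoke" if score >= 7 else "review" if score >= 4 else "allow"

def triage(grants, events, now):
    """Per app: (action, score, reasons)."""
    out = {}
    for g in grants:
        score, reasons = score_grant(g, events, now)
        out[g.app] = (decide(score), score, reasons)
    return out

# Constructed sample data, not real grants or audit logs.
NOW = datetime(2025, 6, 30)
GRANTS = [
    Grant("notes-ai", "alice", frozenset({"mail.readwrite", "files.readwrite.all"}), True, None),
    Grant("calendar-sync", "bob", frozenset({"calendar.read"}), False, None),
]
EVENTS = []
for _d in range(1, 38):  # 37 days of steady, low-volume use by both apps
    EVENTS.append(AuditEvent("notes-ai", "alice", NOW - timedelta(days=_d), "mail.read", 20))
    EVENTS.append(AuditEvent("calendar-sync", "bob", NOW - timedelta(days=_d), "calendar.read", 10))
for _d in range(1, 8):  # last 7 days: notes-ai suddenly starts bulk file exports
    EVENTS.append(AuditEvent("notes-ai", "alice", NOW - timedelta(days=_d), "files.export", 5000))

if __name__ == "__main__":
    for app, (action, score, reasons) in triage(GRANTS, EVENTS, NOW).items():
        print(f"{app}: {action} (score {score}); " + "; ".join(reasons))
```

Run as-is, the script flags notes-ai for revocation: its scopes and the admin account that granted it would already have scored it at connection time, but the decisive signal is the new bulk export action that only shows up when the last week of audit events is compared against the preceding month. calendar-sync, with the same non-expiring token but narrow scopes and unchanged behavior, is left alone. The weights and thresholds are deliberately simple; the structure (scope analysis plus account impact plus a rolling behavioral baseline feeding a tiered response) is the part worth keeping.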
A New Approach to OAuth Security
Solutions like Material Security’s OAuth Threat Remediation Agent aim to address this gap by combining:
- Permission and vendor analysis
- Real-time behavior monitoring
- Access impact assessment
This allows security teams to detect suspicious activity and act quickly before damage is done.
Final Takeaway
OAuth is now a core part of how modern apps connect to enterprise systems, especially as AI adoption grows. Limiting its use isn’t realistic.
Instead, organizations need better visibility, continuous monitoring, and faster response capabilities.
Without that, OAuth tokens can quietly become one of the easiest ways for attackers to gain and maintain access.