Part 2: the “Approve” button got promoted to assembly line supervisor. 🎅🔑
Here’s the ugly scaling lesson from 2025: attackers don’t need 0-days when they can industrialize OAuth consent + token replay. The Salesloft/Drift incident showed it at scale: OAuth tokens issued to the Drift integration were stolen and replayed to access and exfiltrate data from Salesforce customer tenants (and a small number of Google Workspace accounts). No exploit, just someone else’s “Approve” click.
Meanwhile, real businesses ate real downtime. M&S put the hit to operating profit in the hundreds-of-millions range. That’s “board asks for a timeline… hourly” money.
If you want to stop the factory:
Treat Connected Apps like a supply chain: inventory every one, require a verified publisher, grant least-privilege scopes, and enforce IP restrictions so a stolen token can’t be replayed from anywhere.
Track token revoke/rotate MTTR the way you track P1 outages: clock starts at confirmed compromise, stops when the last token is dead.
Run edge appliances at KEV pace: isolate or patch in days, not quarters (or enjoy the factory-reset weekend).
Question: How many apps in your tenant can export “everything” today—and would you notice in 15 minutes or 15 days?
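To make the question answerable, here is an added example (mine, not code from the post or from AlphaHunt) that triages a constructed Connected-App inventory for “can export everything” risk and measures revoke MTTR against a 15-minute SLA. The scope names (`full`, `api`, `refresh_token`, `offline_access`), the app names, and the timestamps are assumptions and constructed sample data, not real tenant or incident records; map the scope vocabulary to your own SaaS/IdP.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Scope names that let a token read and bulk-export the whole tenant.
# Assumption: Salesforce-style names; map these to your own SaaS/IdP vocabulary.
BROAD_SCOPES = frozenset({"full", "api"})
# Scopes that let a token outlive the user's session (replayable for days).
PERSISTENT_SCOPES = frozenset({"refresh_token", "offline_access"})


@dataclass(frozen=True)
class ConnectedApp:
    name: str
    publisher_verified: bool
    scopes: frozenset
    ip_restricted: bool   # tokens only honoured from allow-listed IP ranges
    active_tokens: int    # live access/refresh tokens issued to this app


def triage(apps):
    """Return {app_name: [reasons]} for every app that can export everything."""
    findings = {}
    for app in apps:
        broad = app.scopes & BROAD_SCOPES
        if not broad:
            continue  # cannot bulk-read, so it is not an "export everything" app
        reasons = [f"broad scope {sorted(broad)}"]
        if app.scopes & PERSISTENT_SCOPES:
            reasons.append("long-lived token: refresh/offline access")
        if not app.ip_restricted:
            reasons.append("no IP restriction: stolen token replays from anywhere")
        if not app.publisher_verified:
            reasons.append("unverified publisher")
        if app.active_tokens == 0:
            reasons.append("no active tokens: remove the app rather than monitor it")
        findings[app.name] = reasons
    return findings


@dataclass(frozen=True)
class RevokeEvent:
    app: str
    detected_at: datetime   # when the token compromise was confirmed
    revoked_at: datetime    # when the last token for that app was invalidated


def revoke_mttr(events, sla_minutes=15):
    """Mean minutes from detection to full revoke, plus the apps that missed the SLA."""
    minutes = {e.app: (e.revoked_at - e.detected_at).total_seconds() / 60 for e in events}
    missed = sorted(app for app, m in minutes.items() if m > sla_minutes)
    return mean(minutes.values()), missed


# Constructed sample inventory (hypothetical apps, not real tenant data).
SAMPLE_APPS = [
    ConnectedApp("chat-sync-integration", True, frozenset({"api", "refresh_token"}), False, 40),
    ConnectedApp("bi-exporter", True, frozenset({"full", "refresh_token"}), True, 3),
    ConnectedApp("slack-notifier", True, frozenset({"chatter_api"}), False, 12),
    ConnectedApp("old-migration-tool", False, frozenset({"api"}), False, 0),
]

# Constructed revoke timeline (hypothetical, not real incident data).
SAMPLE_EVENTS = [
    RevokeEvent("chat-sync-integration", datetime(2025, 8, 20, 9, 0), datetime(2025, 8, 20, 9, 12)),
    RevokeEvent("bi-exporter", datetime(2025, 8, 20, 9, 0), datetime(2025, 8, 23, 9, 0)),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_APPS).items():
        print(f"{name}: " + "; ".join(reasons))
    avg, missed = revoke_mttr(SAMPLE_EVENTS)
    print(f"revoke MTTR {avg:.0f} min; missed 15-min SLA: {missed}")
```

Feed it the export from your tenant’s connected-app report instead of `SAMPLE_APPS` and the answer to “how many can export everything” becomes a number you can put in front of the board; the MTTR half shows why a single three-day revoke drags the average from minutes to days.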
Read / subscribe:
https://blog.alphahunt.io/zero-days-are-a-distraction-2025s-biggest-losses-were-stolen-tokens-oauth
#AlphaHunt #IdentitySecurity #OAuth #SaaSSecurity #IncidentResponse