OAuth token theft through Salesloft and Drift exposed more than a billion customer records across major organizations including Google, Workday, TransUnion, and Allianz Life. Attackers never needed Salesforce credentials or user sessions. They simply replayed long-lived refresh tokens harvested from two upstream integration providers.

The compromise began with access to employee systems at Salesloft and Drift. Once inside, the attackers located persistent OAuth 2.0 refresh tokens stored as ordinary files or database entries. These tokens granted direct query access to connected Salesforce tenants. Because the tokens required no live authentication at the point of use, no Salesforce login events were generated and conventional monitoring produced no alerts.

How Reusable Integration Tokens Created the Supply-Chain Exposure

The decisive failure was architectural rather than a flaw in Salesforce login controls. Salesloft and Drift maintained extractable, long-lived secrets to synchronize data on behalf of their customers. When those secrets resided on standard employee workstations and administrative systems, any compromise of those environments immediately handed attackers portable access to every downstream tenant. Phishing and infostealer malware were sufficient to obtain the initial foothold; once the tokens were copied, the attackers could operate from entirely separate infrastructure.

This pattern repeats whenever authentication depends on portable credentials stored outside the originating identity provider. The tokens functioned as reusable keys that survived the original user session and bypassed every control tied to live login events.

Device-Bound Credentials Eliminate Extractable Secrets

MFA 2.0 replaces phishable factors with private keys generated and stored inside the endpoint’s secure element. The private key never leaves the device; during registration only the matching public key is sent to the identity provider. Each authentication signs a fresh challenge, producing a signature that cannot be screenshotted, replayed, or used from another machine.

In this incident, attackers would have required physical possession of the enrolled device plus the user’s biometric or PIN. Remote harvesting of files or tokens would have yielded nothing usable. MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography. It uses device-bound credentials with no central credential database and performs same-device authentication without requiring a second device. It is prevention-focused: the attack cannot occur because no extractable credentials exist to compromise. MFA 2.0 applies this model across the entire identity lifecycle, including registration, device onboarding, authorization, authentication, and decommissioning. It is not continuous authentication, behavioral monitoring, anomaly detection, session analysis, or risk-based authentication.

Extending Cryptographic Controls to Token Issuance

FIDO2 and passkeys address only the login step. They leave registration, device onboarding, and token issuance unchanged. MFA 2.0 extends public-key cryptography to token issuance itself, ensuring no extractable secret is ever created or stored on the integrating application. OAuth refresh tokens are replaced by short-lived, signed assertions that cannot be replayed without the originating device key.

Once plaintext tokens reside on compromised endpoints, detection tools can only observe the resulting data movement. The architectural change required is the elimination of reusable, portable credentials at the point of issuance. Keys are revoked at the identity provider the moment offboarding occurs, removing any risk of later abuse. Modern endpoints already contain the secure elements used by Apple Pay and Google Pay, so the approach requires no additional hardware.
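The three mechanisms described above (a key pair whose public half alone is registered, a fresh server-issued challenge signed per authentication, a short-lived signed assertion standing in for the refresh token, and revocation at offboarding) as one added Go example. This is illustrative code written for this page, not the vendor's MFA 2.0 implementation and not Salesforce, Salesloft or Drift code. It uses Ed25519 from the Go standard library; the device ID, the 30-second lifetime and the in-memory private key are assumptions (a real deployment keeps the key inside a secure element that exposes only a signing operation).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// Distinct rejection reasons, so each one can be alerted on separately.
var (
	ErrUnknownDevice = errors.New("device not registered, or key revoked at offboarding")
	ErrExpired       = errors.New("assertion expired")
	ErrReplay        = errors.New("challenge never issued or already consumed")
	ErrBadSignature  = errors.New("signature does not verify under the registered key")
)

// Device models an endpoint holding a key pair. In a real deployment the private key is
// generated in the secure element and cannot be read out; here it is in memory (illustrative).
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{ID: id, priv: priv}
}

// PublicKey is the only material that leaves the device during registration.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Assertion stands in for a bearer refresh token: one device, one server-issued
// challenge, and an expiry measured in seconds. Every field is under the signature.
type Assertion struct {
	DeviceID  string `json:"device_id"`
	Challenge string `json:"challenge"`
	ExpiresAt int64  `json:"exp"`
}

// SignAssertion signs the canonical JSON encoding; `now` is injected so callers can
// exercise expiry deterministically.
func (d *Device) SignAssertion(challenge string, now time.Time, ttl time.Duration) (Assertion, []byte) {
	a := Assertion{DeviceID: d.ID, Challenge: challenge, ExpiresAt: now.Add(ttl).Unix()}
	payload, _ := json.Marshal(a) // fixed struct of strings and ints; cannot fail
	return a, ed25519.Sign(d.priv, payload)
}

// IdentityProvider stores public keys only; a dump of this state yields nothing replayable.
type IdentityProvider struct {
	keys    map[string]ed25519.PublicKey
	pending map[string]bool // challenges issued but not yet consumed
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{keys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register is the onboarding step; Revoke is offboarding and takes effect on the next Verify.
func (idp *IdentityProvider) Register(id string, pub ed25519.PublicKey) { idp.keys[id] = pub }
func (idp *IdentityProvider) Revoke(id string)                          { delete(idp.keys, id) }

// Challenge issues a fresh random nonce that exactly one assertion may consume.
func (idp *IdentityProvider) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	idp.pending[c] = true
	return c
}

// Verify is what a token endpoint runs before minting a short-lived access token.
// The challenge is consumed only after every other check has passed.
func (idp *IdentityProvider) Verify(a Assertion, sig []byte) error {
	pub, ok := idp.keys[a.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if time.Now().Unix() >= a.ExpiresAt {
		return ErrExpired
	}
	if !idp.pending[a.Challenge] {
		return ErrReplay
	}
	payload, _ := json.Marshal(a)
	if !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	delete(idp.pending, a.Challenge)
	return nil
}
```

The point to notice is what a thief of the identity provider's state or of the endpoint's files would obtain: public keys, a table of unconsumed nonces and, at most, an assertion that stops verifying within seconds and after a single use. Copying any of it from one machine to another, the step that made the Salesloft and Drift tokens portable, produces a signature failure or a replay rejection rather than a working session.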

Salesforce passkeys alone would not have prevented the data extraction, because the tokens were harvested upstream before any Salesforce session was initiated. The decisive control is the removal of extractable secrets from the integration layer entirely.