
OAuth Token Abuse in APIs: 30 Day Plan to Reduce Risk

Author
Rakuten India
September 16, 2025

One token. One export. One very expensive lesson.

Last month made OAuth token abuse feel personal. A single connected app turned API access into a quiet data pipeline from CRM and email. If a partner can call your APIs with their token, their posture becomes yours. This post gives you a 30-day plan to shrink that blast radius and prove progress with KPIs.

The Month That Was

Aug 8 to 18, 2025

Attackers used stolen Salesloft Drift OAuth tokens to export Salesforce data via API. Some organizations also saw access to Google Workspace accounts that were linked to the Drift integration. Salesforce blocked Drift on Aug 28, 2025. A separate disclosure confirmed customer case data taken from a Salesforce instance tied to the campaign.

Aug 26 to 27, 2025

NetScaler CVE-2025-7775 was confirmed as actively exploited. It is a pre-authentication flaw in the gateway path that can lead to unauthenticated remote code execution on vulnerable devices.

Aug 26, 2025

Docker Desktop CVE-2025-9074 let a container reach the Docker Engine API without authentication at an internal address such as 192.168.65.7:2375 and then pivot to the host. Any container could talk to the Engine over plain HTTP, so a couple of requests were enough to start a new container that mounts host drives and tampers with system files. On Windows, this translated into full read-write access to the C: drive and a clear path to administrator rights.

How This Affects the Business

Every one of these incidents touches revenue, compliance, brand, and engineering time.

Revenue and continuity: A gateway outage or a token-abusing app interrupts orders and breaks SLAs. Minutes of downtime become visible losses.

Compliance and legal: Unauthorized exports can trigger reporting, audits, and fines, especially when CRM or email systems are involved.

Trust and brand: Customers expect careful management of third-party access. Confidence fades when connected-app scopes are too broad.

Innovation cost: Incidents pull senior engineers away from product work into hotfixes and forensics. Progress slows while costs rise.


A 30-Day, ROI-First Plan with Clear Handoffs

Each block below builds on the last so that teams move in a straight line from containment to visible gains.

Days 1 to 7: Reduce the OAuth Token Blast Radius

  • Revoke and rotate access tokens and refresh tokens for third-party integrations.
  • Re-scope to least privilege and set short token TTLs. Remove "read all" and "export all" scopes unless there is a documented need.
  • Audit connected apps across CRM, email, support, and data platforms. Flag dormant apps, over-scoped permissions, and unmanaged service accounts.
  • Detect bulk export patterns in SOQL and GraphQL traffic, such as queries with no WHERE or LIMIT over whole objects, oversized page sizes, and rapid paging through a table. Add IP allow-lists, time-of-day rules, and per-scope rate limits.

Transition to Week 2: With token reach reduced and noisy apps contained, shore up the entry points attackers target next.

Days 8 to 14: Patch the Seams at the Edge and on Developer Endpoints

  • Harden the API edge. Patch NetScaler CVE-2025-7775, then verify virtual-server configuration, TLS, and full request and response logging.
  • Isolate developer endpoints. Update Docker Desktop to 4.44.3 or later, then test that containers cannot reach the Engine API. Enforce disk encryption, screen lock, and minimal local admin.
  • Turn on anomaly analytics. Watch for off-hours token use, IP drift, scope escalation, and spikes in bulk reads.
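
The week-one detections (bulk SOQL and GraphQL export patterns, IP allow-lists, time-of-day rules, per-scope rate limits) and the week-two anomaly analytics (off-hours token use, IP drift, scope escalation, spikes in bulk reads) reduce to a handful of rules over access-log records. The Python below is an added example for this post, not code from Rakuten or from any vendor named above. The per-app policy table, the thresholds, the log field names and the log lines are all constructed; the object names are Salesforce-style standard objects. Map the fields onto your own gateway or CRM event-log schema before using it.

```python
"""Detection rules for OAuth token abuse, run over API access-log records.

Added example for this post, not Rakuten's code. Field names, thresholds, the
per-app policy and the log lines below are constructed; map them onto your own
gateway or CRM event-log schema.
"""
import json
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# What each integration was approved to do (constructed policy for one app).
POLICY = {
    "drift-connector": {
        "allowed_ips": {"203.0.113.10", "203.0.113.11"},   # vendor egress IPs
        "scopes": {"api", "refresh_token"},               # scopes granted at consent time
        "hours_utc": (6, 22),                             # expected active window, UTC hours
        "rate_limit": {"api": 3},                         # max calls per scope per window
        "window_s": 60,
        "max_rows": 1000,                                 # rows per call before it looks like an export
    },
}

# Query shapes that read whole objects: SOQL with neither WHERE nor LIMIT over a
# sensitive object, or a GraphQL page size far above normal UI paging.
BULK_SOQL = re.compile(r"^\s*SELECT\b(?![\s\S]*\b(?:WHERE|LIMIT)\b)", re.I)
BULK_GRAPHQL = re.compile(r"\bfirst\s*:\s*(\d+)")
SENSITIVE_OBJECTS = ("Contact", "Lead", "Case", "Account", "Opportunity")

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def is_bulk_query(query, rows, max_rows):
    """True when the query shape or the returned row count looks like an export."""
    if rows > max_rows:
        return True
    if BULK_SOQL.search(query) and any(obj in query for obj in SENSITIVE_OBJECTS):
        return True
    m = BULK_GRAPHQL.search(query)
    return bool(m and int(m.group(1)) > max_rows)

def detect(records, policy=POLICY):
    """Return (rule, app, ts) alerts for records given in time order."""
    alerts = []
    windows = defaultdict(deque)          # (app, scope) -> call timestamps inside the window
    for r in records:
        app, ts, pol = r["app"], _ts(r["ts"]), policy.get(r["app"])
        if pol is None:                   # a token from an app nobody inventoried
            alerts.append(("unknown_app", app, r["ts"]))
            continue
        if r["ip"] not in pol["allowed_ips"]:
            alerts.append(("ip_drift", app, r["ts"]))
        start, end = pol["hours_utc"]
        if not start <= ts.hour < end:
            alerts.append(("off_hours", app, r["ts"]))
        if r["scope"] not in pol["scopes"]:
            alerts.append(("scope_escalation", app, r["ts"]))
        if is_bulk_query(r.get("query", ""), r.get("rows", 0), pol["max_rows"]):
            alerts.append(("bulk_export", app, r["ts"]))
        q = windows[(app, r["scope"])]    # sliding-window count per (app, scope)
        q.append(ts)
        while (ts - q[0]).total_seconds() > pol["window_s"]:
            q.popleft()
        limit = pol["rate_limit"].get(r["scope"])
        if limit is not None and len(q) > limit:
            alerts.append(("rate_limit", app, r["ts"]))
    return alerts

def summarize(alerts):
    """Alert counts per rule, the shape you would put on a dashboard."""
    return dict(Counter(rule for rule, _, _ in alerts))

# Constructed access log: one normal call, then a burst that shows every warning
# sign in the post (new IP, off-hours, scope jump, whole-object SOQL, rapid paging,
# an oversized GraphQL page) and finally a token from an app that is not inventoried.
SAMPLE_LOG = """
{"ts":"2025-08-11T09:15:00Z","app":"drift-connector","ip":"203.0.113.10","scope":"api","query":"SELECT Id, Name FROM Account WHERE LastModifiedDate = TODAY LIMIT 200","rows":37}
{"ts":"2025-08-12T02:41:00Z","app":"drift-connector","ip":"198.51.100.77","scope":"api","query":"SELECT Id, Email, Phone FROM Contact","rows":48000}
{"ts":"2025-08-12T02:41:05Z","app":"drift-connector","ip":"198.51.100.77","scope":"full","query":"SELECT Id, Subject, Description FROM Case","rows":12000}
{"ts":"2025-08-12T02:41:10Z","app":"drift-connector","ip":"198.51.100.77","scope":"api","query":"SELECT Id FROM Lead WHERE Email = 'a@example.com' LIMIT 1","rows":1}
{"ts":"2025-08-12T02:41:15Z","app":"drift-connector","ip":"198.51.100.77","scope":"api","query":"SELECT Id FROM Lead WHERE Email = 'b@example.com' LIMIT 1","rows":1}
{"ts":"2025-08-12T02:41:20Z","app":"drift-connector","ip":"198.51.100.77","scope":"api","query":"SELECT Id FROM Lead WHERE Email = 'c@example.com' LIMIT 1","rows":1}
{"ts":"2025-08-12T02:41:25Z","app":"drift-connector","ip":"198.51.100.77","scope":"api","query":"SELECT Id FROM Lead WHERE Email = 'd@example.com' LIMIT 1","rows":1}
{"ts":"2025-08-12T10:00:00Z","app":"drift-connector","ip":"203.0.113.10","scope":"api","query":"{ contacts(first: 5000) { id email } }","rows":800}
{"ts":"2025-08-12T10:05:00Z","app":"legacy-sync","ip":"203.0.113.10","scope":"api","query":"SELECT Id FROM Contact LIMIT 10","rows":10}
"""

def run_sample():
    records = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
    return detect(records)

if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
    print(summarize(run_sample()))
```

The rules are deliberately cheap: every one of them needs only the fields a gateway already logs (timestamp, client, source IP, scope, query text, row count), so they can run in the log pipeline before you have a full analytics platform. The per-scope window is what turns "rapid paging through a table with LIMIT 1" into a signal even though no single call looks like an export.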

Transition to Week 3: With edges and laptops patched, strengthen the supply chain so that code flowing into APIs is trustworthy.

Days 15 to 21: Secure the Pipeline from Supply Chain to API

  • Patch Git on workstations, CI builders, and bastions to fixed versions. Restrict risky submodule behavior. Enforce signed commits and verified provenance.
  • Clean up secrets. Rotate CI and CD variables and API keys. Scan repositories, tickets, and logs for leakage. Prefer short-lived or just-in-time credentials.
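
The "scan repositories, tickets, and logs for leakage" step is worth automating before you rotate anything, because a rotated key that is still sitting in a ticket export will leak again. The scanner below is an added example for this post, not Rakuten's tooling or any vendor's product. The service-specific patterns use the publicly documented token prefixes of AWS, GitHub and Slack; the generic rule flags any secret-looking assignment whose value is long and high-entropy, with thresholds that are assumptions tuned to skip placeholders. The sample input is constructed and the keys in it are placeholders, not real credentials.

```python
"""Scan text (repo checkouts, ticket exports, log dumps) for leaked credentials.

Added example for this post, not Rakuten's code. Service patterns follow the
public token prefixes of those services; the generic rule is length + entropy.
SAMPLE is a constructed input whose keys are placeholders.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}
# name = "value" where the name looks like a secret; the value is checked below.
ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|client[_-]?secret|refresh[_-]?token|secret|token|password|passwd)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{16,})"
)
MIN_LEN, MIN_ENTROPY = 24, 3.8   # assumption: skips "changeme"-style placeholders

def shannon_entropy(s):
    """Bits per character; random tokens land well above prose-like strings."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def redact(value):
    """Preview safe to paste into a ticket: prefix plus length, never the value."""
    return f"{value[:4]}...({len(value)} chars)"

def scan(text):
    """Return findings as dicts with kind, line number and a redacted preview."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"kind": kind, "line": no, "preview": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
                findings.append({"kind": "assigned_secret", "line": no, "preview": redact(value)})
    return findings

def kinds(text):
    """Finding counts per kind, for a quick before/after comparison."""
    return dict(Counter(f["kind"] for f in scan(text)))

# Constructed sample: a CI env file with real-looking keys, two placeholders that
# should NOT be flagged, and the first line of a committed private key.
SAMPLE = """\
# ci/deploy.env (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SLACK_WEBHOOK_TOKEN=xoxb-123456789012-abcdefghijklmnop
export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
client_secret = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"
password = "changeme_in_prod"
client_secret = "see_vault_path_below_for_value"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['preview']}")
    print(kinds(SAMPLE))
```

Run it over `git log -p`, exported tickets and a day of gateway logs, and treat every finding as "rotate, then remove", in that order. The redacted preview is the only thing that should leave the scanning host; a finding that carries the secret itself just creates a second copy to clean up.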

Transition to Week 4: Controls are in place. Now make progress visible and repeatable.

Days 22 to 30: Prove Progress with an API Trust Index

Report these KPIs to the board each week:

  • Percent of tokens rotated. Aim for 95 percent or higher for affected vendors.
  • Percent of connected apps re-scoped to least privilege. Aim for 90 percent or higher.
  • Anomalous API calls blocked, including bulk-export signatures and suspicious scope changes.
  • Mean time to revoke tokens, measured in hours.
  • Percent of developer endpoints patched, covering Docker Desktop and Git.
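
The week-one connected-app audit (flag dormant apps, over-scoped permissions and unmanaged service accounts) and this week's KPIs come from the same inventory, so it pays to compute both from one export. The Python below is an added example for this post, not Rakuten's API Trust Index implementation. The inventory schema, the set of "broad" scopes, the 90-day dormancy and one-hour TTL thresholds, the affected-vendor name and the sample apps are all constructed assumptions; export your real CRM, email, support and data-platform app registrations into this shape and the numbers fall out.

```python
"""Audit a connected-app inventory and roll it up into the post's API Trust Index.

Added example for this post, not Rakuten's code. Schema, thresholds, broad-scope
list and the sample apps are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

BROAD_SCOPES = {"full", "read_all", "export_all", "*"}   # "read all" / "export all" style grants
DORMANT_AFTER = timedelta(days=90)                        # assumption
MAX_TTL_S = 3600                                          # assumption: above one hour is long-lived

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit_app(app, now):
    """Findings for one connected app: dormant, over_scoped, unmanaged, long_ttl."""
    findings = []
    last = app.get("last_used")
    if last is None or now - _ts(last) > DORMANT_AFTER:
        findings.append("dormant")
    if set(app["scopes"]) & BROAD_SCOPES and not app.get("documented_need"):
        findings.append("over_scoped")        # broad scope with no documented need
    if not app.get("owner"):                  # nobody accountable = unmanaged service account
        findings.append("unmanaged")
    if app["token_ttl_s"] > MAX_TTL_S:
        findings.append("long_ttl")
    return findings

def trust_index(apps, now, affected_vendors):
    """The post's KPIs: % tokens rotated (affected vendors), % apps at least privilege, mean hours to revoke."""
    affected = [a for a in apps if a["vendor"] in affected_vendors]
    rotated = [a for a in affected if a.get("rotated_at")]
    flagged = {a["name"]: audit_app(a, now) for a in apps}
    least_priv = [n for n, f in flagged.items() if "over_scoped" not in f]
    hours = [
        (_ts(a["revoked_at"]) - _ts(a["revoke_requested_at"])).total_seconds() / 3600
        for a in apps if a.get("revoked_at") and a.get("revoke_requested_at")
    ]
    return {
        "pct_tokens_rotated": round(100 * len(rotated) / len(affected), 1) if affected else None,
        "pct_apps_least_privilege": round(100 * len(least_priv) / len(apps), 1),
        "mean_hours_to_revoke": round(sum(hours) / len(hours), 1) if hours else None,
        "apps_flagged": {n: f for n, f in flagged.items() if f},
    }

NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)

# Constructed inventory: two apps from the vendor under incident, three others.
SAMPLE_APPS = [
    {"name": "drift-connector", "vendor": "salesloft", "owner": "sales-ops",
     "scopes": ["api", "refresh_token", "full"], "documented_need": None,
     "last_used": "2025-08-18T07:00:00Z", "token_ttl_s": 7200,
     "rotated_at": "2025-08-21T10:00:00Z",
     "revoke_requested_at": "2025-08-20T09:00:00Z", "revoked_at": "2025-08-20T15:30:00Z"},
    {"name": "mailsync-bot", "vendor": "salesloft", "owner": None,
     "scopes": ["gmail.readonly"], "documented_need": None,
     "last_used": "2025-05-01T00:00:00Z", "token_ttl_s": 3600,
     "rotated_at": None,
     "revoke_requested_at": "2025-08-20T09:00:00Z", "revoked_at": "2025-08-21T08:30:00Z"},
    {"name": "support-exporter", "vendor": "acme", "owner": "support-eng",
     "scopes": ["export_all"], "documented_need": True,
     "last_used": "2025-09-10T12:00:00Z", "token_ttl_s": 900},
    {"name": "bi-loader", "vendor": "acme", "owner": "data-platform",
     "scopes": ["read_all"], "documented_need": None,
     "last_used": "2025-09-14T02:00:00Z", "token_ttl_s": 1800},
    {"name": "hr-connector", "vendor": "acme", "owner": "people-it",
     "scopes": ["employees.read"], "documented_need": None,
     "last_used": "2025-09-01T09:00:00Z", "token_ttl_s": 600},
]

if __name__ == "__main__":
    import json
    print(json.dumps(trust_index(SAMPLE_APPS, NOW, {"salesloft"}), indent=2))
```

Two design points. "Re-scoped to least privilege" is measured as "no broad scope without a documented need", so an export-all grant that a data-retention process genuinely requires does not count against the team; the requirement is the paper trail, not the absence of the scope. Mean time to revoke is measured from the revoke request, not from the vendor's disclosure, because the request timestamp is the one you control and can improve week over week.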

Add procurement guardrails to renewals and new buys. Ask vendors to document token storage, rotation SLAs, scope minimization, and event logging for any integration that touches core APIs.

FAQ

What is an OAuth blast radius and how do I reduce it?

It is the total harm a stolen or over-scoped token can cause across connected apps. Reduce it through least-privilege scopes, short TTLs, a full integration inventory, and detections for SOQL and GraphQL export patterns.

How do I check whether a container can reach the Docker Engine API?

From an unprivileged container, send a plain HTTP request (for example GET /version) to 192.168.65.7:2375 or to your local bridge gateway. If the Engine answers without any authentication, that host is exposed: update Docker Desktop to 4.44.3 or later, adjust isolation settings, and re-run the test to confirm the request now fails.
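
A concrete version of that check, also covering the week-two item "test that containers cannot reach the Engine API", as an added example (not Docker's or Rakuten's code). Run it from inside an ordinary, non-privileged container; it only issues GET /version, which is read-only, and reports exposed, unreachable or other for each candidate address. The 192.168.65.7:2375 address is the one from the FAQ above; the default bridge gateway and the host.docker.internal alias are assumptions added so the same script is useful on a Linux engine with a TCP listener, and the version strings in the self-test are constructed.

```python
"""Probe whether this container can reach the Docker Engine API without auth.

Added example for this post, not Docker's or Rakuten's code. Run it from an
unprivileged container, e.g.
    docker run --rm -i python:3-alpine python - < probe_engine.py
Exit status 1 means at least one candidate answered as an unauthenticated Engine.
"""
import http.client
import json
import sys

CANDIDATES = [
    ("192.168.65.7", 2375),          # Docker Desktop internal host address (from the post)
    ("172.17.0.1", 2375),            # default bridge gateway (assumption)
    ("host.docker.internal", 2375),  # Docker Desktop host alias (assumption)
]

def classify(status, body):
    """Turn an HTTP response to GET /version into a verdict.

    'exposed' -> the Engine answered with its version JSON, so no auth is required
    'other'   -> something answered on the port but it is not the Engine API
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return {"verdict": "other", "http_status": status}
    if status == 200 and isinstance(data, dict) and "ApiVersion" in data:
        return {"verdict": "exposed", "api_version": data["ApiVersion"],
                "engine": data.get("Version")}
    return {"verdict": "other", "http_status": status}

def probe(host, port, timeout=3.0):
    """GET /version on host:port; a vulnerable Desktop answers with no auth at all."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        status, body = resp.status, resp.read()
    except (OSError, http.client.HTTPException) as exc:
        # refused, timed out, unresolvable name: all count as "not reachable from here"
        return {"verdict": "unreachable", "error": type(exc).__name__}
    finally:
        conn.close()
    return classify(status, body)

def main(targets=CANDIDATES):
    exposed = False
    for host, port in targets:
        result = probe(host, port)
        print(f"{host}:{port} -> {result}")
        exposed = exposed or result["verdict"] == "exposed"
    return 1 if exposed else 0

if __name__ == "__main__":
    sys.exit(main())
```

Wire the exit status into the laptop baseline check you already run for disk encryption and screen lock: a non-zero result on a developer machine means the Docker Desktop update has not landed there yet, whatever the inventory says.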

What should I log at the API edge to spot abuse?

Enable full request and response logs, add correlation IDs, and set detection rules for export patterns. Patch CVE-2025-7775 first.

Which KPIs show real risk reduction to the board?

Use the API Trust Index. Track percent of tokens rotated, percent of apps re-scoped, anomalies blocked, mean time to revoke tokens, and percent of developer endpoints patched.

Get Expert Help

Find out what data and access your systems grant to third-party integrations on a quick 30-minute discovery call with security experts.

Book a slot today!
