Incident response

Active engagement · INC-4471.

Token theft via OAuth misconfiguration on the Salesforce surface. Cross-region containment in progress.

Critical · active

Token theft via OAuth misconfig — Salesforce surface

INC-4471 · Declared 12m ago · Commander · P. Devereux

Detect (01) · Triage (02) · Contain (03) · Eradicate (04) · Recover (05)

critical · INC-4471

Token theft via OAuth misconfig — Salesforce surface

Containment 76%

Started 12m ago

high · INC-4468

Suspicious model inference at fraud-scoring endpoint

Containment 92%

Started 1h 02m ago

high · INC-4462

Credential stuffing campaign · 4 ASN clusters

Containment 100%

Started 2h 47m ago

Engagement timeline

  1. 00:00 · Auto-detect

    Anomalous OAuth scope grant detected on Salesforce surface

  2. 00:42 · Lens-Q

    Correlated with prior credential reuse from same IP block

  3. 01:38 · P. Devereux

    Declared INC-4471 · severity raised to Critical

  4. 02:04 · Auto-action

    Revoked 14 active tokens, forced re-auth for 312 sessions

  5. 04:11 · L. Okonkwo

    Forensic snapshot captured · 4.2 GB

  6. 07:55 · Comms

    Stakeholder brief distributed · exec, legal, GRC

  7. 11:42 · P. Devereux

    Containment verified across all impacted regions

Stakeholders

  • P. Devereux

    IR Lead · Commander

    Online
  • A. Volkov

    SOC Director

    Online
  • M. Carrasco

    Legal · Privacy

    Paged
  • E. Whitfield

    CISO · Sponsor

    Online
  • J. Saito

    Customer Success

    Notified

Comms log

  • Exec brief · 08:12

    Initial impact summary sent

  • Status page · 08:24

    Investigating · degraded auth flows

  • GRC · 09:05

    Reg notification window started · 72h

  • Customers (T1) · 10:18

    Direct notice · 47 enterprise accounts