One compromised Gmail token gave attackers a skeleton key to 10,000+ customer credentials — and it's the same OAuth playbook security teams keep underestimating.
On May 21, 2026, Composio, an agentic integration platform, disclosed a security incident in which attackers exfiltrated approximately 5,241 API keys and 5,001 GitHub OAuth tokens. The initial vector was a compromised Gmail OAuth token belonging to a Composio employee. This gave the attacker access to the employee’s inbox, enabling the attacker to intercept magic link sign-in emails and eventually reach production systems holding customer secrets.
Chain of attack
The attack followed a chain of lateral movement through Composio's internal systems. Here is what is known based on Composio's public disclosure:
Initial access
An attacker compromised a Gmail OAuth token belonging to a Composio employee, gaining access to that employee's Google Workspace account.
Magic link abuse
The attacker used that inbox access to authenticate into an agentic monitoring tool that watches for connectivity issues. This was done by abusing magic-link sign-in emails, a common passwordless authentication pattern in which a one-time login link is sent to a verified email address: whoever can read the inbox can follow the link.
Sandbox exploitation
Broad access permissions of the monitoring tool were abused to register malicious tool definitions in Composio's tool-execution sandbox, achieving arbitrary code execution.
Pivot to credential cache
From the sandbox, a path to an auxiliary credential cache was exploited, and the attacker was able to exfiltrate customer secrets from Composio’s infrastructure.
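The magic-link step above works because the emailed link is the whole credential. The following added example (not Composio's or Material's code) shows one way a service can keep an emailed link from being sufficient on its own: the link is single-use, expires quickly, and must be redeemed from the same browser that requested it, which holds a nonce in an HttpOnly cookie that is never emailed. The in-memory store and the injectable clock are assumptions for the sake of a self-contained example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TTL_SECONDS = 600  # a link read out of the inbox an hour later is already dead


class MagicLinkService:
    """Hypothetical magic-link issuer/verifier with session binding."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending = {}  # sha256(token) -> (email, browser_nonce, expires_at)

    def request_link(self, email: str):
        """Return (url_token, browser_nonce).

        url_token goes into the emailed link. browser_nonce is set as an
        HttpOnly cookie on the requesting browser only; it never appears in
        mail, so inbox access alone cannot complete the login.
        """
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, nonce, self._now() + TTL_SECONDS)
        return token, nonce

    def redeem(self, token: str, browser_nonce: Optional[str]) -> Optional[str]:
        """Return the signed-in email on success, None on any failure."""
        # pop() makes the token single-use: any attempt, good or bad, burns it
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, nonce, expires_at = entry
        if self._now() > expires_at:
            return None
        # The link must be opened where it was requested; a device that merely
        # read the email has no cookie and fails here.
        if browser_nonce is None or not hmac.compare_digest(nonce, browser_nonce):
            return None
        return email

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked store does not yield usable links
        return hashlib.sha256(token.encode()).hexdigest()
```

A failed redemption deliberately consumes the token, so the legitimate user must request a fresh link after an attacker's attempt, which is itself a useful signal to log.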
What was exposed and Composio’s response
Composio is an agentic integration platform — users connect third-party accounts like GitHub, Gmail, and Slack via OAuth so that Composio's agents can act on their behalf. Composio stores those OAuth tokens. When the attacker reached the credential cache, they got the keys to those third-party accounts.
According to Composio's disclosure, 5,001 GitHub OAuth tokens were compromised and revoked — by far the largest category. Twelve Gmail tokens were affected, along with a handful of tokens for Jira, Slack, HubSpot, Linear, Notion, and Google Calendar. Separately, 5,241 API keys were assessed as potentially compromised and revoked.
Initially, only directly affected customers were notified. Within two days, Composio escalated to mandating API key rotation for all customers and recommending that all end-users revoke their connected account tokens, signaling that the investigation was still uncovering the full scope. For API-key-type connections, Composio couldn't revoke on the customer's behalf; end-users had to go directly to the provider.
Composio has not disclosed what data the attacker actually accessed using the compromised tokens. But the risk is real: GitHub OAuth tokens can carry read and write access to private repositories, CI/CD workflows, and production infrastructure depending on the scopes granted.
The OAuth attack vector is accelerating
The Composio breach shares its core structure with the Vercel incident disclosed just one month earlier. In that case, attackers compromised a Google Workspace OAuth token from a third-party AI tool, used it to reach a Vercel employee's account, and pivoted from there toward customer data. We wrote about that breach when it happened, and the analysis holds here too.
Material has been sounding the alarm on this, because the data supports it. Our own research found that 45% of security teams are not actively managing OAuth app governance. A third rely entirely on manual processes. Of those who do have dedicated tooling, 67% still report elevated concern about their exposure. Awareness is high. Action is lagging.
The driving force behind the growth in OAuth connections is AI adoption. Composio itself is part of this wave: it exists to make it easy for developers to give AI agents OAuth access to apps at scale. The same trend that built Composio's business is what made this breach significant: AI tools connect to production environments via OAuth, and the volume of those connections is growing faster than most security programs can track.
What this means in practice
For security teams, the right question after a breach like this is not just "was that token in our environment?" The questions are: what was it authorized to do, what did it actually do, and what data was exposed?
Most teams can answer the first question. Fewer can answer the second. Almost none can answer the third without significant manual work.
Material's OAuth Remediation Agent is built for exactly this problem: continuous monitoring of OAuth connections across Google Workspace, behavioral detection at the activity layer rather than just the grant layer, and automated remediation when something surfaces, without requiring someone to be paged at 2 a.m. to revoke a token.
The acceleration of these types of attacks means that it’s past time to make sure you can effectively prevent, detect, and respond to OAuth compromise.