Google Confirms Potential Compromise of All Salesloft Drift Customer Authentication Tokens

Google has confirmed that a security breach involving the Salesloft Drift platform is more extensive than initially reported, potentially compromising all authentication tokens connected to the service.

The new findings from the Google Threat Intelligence Group (GTIG) indicate that the incident, previously thought to be limited to Salesforce integrations, affects all third-party applications connected to Drift.

Google is now advising all Salesloft Drift customers to consider any and all authentication tokens stored in or linked to the Drift platform as potentially compromised and to take immediate remedial action.

The investigation into the breach began after GTIG identified a widespread data theft campaign conducted by a threat actor tracked as UNC6395.

OAuth Tokens Compromised

Between August 8 and August 18, 2025, the actor exploited compromised OAuth tokens associated with the Salesloft Drift third-party application to systematically export large volumes of data from numerous corporate Salesforce instances.

GTIG assesses that the primary motive was to harvest sensitive credentials, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens from the exfiltrated data.

In response to the initial discovery, Salesloft, in collaboration with Salesforce, took action on August 20, 2025. They revoked all active access and refresh tokens for the Drift application and temporarily removed it from the Salesforce AppExchange.

At the time, both companies believed the impact was contained to customers who integrated Drift with Salesforce.

However, the investigation took a critical turn on August 28, 2025, when it was confirmed that the threat actor had also compromised OAuth tokens for the “Drift Email” integration.

Evidence showed that on August 9, 2025, the actor used these tokens to access emails from a very small number of Google Workspace accounts that had been specifically configured to integrate with Salesloft. Google has clarified that the actor could not have accessed any other accounts within a customer’s Workspace domain.

“To be clear, there has been no compromise of Google Workspace or Alphabet itself,” a Google spokesperson stated.

In light of these new findings, Google has taken swift action to protect its customers. The company identified the impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift pending further investigation. All affected Google Workspace administrators are being notified directly.

The incident highlights the complex security challenges posed by interconnected third-party applications. While the breach did not stem from a vulnerability within the core platforms of Google or Salesforce, it demonstrates how a compromise in one service can create a ripple effect across integrated systems.

Salesloft has now engaged the cybersecurity firm Mandiant to assist in its ongoing investigation and has updated its security advisory.

Organizations using Salesloft Drift are strongly advised to take immediate defensive measures. Recommendations include conducting a thorough review of all third-party integrations connected to their Drift instance, revoking and rotating all associated credentials, and actively investigating all connected systems for any signs of unauthorized access or suspicious activity.
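As an added example (not code from Google, Salesloft or the advisory), the following Python scanner shows one way a defender can triage their own Salesforce export for the credential types named above, so that the rotation list is driven by what was actually sitting in the exfiltrated data. The AWS access key ID format is documented; the other regular expressions and the sample records are assumptions constructed here.

```python
import re

# Heuristic patterns for the credential types GTIG says UNC6395 harvested from
# exported Salesforce data. The AWS access key ID format (AKIA/ASIA + 16
# uppercase alphanumerics) is documented; the other three are assumptions that
# trade precision for recall, so every hit still needs human review.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[^\n=:]*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?(\S{6,})"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|key)\s*[=:]\s*['\"]?(\S{20,})"),
}


def redact(secret: str) -> str:
    """Keep just enough of a hit to locate it in the record; never log the value."""
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 12 else "***"


def scan_record(record_id: str, text: str) -> list[dict]:
    """Return one finding per credential-like string found in a record's text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append({"record": record_id, "kind": kind, "hint": redact(value)})
    return findings


def scan_export(records: dict[str, str]) -> list[dict]:
    """Scan every exported record; the result doubles as the rotation worklist."""
    out = []
    for record_id, text in records.items():
        out.extend(scan_record(record_id, text))
    return out


# Constructed sample records standing in for a Salesforce Case/Note export.
# The AWS values are the placeholder keys from AWS's own documentation.
SAMPLE_EXPORT = {
    "Case-0001": ("Customer pasted aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                  "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    "Case-0002": "Temporary login for onboarding: password=Winter2025! (please change)",
    "Note-0003": "Snowflake service account token = sf_tok_constructed_0123456789abcdef",
    "Case-0004": "Customer asked about renewal pricing for Q3.",
}

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real Bulk API or Data Export dump by loading the record bodies into the dictionary; hits are redacted so the report itself does not become another copy of the secrets.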

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.