Google: Salesloft Drift breach hits all integrations
Google warns that Salesloft Drift OAuth breach affects all integrations, not just Salesforce. All tokens should be treated as compromised.
Google disclosed that the Salesloft Drift OAuth breach is broader than the Salesforce integration and affects every integration connected to the Drift platform. GTIG and Mandiant advise all Drift customers to treat any authentication token stored in or connected to Drift as compromised. On August 9, 2025, the attackers used stolen OAuth tokens for the Drift Email integration to read email from a small number of Google Workspace accounts. Google stressed that this was not a compromise of Workspace itself: only accounts explicitly configured to integrate with Salesloft were exposed, and the actor could not reach other accounts in a customer's Workspace domain.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” reads the update published by Google Threat Intelligence Group (GTIG).
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the “Drift Email” integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts. The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain.”
Google already notified impacted users and revoked Drift Email OAuth tokens, disabled its Workspace integration, and urged Salesloft Drift users to review integrations, rotate credentials, and check for breaches.
This week, Google Threat Intelligence Group (GTIG) and Mandiant researchers announced that they investigated a large-scale data theft campaign aimed at the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent.
The experts determined that the threat actor UNC6395 used OAuth tokens stolen via Salesloft Drift to export data from customer Salesforce instances between August 8 and 18, 2025, and then mined the exported data for credentials such as AWS access key IDs (which begin with the prefix AKIA) and Snowflake access tokens.
“Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.” reads the report published by GTIG. “The actor systematically exported large volumes of data from numerous corporate Salesforce instances.”
Because UNC6395 exported Salesforce data at scale, GTIG advises affected organizations to treat that data as compromised and to rotate any credentials it contained. The actor deleted its query jobs after running them to hinder detection; deleting a job does not remove the corresponding log records, so Google urges organizations to review their Salesforce logs, revoke exposed API keys, and rotate credentials in order to establish the extent of the compromise.
“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps.” recommends Google. “Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor.”
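As an added, illustrative example (not code from Google, Salesloft or Salesforce), the following Python script implements the search Google recommends above: it scans the free-text fields of exported Salesforce records for AWS access key IDs, AWS secret access keys and key=value style credentials, and reports each hit with the value redacted so that the scan output does not itself become a new secret store. The records are constructed for the example and the AWS values are the placeholder keys from AWS documentation, not live credentials; a real scan would run over a Bulk API export of the objects Salesloft named (Cases, Accounts, Users, Opportunities) and would add organisation-specific patterns.

```python
import re
from typing import Dict, List, Tuple

# Regexes for the credential types named in the advisories. Patterns are kept
# tight to limit false positives; extend them for your own secret formats.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # AWS access key ID: literal "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # AWS secret access key: a standalone 40-character base64-style run.
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    # key=value credentials pasted into free text (passwords, connector tokens,
    # e.g. a Snowflake connector's "password=" setting).
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|token|secret)\s*[:=]\s*(\S+)"
    ),
}

# Constructed sample records standing in for a Bulk API export of Case and
# Account objects (hypothetical IDs). The AWS values are the placeholder keys
# from AWS documentation; nothing here is a live credential.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"Id": "500xx0000000001", "Object": "Case",
     "Description": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE / "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500xx0000000002", "Object": "Case",
     "Description": "Snowflake connector: password=Sn0wflake!Pass2025 account=xy12345"},
    {"Id": "001xx0000000003", "Object": "Account",
     "Description": "Quarterly renewal discussion, nothing sensitive."},
    # Edge case: "AKIA" appears but never followed by 16 key characters.
    {"Id": "500xx0000000004", "Object": "Case",
     "Description": "AKIA is just the first four letters of AKIAKIAKIAKIAKIAKI here"},
]


def redact(value: str) -> str:
    """Keep only a short prefix/suffix so a finding can be traced without leaking it."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def find_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted_value) for every credential-looking match in text."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, redact(match.group(1))))
    return hits


def scan_records(records: List[Dict[str, str]],
                 text_fields: Tuple[str, ...] = ("Description", "Subject", "Comments")
                 ) -> List[Dict[str, str]]:
    """Scan the free-text fields of each exported record; one finding per hit."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        for field in text_fields:
            value = rec.get(field)
            if not value:
                continue
            for kind, redacted in find_secrets(value):
                findings.append({"Id": rec["Id"], "Object": rec["Object"],
                                 "Field": field, "kind": kind, "redacted": redacted})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        # Each line is a credential to revoke/rotate and a record to investigate.
        print(f"{f['Object']} {f['Id']} [{f['Field']}] {f['kind']}: {f['redacted']}")
```

Every reported value is a credential to revoke and rotate regardless of whether abuse has been confirmed, and the record ID tells you which Salesforce object to pull when reviewing the export and query logs for that record.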
Salesloft warned that hackers exploited OAuth credentials in the Drift app to steal Salesforce data (Cases, Accounts, Users, Opportunities). On August 20, 2025, it revoked all Drift–Salesforce connections, stressing that non-Salesforce users are unaffected. Admins are advised to re-authenticate Salesforce integrations, and impacted customers have been notified, though the full scale remains unclear.
“From August 8 to August 18, 2025, a threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances. All impacted customers have been notified.” reads the Drift/Salesforce Security Update published by Salesloft. “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration.”
Salesforce said only a small number of customers were affected due to a compromised app connection. Working with Salesloft, it revoked tokens, pulled Drift from AppExchange, and notified impacted users.
Salesloft states that it has no evidence of ongoing malicious activity related to this incident.
Salesloft and Salesforce are requiring admins to re-authenticate. A DFIR firm is assisting the investigation. Salesloft also shared indicators of compromise (IOCs).
(SecurityAffairs – hacking, Google)