Comprehensive Security Breach Exposes All Salesloft Drift Customer Authentication Tokens

In a significant cybersecurity development, Google has confirmed that the security breach involving the Salesloft Drift platform is more extensive than initially reported, potentially compromising all authentication tokens associated with the service. This revelation underscores the intricate security challenges posed by interconnected third-party applications and the cascading effects a single compromise can have across integrated systems.

Initial Discovery and Scope Expansion

The Google Threat Intelligence Group (GTIG) initiated an investigation after identifying a widespread data theft campaign orchestrated by a threat actor designated as UNC6395. Between August 8 and August 18, 2025, this actor exploited compromised OAuth tokens linked to the Salesloft Drift third-party application to systematically extract large volumes of data from numerous corporate Salesforce instances. The primary objective appeared to be the harvesting of sensitive credentials, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens from the exfiltrated data.

In response to these findings, Salesloft, in collaboration with Salesforce, took decisive action on August 20, 2025. They revoked all active access and refresh tokens for the Drift application and temporarily removed it from the Salesforce AppExchange. At that juncture, both companies believed the impact was confined to customers who had integrated Drift with Salesforce.

However, the investigation took a critical turn on August 28, 2025, when it was confirmed that the threat actor had also compromised OAuth tokens for the Drift Email integration. Evidence indicated that on August 9, 2025, the actor utilized these tokens to access emails from a select number of Google Workspace accounts specifically configured to integrate with Salesloft. Google has clarified that the actor could not have accessed any other accounts within a customer’s Workspace domain.

Google’s Response and Clarifications

In light of these new findings, Google acted swiftly to protect its customers. The company identified the impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift pending further investigation. All affected Google Workspace administrators are being notified directly.

A Google spokesperson emphasized, "To be clear, there has been no compromise of Google Workspace or Alphabet itself." This statement aims to reassure users that the core platforms remain secure and that the breach was limited to the compromised third-party application.

Implications for Interconnected Systems

This incident highlights the complex security challenges posed by interconnected third-party applications. While the breach did not originate from vulnerabilities within Google’s or Salesforce’s core platforms, it demonstrates how a compromise in one service can create a ripple effect across integrated systems. Organizations must recognize that the security of their data is only as strong as the weakest link in their integration chain.

Salesloft’s Ongoing Investigation

In response to the breach, Salesloft has engaged the cybersecurity firm Mandiant to assist in its ongoing investigation and has updated its security advisory. The company is committed to identifying the root cause of the breach and implementing measures to prevent future incidents.

Recommendations for Affected Organizations

Organizations using Salesloft Drift are strongly advised to take immediate defensive measures:

1. Review Third-Party Integrations: Conduct a thorough review of all third-party integrations connected to their Drift instance to identify potential vulnerabilities.

2. Revoke and Rotate Credentials: Revoke and rotate all associated credentials to mitigate the risk of unauthorized access.

3. Monitor for Unauthorized Access: Actively investigate all connected systems for any signs of unauthorized access or suspicious activity.

4. Enhance Security Protocols: Implement additional security measures, such as multi-factor authentication and regular security audits, to strengthen the organization’s overall security posture.
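Recommendations 2 and 3 hinge on knowing which secrets were actually sitting in the exported CRM data, because the campaign described above mined Salesforce records for AWS access keys, passwords and Snowflake tokens rather than attacking the platforms themselves. The following Python script is an added example written for this article; it is not code from Google, Salesloft, Salesforce or Mandiant. It scans a set of exported records for credential-like strings so that a team can build a rotation list. The AWS pattern relies on the documented format of long-term access key IDs ("AKIA" followed by 16 uppercase alphanumerics); the password and Snowflake patterns are heuristics chosen for this example, and the sample records are constructed with fake values.

```python
import re
from dataclasses import dataclass

# Constructed sample export: the kind of free-text CRM records (cases, notes)
# that the article says were mined for secrets. Every value here is fake.
SAMPLE_RECORDS = [
    {"id": "CASE-0001", "subject": "S3 upload failing",
     "body": "Our uploader uses AKIAEXAMPLE000000001 - please check IAM."},
    {"id": "CASE-0002", "subject": "VPN access",
     "body": "Temporary login for vendor: user=svc-bot password=Tr0ub4dor&3 until Friday."},
    {"id": "NOTE-0003", "subject": "Warehouse",
     "body": "Snowflake token: sfexample_token_ABCDEFGHIJ0123456789 for the analytics account."},
    {"id": "CASE-0004", "subject": "Billing",
     "body": "Customer asked about invoice 4411; no action needed."},
    # Longer alphanumeric run that merely contains "AKIA": must NOT be flagged.
    {"id": "NOTE-0005", "subject": "Order ref",
     "body": "Order ref AKIAEXAMPLE000000001X should be ignored."},
]

PATTERNS = {
    # AWS long-term access key ID: "AKIA" + 16 uppercase alphanumerics, bounded so
    # that it is not a fragment of a longer identifier.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])"),
    # Heuristic: "password = ..." / "pwd: ..." assignments in free text.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # Heuristic (assumption, Snowflake tokens have no fixed public format here):
    # a long token-like string shortly after the word "snowflake" and "token"/"key".
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?\b(?:token|key)\b\s*[:=]?\s*([A-Za-z0-9_\-]{20,})"),
}


@dataclass
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str   # never keep the full secret in the report


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it when rotating."""
    if len(secret) <= 6:
        return "****"
    return secret[:4] + "****" + secret[-2:]


def scan_records(records, id_field="id"):
    """Return one Finding per credential-like string found in any text field."""
    findings = []
    for rec in records:
        rid = rec.get(id_field, "<no id>")
        for field, value in rec.items():
            if field == id_field or not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(value):
                    # Patterns with a capture group return only the secret part.
                    secret = m.group(1) if m.lastindex else m.group(0)
                    findings.append(Finding(rid, field, kind, redact(secret)))
    return findings


def summarize(findings):
    """Count findings per credential type, for the rotation checklist."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.record_id:10} {f.field:8} {f.kind:20} {f.redacted}")
    print("summary:", summarize(results))
```

Run it against a real export by replacing SAMPLE_RECORDS with the rows of a Salesforce data export (one dict per record); every hit is a credential to rotate regardless of whether the export itself was confirmed stolen, since the revoked Drift tokens could read any object the integration was granted. The NOTE-0005 record shows why the AWS pattern is bounded with lookarounds: a bare "AKIA" substring inside a longer identifier is noise, not a key.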

Broader Context of OAuth Token Exploitation

The exploitation of OAuth tokens is not an isolated incident. Threat actors have increasingly targeted these tokens to gain unauthorized access to various platforms. For instance, the Mamba toolkit has been reported to abuse multi-factor authentication in sophisticated phishing attacks, demonstrating the evolving tactics of cybercriminals. Additionally, platforms like FlowerStorm have been identified as attacking Microsoft 365 users through phishing portals that mimic legitimate login pages to harvest credentials and multi-factor authentication tokens.

Conclusion

The comprehensive security breach involving Salesloft Drift underscores the critical importance of securing third-party integrations and the need for continuous monitoring of OAuth-enabled applications with access to sensitive corporate data repositories. Organizations must remain vigilant, proactively assess their security measures, and respond swiftly to potential threats to safeguard their data and maintain trust with their stakeholders.