Google Alerts: Salesloft OAuth Breach Extends Beyond Salesforce, Affecting All Integrations

Google has disclosed that the recent cyberattacks targeting Salesforce instances via Salesloft’s Drift integration are broader in scope than initially believed and affect all associated integrations.

The Google Threat Intelligence Group (GTIG) and cybersecurity firm Mandiant have jointly advised all Salesloft Drift users to treat any authentication tokens stored in or linked to the Drift platform as potentially compromised. This advisory follows the discovery that attackers used stolen OAuth tokens to access emails from a limited number of Google Workspace accounts on August 9, 2025. The access was made through compromised OAuth tokens associated with the Drift Email integration. The incident does not signify a compromise of Google Workspace or its parent company, Alphabet.

Google emphasized that only accounts specifically configured to integrate with Salesloft were potentially accessed. The malicious actors would not have been able to infiltrate other accounts within a customer’s Workspace domain.

In response to these findings, Google has taken several measures:

– User Notifications: Impacted users have been informed about the breach.

– Revocation of OAuth Tokens: The specific OAuth tokens granted to the Drift Email application have been revoked.

– Disabling Integration Functionality: The integration between Google Workspace and Salesloft Drift has been disabled to prevent further unauthorized access.

Organizations utilizing Salesloft Drift are urged to:

– Review Third-Party Integrations: Examine all third-party integrations connected to their Drift instance.

– Revoke and Rotate Credentials: Revoke and update the credentials for these applications.

– Investigate for Unauthorized Access: Scrutinize all connected systems for any signs of unauthorized access or data breaches.

This expanded understanding of the attack’s reach comes shortly after Google exposed a widespread data theft campaign in which threat actors, identified as the emerging cluster UNC6395, used compromised OAuth tokens linked to Salesloft Drift to target Salesforce instances between August 8 and 18, 2025.

In light of these developments, Salesloft has announced that Salesforce has temporarily disabled the Drift integration between Salesforce, Slack, and Pardot. Subsequently, Salesforce decided to temporarily disable all Salesloft integrations with Salesforce.

Salesloft stated that, based on current investigations, there is no evidence of malicious activity in the Salesloft integrations related to the Drift incident. Additionally, there are no indications that the Salesloft integrations are compromised or at risk at this time.