In a recent cybersecurity incident, Google has confirmed that a data theft campaign targeting Salesforce customers through the Salesloft Drift integration also impacted a limited number of Google Workspace accounts. The campaign, active between August 8 and August 18, 2025, exploited compromised OAuth tokens associated with the third-party AI chatbot Salesloft Drift to extract substantial data from corporate Salesforce instances. The primary objective of the attackers, identified as threat actor UNC6395, was credential harvesting.
The attackers systematically searched for sensitive information, including AWS access keys, passwords, and Snowflake-related access tokens. On August 28, 2025, Google’s Threat Intelligence Group (GTIG) expanded the scope of the breach, revealing that the campaign also affected Google Workspace customers. Specifically, on August 9, 2025, the threat actor utilized compromised OAuth tokens for the ‘Drift Email’ integration to access emails from a very small number of Google Workspace accounts.
It’s important to note that only Workspace accounts configured to integrate with Salesloft were affected; attackers did not gain access to other accounts within the impacted customers’ Workspace domains. Upon discovering the breach, Google promptly revoked the OAuth tokens for the Drift Email application and disabled the Workspace integration with Salesloft Drift. All affected Google Workspace administrators have been notified, and Google has clarified that there was no compromise of Google Workspace or Alphabet’s internal systems.
In light of this incident, Google advises all organizations using Drift to review their third-party integrations, rotate credentials, and inspect connected systems for signs of compromise. The compromise extends beyond the Salesforce integration with Salesloft Drift, affecting other integrations as well. Therefore, all Salesloft Drift customers are urged to treat any authentication tokens stored in or connected to the Drift platform as potentially compromised.
Salesloft has communicated with customers managing their own Drift connections to third-party applications via API keys, advising them to revoke these keys and reconnect using new ones. This action should be performed directly within the third-party provider’s application. Salesloft has also shared indicators of compromise (IOCs) to assist organizations in detecting intrusions and is collaborating with Mandiant and Coalition to investigate and remediate the incident, ensuring the integrity of its platform.
The company is working with Salesforce and other third-party partners to restore Salesloft integrations as soon as possible.
