Google has confirmed that the breach tied to Salesloft Drift is broader than initially believed, impacting more integrations than just Salesforce. The campaign, tracked by Google Threat Intelligence (Mandiant) as UNC6395, was first disclosed on August 26 after attackers stole OAuth tokens used for Drift’s AI chat integration with Salesforce. These tokens enabled unauthorized access to Salesforce instances, where attackers queried sensitive objects like Cases, Accounts, Users, and Opportunities.
From these queries, the attackers gained access to customer support tickets and internal messages, extracting secrets such as AWS access keys, Snowflake tokens, and plaintext passwords. This stolen data could be used to compromise additional cloud environments and potentially fuel future extortion campaigns.
In an update, Google revealed that attackers also obtained OAuth tokens from the Drift Email integration. On August 9, these were used to access email in a “very small number” of Google Workspace accounts directly tied to Drift. While Google emphasized that no other accounts or Alphabet systems were impacted, the discovery widens the breach’s scope significantly.
As a precaution, Google revoked all exposed tokens, disabled the Drift Email integration with Google Workspace, and notified affected customers. It is now advising all organizations using Drift to assume that every authentication token stored in or connected to the platform has been compromised. Organizations should revoke and rotate tokens, audit logs for suspicious activity, and reset any secrets exposed in Drift-linked integrations.
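One way to act on the "audit logs for suspicious activity" advice, as an added example that is not from the article or from Google, Salesloft or Salesforce: the script below flags any identity that reads several of the sensitive objects named above (Case, Account, User, Opportunity) inside a short window, which is the access pattern the article describes. The event format, the sample lines, the threshold and the window are constructed assumptions, not Salesforce's real log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Objects the article says the attackers queried.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}
WINDOW = timedelta(minutes=10)   # assumed: sliding window for correlation
MIN_OBJECTS = 3                  # assumed: distinct sensitive objects that trigger an alert

# Constructed sample events (timestamp, acting identity, SOQL text).
# This is a simplified format for illustration, not real Salesforce logs.
SAMPLE_EVENTS = """\
2025-08-10T02:01:10Z drift-integration@example.com SELECT Id,Subject,Description FROM Case LIMIT 2000
2025-08-10T02:02:30Z drift-integration@example.com SELECT Id,Name,Website FROM Account LIMIT 2000
2025-08-10T02:03:55Z drift-integration@example.com SELECT Id,Email,Username FROM User LIMIT 2000
2025-08-10T02:05:12Z drift-integration@example.com SELECT Id,Name,Amount FROM Opportunity LIMIT 2000
2025-08-10T09:15:00Z support-agent@example.com SELECT Id,Subject FROM Case WHERE Id='500xx0000001'
"""

FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def parse_event(line):
    """Split one constructed event into (timestamp, identity, queried object)."""
    ts, user, query = line.split(" ", 2)
    match = FROM_RE.search(query)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, (match.group(1) if match else None)


def find_bulk_readers(log_text, window=WINDOW, min_objects=MIN_OBJECTS):
    """Return {identity: sorted objects} for identities that queried at least
    `min_objects` distinct sensitive objects within one sliding `window`."""
    per_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, obj = parse_event(line)
        if obj in SENSITIVE_OBJECTS:
            per_user[user].append((ts, obj))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {obj for ts, obj in events[i:] if ts - start <= window}
            if len(seen) >= min_objects:
                flagged[user] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for user, objects in find_bulk_readers(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} read {objects} within {WINDOW}; revoke its token and review the session")
```

An integration account that normally serves single-record chat lookups should not be enumerating four sensitive objects in four minutes; when it does, revoking the OAuth token first and investigating afterwards matches the article's guidance.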
Salesloft has also responded by disabling Drift integrations with Salesforce, Slack, and Pardot while investigations continue. The company has engaged both Mandiant and Coalition to assist in assessing the scope and impact of the breach.
The Drift breach underscores the growing risk posed by OAuth token theft in modern SaaS ecosystems. Organizations across industries must adopt Zero Trust principles for integrations, rotate and monitor tokens regularly, and build security processes to detect token misuse before attackers can escalate access.