Salesloft (Drift)

The Salesloft Drift breach expanded beyond initial estimates, revealing that attackers exploited stolen OAuth tokens not only to access Salesforce customer instances (including sensitive tables like *Cases, Accounts, Users, and Opportunities*) but also to compromise a small number of Google Workspace email accounts via the *Drift Email* integration. The threat actors, tracked as UNC6395, scanned support tickets and messages for AWS access keys, Snowflake tokens, and passwords, likely for future extortion or lateral movement into other cloud environments. Google confirmed the breach was broader than first disclosed, affecting third-party integrations beyond Salesforce. While no Google Workspace or Alphabet systems were directly compromised, the stolen tokens were revoked, and the Drift-Google Workspace integration was disabled pending investigation. Salesloft, with assistance from Mandiant and Coalition, disabled Drift integrations with Salesforce, Slack, and Pardot as a precaution. Customers were advised to rotate all authentication tokens linked to Drift and audit connected systems for unauthorized access. The incident highlights risks in OAuth-based supply chain attacks, where compromised third-party credentials enable deep access to enterprise systems, exposing customer data, internal communications, and cloud credentials to potential misuse in follow-on attacks.

Source: https://www.bleepingcomputer.com/news/security/google-warns-salesloft-breach-impacted-some-workspace-accounts/

TPRM report: https://www.rankiteo.com/company/drift

"id": "dri635082925",
"linkid": "drift",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Multiple (all Drift customers '
                                              'advised to rotate tokens)',
                        'industry': 'Sales Engagement/Marketing Technology',
                        'location': 'United States',
                        'name': 'Salesloft (Drift)',
                        'type': 'SaaS Provider'},
                       {'customers_affected': 'Very small number of accounts',
                        'name': 'Google Workspace Customers (limited)',
                        'type': 'Enterprise Users'},
                       {'name': 'Salesforce Customers (via Drift integration)',
                        'type': 'Enterprise Users'}],
 'attack_vector': ['Compromised OAuth Tokens',
                   'Third-Party Integration Exploitation'],
 'customer_advisories': ['Revoke/rotate all Drift-connected tokens',
                         'Investigate connected systems for unauthorized '
                         'access',
                         'Review third-party integrations for exposed '
                         'credentials'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': ['Potential (via '
                                                         'Salesforce/email '
                                                         'content)'],
                 'sensitivity_of_data': 'High (credentials, PII, '
                                        'business-sensitive data)',
                 'type_of_data_compromised': ['Salesforce Object Data (Cases, '
                                              'Accounts, Users, Opportunities)',
                                              'Cloud Credentials (AWS Keys, '
                                              'Snowflake Tokens)',
                                              'Email Content (limited Google '
                                              'Workspace accounts)',
                                              'Support Tickets/Messages']},
 'date_detected': '2024-08-09',
 'date_publicly_disclosed': '2024-08-26',
 'description': 'Google updated its advisory on the Salesloft Drift breach, '
                'revealing that attackers not only stole OAuth tokens to '
                'access Salesforce instances but also compromised tokens for '
                "the 'Drift Email' integration, granting access to a small "
                'number of Google Workspace email accounts. The campaign, '
                'tracked as UNC6395 by Mandiant, initially involved the theft '
                "of OAuth tokens for Salesloft's Drift AI chat integration "
                'with Salesforce, allowing attackers to query Salesforce '
                'objects (Cases, Accounts, Users, Opportunities) for sensitive '
                'data like AWS keys, Snowflake tokens, and passwords. The '
                'scope was later found to extend beyond Salesforce, with '
                'Google revoking compromised tokens, disabling the '
                'Drift-Google Workspace integration, and urging all Drift '
                'customers to treat all stored/authentication tokens as '
                'compromised. Salesloft has disabled Drift integrations with '
                'Salesforce, Slack, and Pardot pending investigation, with '
                'Mandiant and Coalition assisting in the response.',
 'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in '
                                        'Salesloft/Drift Security',
                                        'Google Workspace Association Risk'],
            'data_compromised': ['Salesforce Object Data (Cases, Accounts, '
                                 'Users, Opportunities)',
                                 'AWS Access Keys',
                                 'Snowflake Tokens',
                                 'Passwords',
                                 'Google Workspace Email Content (limited '
                                 'accounts)'],
            'identity_theft_risk': ['High (due to exposed AWS/Snowflake '
                                    'credentials and PII in Salesforce/email)'],
            'operational_impact': ['Disabled Integrations '
                                   '(Drift-Salesforce/Slack/Pardot/Google '
                                   'Workspace)',
                                   'Credential Rotation Requirements',
                                   'Investigation Overhead'],
            'systems_affected': ['Salesforce Instances',
                                 'Google Workspace Email Accounts (via Drift '
                                 'Email integration)',
                                 'Drift AI Chat Integration',
                                 'Slack Integrations (disabled)',
                                 'Pardot Integrations (disabled)']},
 'initial_access_broker': {'entry_point': 'Compromised OAuth Tokens '
                                          '(Drift-Salesforce/Google Workspace '
                                          'integrations)',
                           'high_value_targets': ['AWS Credentials',
                                                  'Snowflake Tokens',
                                                  'Salesforce Data',
                                                  'Google Workspace Emails']},
 'investigation_status': 'Ongoing (Mandiant/Coalition assisting)',
 'lessons_learned': ['OAuth token security requires stricter rotation and '
                     'monitoring',
                     'Third-party integrations introduce significant risk '
                     'vectors',
                     'Cross-platform credential exposure can escalate breaches',
                     'Proactive token revocation and customer communication '
                     'are critical'],
 'motivation': ['Data Exfiltration',
                'Future Extortion',
                'Cloud Account Compromise'],
 'post_incident_analysis': {'corrective_actions': ['Token revocation and '
                                                   'rotation enforcement',
                                                   'Integration security '
                                                   'reviews',
                                                   'Enhanced monitoring for '
                                                   'OAuth token usage'],
                            'root_causes': ['Insufficient OAuth token security '
                                            'controls',
                                            'Over-permissive third-party '
                                            'integrations',
                                            'Lack of real-time monitoring for '
                                            'token abuse']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Rotate all OAuth tokens connected to Drift',
                     'Audit all third-party integrations for exposed secrets',
                     'Implement least-privilege access for integrations',
                     'Monitor for unauthorized access in connected systems',
                     'Disable unused integrations',
                     'Enhance logging for OAuth token usage'],
 'references': [{'date_accessed': '2024-08-28',
                 'source': 'Google Threat Intelligence (Mandiant) Advisory'},
                {'date_accessed': '2024-08-28',
                 'source': 'Salesloft Advisory Update'}],
 'response': {'communication_strategy': ['Public Advisories (Google/Salesloft)',
                                         'Direct Customer Notifications',
                                         'Media Updates'],
              'containment_measures': ['Revoked Compromised OAuth Tokens',
                                       'Disabled Drift-Salesforce/Slack/Pardot '
                                       'Integrations',
                                       'Disabled Drift-Google Workspace '
                                       'Integration',
                                       'Credential Rotation Advisory'],
              'enhanced_monitoring': ['Recommended for all Drift-connected '
                                      'systems'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Token Revocation',
                                       'Integration Disablement',
                                       'Customer Notifications',
                                       'Third-Party Integration Audits'],
              'third_party_assistance': ['Mandiant (Google Threat '
                                         'Intelligence)',
                                         'Coalition']},
 'stakeholder_advisories': ['Google Workspace Customers',
                            'Salesloft Drift Customers',
                            'Salesforce Users with Drift Integrations'],
 'threat_actor': 'UNC6395 (tracked by Mandiant/Google Threat Intelligence)',
 'title': 'Expanded Salesloft Drift Breach Involving Google Workspace OAuth '
          'Token Compromise',
 'type': ['Data Breach',
          'Unauthorized Access',
          'Credential Theft',
          'OAuth Token Abuse'],
 'vulnerability_exploited': ['Weak OAuth Token Security',
                             'Insecure Third-Party Integration '
                             '(Drift-Salesforce/Google Workspace)']}