Salesloft, a sales engagement platform, suffered a breach where unknown attackers exploited compromised security tokens linked to its **Drift AI chat agent** to gain unauthorized access to **Google Workspace email accounts**. Initially believed to be limited to **Salesforce integrations**, the scope expanded after Google’s Threat Intelligence Group (GTIG) discovered broader compromise, affecting **all authentication tokens stored in or connected to the Drift platform**. Google responded by revoking the compromised tokens, disabling the Salesloft Drift integration with Workspace, and notifying affected users. The breach exposed sensitive communications and potentially confidential data within Workspace accounts, though the exact extent of data exfiltration remains undisclosed. Salesloft’s public guidance lagged behind Google’s findings, raising concerns about transparency and the full impact on customers relying on the platform for sales operations and customer interactions.
TPRM report: https://www.rankiteo.com/company/drift
"id": "dri911083025",
"linkid": "drift",
"type": "Breach",
"date": "8/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'All Salesloft Drift users with '
'Workspace integrations',
'industry': 'Cloud Computing / SaaS',
'location': 'Global',
'name': 'Google (Workspace Users)',
'size': 'Large Enterprise',
'type': 'Technology Company'},
{'customers_affected': 'All Drift AI chat agent users '
'(initially reported as '
'Salesforce integrations, later '
'expanded to all integrations)',
'industry': 'Sales Engagement / AI Chat Platforms',
'location': 'Global',
'name': 'Salesloft',
'size': 'Mid-to-Large Enterprise',
'type': 'Technology Company'}],
'attack_vector': ['Compromised Security Tokens',
'Third-Party Integration Exploitation'],
'customer_advisories': ['Google notified all affected Workspace account '
'holders',
'Salesloft advised customers to treat all '
'Drift-connected tokens as compromised'],
'data_breach': {'sensitivity_of_data': ['High (Authentication Credentials, '
'Email Access)'],
'type_of_data_compromised': ['Authentication Tokens',
'Email Access (via Google '
'Workspace)']},
'date_publicly_disclosed': '2023-11-09T00:00:00Z',
'description': 'Google is advising users of the Salesloft Drift AI chat agent '
'to consider all security tokens connected to the platform '
'compromised following the discovery that unknown attackers '
'used some of the credentials to access email from Google '
'Workspace accounts. The breach was initially thought to be '
'limited to Salesloft Drift integrations with Salesforce but '
'was later found to be broader, impacting other integrations '
'as well. Google has revoked the compromised tokens, disabled '
'the integration between Salesloft Drift and all Workspace '
'accounts, and notified affected users.',
'impact': {'brand_reputation_impact': ['Potential Loss of Trust in Salesloft '
'Drift and Google Workspace Security'],
'data_compromised': ['Email Access via Google Workspace Accounts'],
'operational_impact': ['Revocation of Security Tokens',
'Disabling of Salesloft Drift Integration '
'with Workspace'],
'systems_affected': ['Google Workspace Accounts',
'Salesloft Drift AI Chat Agent Integrations']},
'initial_access_broker': {'entry_point': ['Compromised Salesloft Drift '
'security tokens'],
'high_value_targets': ['Google Workspace email '
'accounts']},
'investigation_status': 'Ongoing',
'recommendations': ['Treat all authentication tokens stored in or connected '
'to the Salesloft Drift platform as potentially '
'compromised',
'Review and audit third-party integrations for security '
'vulnerabilities',
'Monitor for unauthorized access to connected systems'],
'references': [{'date_accessed': '2023-11-09',
'source': 'Google Threat Intelligence Group (GTIG) Advisory'},
{'date_accessed': '2023-11-09',
'source': 'Salesloft Security Guidance Page'}],
'response': {'communication_strategy': ['Advisory updates to users',
'Notifications to affected account '
'holders'],
'containment_measures': ['Revoked compromised security tokens',
'Disabled Salesloft Drift integration '
'with all Google Workspace accounts'],
'incident_response_plan_activated': True},
'stakeholder_advisories': ['Google advisory update (November 9, 2023) '
'expanding scope of compromise'],
'threat_actor': 'Unknown',
'title': 'Compromise of Salesloft Drift AI Chat Agent Security Tokens '
'Affecting Google Workspace Accounts',
'type': ['Data Breach', 'Credential Compromise', 'Unauthorized Access']}