Google Workspace (via Drift integration)

In early August, threat actors used stolen Drift Email OAuth tokens to access a limited number of Google Workspace mailboxes that had explicitly integrated with Drift. The same group had previously compromised Salesforce through similar OAuth token abuse. Google revoked the tokens and disabled the Drift integration on August 9, but the incident highlighted the risk posed by third-party app delegations and token-based attacks. The breach did not involve direct compromise of Google's systems; instead it leveraged trusted OAuth integrations to bypass traditional security controls such as MFA and identity hardening. While no large-scale data exfiltration was confirmed, the attack exposed weaknesses in SaaS app graphs, where legitimately granted API permissions become attack vectors. Customers responded by mapping Drift connections, rotating keys, and pruning access, but the incident underscored the need for content-level protections (e.g., message-level MFA) to mitigate token misuse. The attack aligns with a broader trend of token-theft campaigns (e.g., Snowflake, Salesforce) in which actors use valid credentials to query high-value data at scale. Google's rapid response limited dwell time, but the incident reinforced that perimeter defenses alone are insufficient against supply-chain risks in cloud workspaces.

Source: https://www.bleepingcomputer.com/news/security/defend-the-target-not-just-the-door-a-modern-plan-for-google-workspace/

TPRM report: https://www.rankiteo.com/company/gsuiteapps

{
"id": "gsu4492644100825",
"linkid": "gsuiteapps",
"type": "Breach",
"date": "8/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': 'Limited number of mailboxes '
                                              'with Drift integration',
                        'industry': ['Technology',
                                     'Multiple Industries (via Google '
                                     'Workspace)'],
                        'location': 'Global',
                        'name': 'Google Workspace Customers',
                        'type': 'Enterprise'},
                       {'industry': 'Customer Engagement/Conversational '
                                    'Marketing',
                        'location': 'United States',
                        'name': 'Drift',
                        'type': 'SaaS Provider'},
                       {'industry': 'Sales Engagement',
                        'location': 'United States',
                        'name': 'Salesloft',
                        'type': 'SaaS Provider'}],
 'attack_vector': ['Compromised OAuth Tokens',
                   'Third-Party Integration Abuse',
                   'Delegated Access Exploitation'],
 'customer_advisories': ['Google Workspace admins notified to revoke Drift '
                         'tokens and review integration scopes.'],
 'data_breach': {'file_types_exposed': ['Emails', 'Potentially Attached Files'],
                 'number_of_records_exposed': 'Limited (small number of '
                                              'mailboxes)',
                 'sensitivity_of_data': ['Moderate to High (Executive '
                                         'Mailboxes Targeted)'],
                 'type_of_data_compromised': ['Email Data',
                                              'Potentially Sensitive Threads '
                                              '(Mitigated by Message-Level '
                                              'MFA)']},
 'date_detected': '2024-08-09',
 'date_publicly_disclosed': '2024-08-09',
 'date_resolved': '2024-08-09',
 'description': 'In early August 2024, threat actors exploited stolen Drift '
                'Email OAuth tokens to access a small number of Google '
                'Workspace mailboxes that had explicitly integrated with '
                'Drift. The same threat actor had previously compromised '
                'Salesforce records via OAuth tokens. Google confirmed the '
                'activity on August 9, revoked the tokens, and disabled the '
                'Drift integration. The incident highlights the risks of '
                'delegated access via OAuth integrations, which can bypass '
                'traditional security controls like MFA and identity '
                'hardening. The attack surface has expanded to include the '
                "'app graph'—the lattice of OAuth grants and API permissions "
                'binding SaaS applications. Customers responded by mapping '
                'Drift connections, pruning access, rotating keys, and '
                'deploying detections for indicators of compromise (IOCs). '
                "Material Security's 'Account Takeover Resilience' mitigated "
                'the impact by requiring human step-up authentication for '
                'accessing sensitive mailbox data, even with a valid token.',
 'impact': {'brand_reputation_impact': ['Moderate (Highlighted Risks of OAuth '
                                        'Integrations)'],
            'data_compromised': ['Email Data',
                                 'Potentially Sensitive Mailbox Contents'],
            'identity_theft_risk': ['Low (Mitigated by Message-Level MFA)'],
            'operational_impact': ['Token Revocation',
                                   'Integration Disabling',
                                   'Access Pruning and Key Rotation'],
            'systems_affected': ['Google Workspace Mailboxes (Limited Number)',
                                 'Drift Integration']},
 'initial_access_broker': {'entry_point': 'Compromised Drift Email OAuth '
                                          'Tokens',
                           'high_value_targets': ['Google Workspace Mailboxes '
                                                  'with Drift Integration']},
 'investigation_status': 'Resolved (Containment and Remediation Completed)',
 'lessons_learned': ['Assume integrations will be abused and tokens will leak; '
                     'design defenses accordingly.',
                     'OAuth governance must be treated as a first-class '
                     'security surface, with visibility and control over '
                     'third-party app scopes.',
                     'Prevention alone is insufficient; resilience requires '
                     'containment (e.g., message-level MFA) and automated '
                     'response capabilities.',
                     'Legacy protocols (IMAP, POP) and long-lived tokens must '
                     'be eliminated to reduce attack surface.',
                     'Real-time detection of suspicious behaviors (e.g., data '
                     'access patterns) is critical as attackers evolve evasion '
                     'techniques.',
                     'Supply chain attacks via trusted integrations are '
                     'escalating; bulk revocation and rotation should precede '
                     'investigation.'],
 'motivation': ['Data Theft', 'Espionage', 'Financial Gain (Potential)'],
 'post_incident_analysis': {'corrective_actions': ['Implemented automated '
                                                   'OAuth governance '
                                                   '(visibility, scope '
                                                   'tightening, '
                                                   'auto-revocation).',
                                                   'Deployed message-level MFA '
                                                   'for sensitive content in '
                                                   'Google Workspace.',
                                                   'Enhanced behavioral '
                                                   'detection for suspicious '
                                                   'data access patterns.',
                                                   'Eliminated legacy '
                                                   'protocols and long-lived '
                                                   'tokens.',
                                                   'Established playbooks for '
                                                   'rapid response to '
                                                   'third-party token '
                                                   'compromises.'],
                            'root_causes': ['Over-permissioned OAuth tokens '
                                            'with excessive scopes.',
                                            'Lack of real-time monitoring for '
                                            'anomalous token usage.',
                                            'Dependence on third-party '
                                            'integrations without sufficient '
                                            'governance.',
                                            'Inadequate segmentation between '
                                            'trusted integrations and '
                                            'sensitive data.']},
 'recommendations': ['Inventory all third-party apps with access to Google '
                     'Workspace APIs (Gmail, Drive, Calendar, Admin) and '
                     'remove unnecessary integrations.',
                     'Tighten OAuth scopes to the principle of least privilege '
                     'and auto-revoke stale grants.',
                     'Implement phishing-resistant MFA and eliminate legacy '
                     'protocols (IMAP, POP, app-specific passwords).',
                     'Deploy message-level MFA to protect sensitive email '
                     'threads and files, even from valid tokens.',
                     'Automate playbooks for real-time actions: token '
                     'revocation, account suspension, and step-up '
                     'authentication for sensitive content.',
                     'Monitor for high-risk OAuth grants as rigorously as new '
                     'admin accounts.',
                     "Adopt an 'assume breach' mindset: design systems so that "
                     'stolen tokens or sessions cannot access sensitive data '
                     'by default.',
                     'Enhance detection capabilities to include behavioral '
                     'analysis (e.g., unusual data access, email rules, file '
                     'sharing).'],
 'references': [{'date_accessed': '2024-08-15',
                 'source': 'Material Security Blog',
                 'url': 'https://material.security'},
                {'source': 'Google Workspace Security Bulletin'}],
 'response': {'communication_strategy': ['Customer Advisories',
                                         'Transparency on Incident Scope and '
                                         'Mitigation'],
              'containment_measures': ['Token Revocation',
                                       'Disabling Drift Integration',
                                       'Access Pruning'],
              'enhanced_monitoring': ['Real-Time Behavioral Monitoring for '
                                      'Suspicious Data Access Patterns'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Bulk Token Revocation',
                                    'Automated Playbooks for App Governance'],
              'remediation_measures': ['Key Rotation',
                                       'Scope Tightening for OAuth '
                                       'Integrations',
                                       'Deployment of IOC Detections'],
              'third_party_assistance': ['Material Security (Detection and '
                                         'Mitigation)']},
 'stakeholder_advisories': ['Customers advised to audit OAuth integrations, '
                            'rotate tokens, and deploy IOC detections.'],
 'title': 'Salesloft/Drift OAuth Token Abuse Incident Affecting Google '
          'Workspace',
 'type': ['Unauthorized Access', 'Supply Chain Attack', 'OAuth Token Abuse'],
 'vulnerability_exploited': ['Excessive OAuth Token Scopes',
                             'Lack of Token Rotation',
                             'Insufficient Monitoring of Third-Party '
                             'Integrations']}