Unverified Breach of Salesloft Drift Customer Authentication Keys by Google
Salesloft, a leading sales engagement platform, has recently disclosed that the security breach of its Drift platform is more extensive than initially reported. The breach, which occurred on August 28, 2025, has affected a wider range of third-party applications, not just Salesforce integrations as previously thought.
The incident began after the Google Threat Intelligence Group (GTIG) identified a widespread data theft campaign conducted by UNC6395. Between August 8 and August 18, 2025, the actor exploited compromised OAuth tokens associated with the Salesloft Drift third-party application to systematically export large volumes of data from numerous corporate Salesforce instances.
One of the compromised integrations was the Drift Email integration. The threat actor used OAuth tokens for this integration to access emails from a small number of Google Workspace accounts that were specifically configured to integrate with Salesloft. Google has since revoked the specific OAuth tokens granted to the Drift Email application and disabled the integration functionality between Google Workspace and Salesloft Drift pending further investigation.
Salesloft has taken concrete measures to address the misuse of login tokens for data theft. In response to the initial discovery, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens for the Drift application and temporarily removed it from the Salesforce AppExchange on August 20, 2025. The company has also engaged the cybersecurity firm Mandiant to assist in its ongoing investigation.
Google has advised all Salesloft Drift customers to consider any and all authentication tokens stored in or linked to the Drift platform as potentially compromised. Organizations using Salesloft Drift are advised to conduct a thorough review of all third-party integrations connected to their Drift instance, revoke and rotate all associated credentials, and actively investigate all connected systems for any signs of unauthorized access or suspicious activity.
The Salesloft security breach underscores the complex security challenges posed by interconnected third-party applications. The primary motive of the actor was to harvest sensitive credentials, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens from the exfiltrated data.
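To act on the advice to rotate credentials, a defender can check which secrets were sitting in the exported Salesforce data in the first place. The following Python is an added example, not code from Salesloft, Google or Mandiant: it scans exported records for the credential types named above and builds a rotation worklist. The record layout, field names, regular expressions and sample rows are assumptions constructed for illustration.

```python
import re

# Patterns for the credential types the article says the actor harvested.
# These regexes are this example's assumptions, not indicators from an advisory.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret)\b\s*[:=]\s*(\S+)", re.I),
}

def redact(value):
    """Keep a short prefix of long matches only; never echo a full secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) >= 12 else "*" * len(value)

def scan_records(records, fields):
    """Return findings as (record_id, field, kind, redacted_match) tuples."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""  # exported fields are often empty/None
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append((rec["Id"], field, kind, redact(secret)))
    return findings

def rotation_worklist(findings):
    """Group findings: credential kind -> sorted record ids needing follow-up."""
    work = {}
    for rec_id, _field, kind, _match in findings:
        work.setdefault(kind, set()).add(rec_id)
    return {kind: sorted(ids) for kind, ids in work.items()}

# Constructed sample rows shaped like an export of Salesforce Case records.
SAMPLE_CASES = [
    {"Id": "CASE-001", "Subject": "S3 sync failing",
     "Description": "Customer pasted key AKIAIOSFODNN7EXAMPLE into the ticket."},
    {"Id": "CASE-002", "Subject": "Warehouse login",
     "Description": "Connect to acme-xy12345.snowflakecomputing.com with password: Hunter2!"},
    {"Id": "CASE-003", "Subject": "Billing question", "Description": None},
]

if __name__ == "__main__":
    hits = scan_records(SAMPLE_CASES, ["Subject", "Description"])
    for kind, ids in rotation_worklist(hits).items():
        print(kind, ids)
```

Every credential surfaced this way should be treated as exposed and rotated at its issuer, and the text fields that held it cleaned up so the secret no longer lives in CRM data.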
Google has clarified that the actor could not have accessed any other accounts within a customer's Workspace domain. The breach did not stem from a vulnerability within the core platforms of Google or Salesforce, but it demonstrates how a compromise in one service can create a ripple effect across integrated systems.
Salesloft has updated its security advisory in response to the new findings. The company is working diligently to provide its customers with the necessary resources and support to mitigate the risks associated with the breach.
In conclusion, the Salesloft Drift security breach serves as a reminder for organizations to regularly review and secure their third-party integrations. By taking proactive measures to protect their data, businesses can minimise the potential impact of similar security incidents.