
Google Confirms Workspace Accounts Also Hit in Salesforce–Salesloft Drift Data Theft Campaign

Threat Score: 69 | 20 articles | 100.0% similarity | 3 days ago


Key Insights

1. Google warns that the Salesloft Drift OAuth breach compromises all authentication tokens connected to the platform, not just Salesforce integrations: 'we advise all Salesloft Drift customers to treat any and all authentication tokens as potentially compromised.'
2. The data theft campaign, attributed to threat actor UNC6395, began on August 8, 2025, and involved large-scale queries to export sensitive Salesforce data including AWS access keys, passwords, and Snowflake tokens.
3. Salesloft confirmed that only customers integrating with Salesforce via Drift were impacted, and they have since revoked all access tokens for the affected application.
4. Google Threat Intelligence Group (GTIG) reports that the attackers demonstrated operational security awareness by deleting query jobs to hinder detection while leaving Salesforce event logs intact for tracing.
5. The breach has raised significant concerns regarding SaaS integration security, with experts noting that OAuth token compromises are a known blind spot in enterprise security programs.
6. Organizations are urged to review their systems for signs of compromise and to rotate credentials as a precautionary measure in light of the ongoing investigation.

Threat Overview

In a significant security incident, Google has issued a warning regarding a breach affecting the Salesloft Drift platform, which has compromised OAuth tokens used for Salesforce integrations and potentially all connected applications. The breach, attributed to a threat actor known as UNC6395, began on August 8, 2025, and involved extensive data theft from Salesforce customer instances. Google stated, 'we advise all Salesloft Drift customers to treat any and all authentication tokens as potentially compromised.' The attackers exploited stolen OAuth tokens, executing large-scale SOQL queries to extract sensitive information, including AWS access keys and passwords.

Salesloft clarified that the incident specifically impacted customers using the Drift integration with Salesforce, and they have since revoked all active access tokens associated with the application as a precautionary measure. The breach highlights a broader vulnerability associated with SaaS integrations, as noted by experts who emphasize the risks posed by OAuth token compromises. 'It is a known blind spot in most enterprise security programs,' remarked Cory Michal, Chief Security Officer at AppOmni.

The Google Threat Intelligence Group (GTIG) reported that the attackers demonstrated advanced operational security by deleting query jobs to avoid detection, while Salesforce event logs remained intact, allowing organizations to trace the activity. The breach has raised alarms about the security of SaaS applications, with hundreds of Salesforce customer organizations potentially affected. Google has urged affected organizations to conduct thorough investigations of their systems and to rotate credentials as a safeguard.
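The overview notes that the actor's bulk SOQL exports stayed visible in Salesforce event logs even after the query jobs were deleted. The following Python is an added example, not code from the ThreatCluster page or from any vendor, showing how a defender could triage such logs: it parses constructed records modelled loosely on Salesforce Event Monitoring API events (the column names, the "Drift" client label, the row threshold and the sensitive-object list are all assumptions), flags Drift queries that are unusually large or touch objects a chat agent has no reason to bulk-read, and scans exported record text for AWS access key ids of the AKIA form mentioned in the coverage so they can be rotated.

```python
import csv
import io
import re

# Constructed sample records in the style of Salesforce Event Monitoring "API"
# events; the column names are an assumption modelled on Event Monitoring and
# every value (timestamps, user ids, row counts) is made up for illustration.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
API,20250808120000.000,005EXAMPLE001,Drift,Account,query,120
API,20250808120500.000,005EXAMPLE001,Drift,Case,query,48000
API,20250808121000.000,005EXAMPLE001,Drift,Opportunity,query,31000
API,20250808121500.000,005EXAMPLE001,Drift,User,query,2500
API,20250808130000.000,005EXAMPLE002,Data Loader,Contact,query,900
"""

DRIFT_CLIENT = "Drift"        # assumption: how the Drift connected app shows up in CLIENT_NAME
ROW_THRESHOLD = 10000         # assumption: rows per query well above the integration's normal use
SENSITIVE_OBJECTS = {"Case", "User", "Opportunity"}  # assumption: objects a chat agent should not bulk-read

# AWS access key ids start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def parse_api_events(text):
    """Read the CSV export and keep only API event rows."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["EVENT_TYPE"] == "API"]


def flag_suspicious_queries(events):
    """Return (timestamp, object, rows, reasons) for Drift queries that look like bulk export."""
    flagged = []
    for e in events:
        if e["CLIENT_NAME"] != DRIFT_CLIENT or e["METHOD_NAME"] != "query":
            continue
        rows = int(e["ROWS_PROCESSED"])
        reasons = []
        if rows > ROW_THRESHOLD:
            reasons.append(f"bulk export of {rows} rows")
        if e["ENTITY_NAME"] in SENSITIVE_OBJECTS:
            reasons.append(f"sensitive object {e['ENTITY_NAME']}")
        if reasons:
            flagged.append((e["TIMESTAMP"], e["ENTITY_NAME"], rows, reasons))
    return flagged


def find_exposed_aws_keys(texts):
    """Scan free-text fields from the exported objects for AKIA-style key ids to rotate."""
    return sorted({m for t in texts for m in AWS_KEY_RE.findall(t)})


# Constructed Case descriptions; the key id is fake and only illustrates the pattern.
SAMPLE_CASE_TEXT = [
    "Customer reports login issue; no credentials shared.",
    "Debug notes: ingest job uses AKIAEXAMPLEKEY000001 - please rotate",
]

if __name__ == "__main__":
    events = parse_api_events(SAMPLE_LOG)
    for hit in flag_suspicious_queries(events):
        print(hit)
    print(find_exposed_aws_keys(SAMPLE_CASE_TEXT))
```

In a real investigation the thresholds would be set from the integration's own baseline, and any key id found in exported records should be treated as exposed and rotated regardless of whether the export was flagged.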

In response to this incident, Salesloft has engaged a third-party digital forensics team to investigate the breach further and to assist customers in understanding the impact. Organizations that have integrated Salesloft Drift with Salesforce are advised to assess their Salesforce objects for any sensitive data that may have been exposed. The ongoing investigation continues to reveal the extent of the compromise and the measures necessary to mitigate risks moving forward.

Tactics, Techniques & Procedures (TTPs)

T1071.001 (Application Layer Protocol: Web Protocols): Attackers exploited OAuth tokens to communicate with Salesforce servers as authenticated users [1][2]
T1598 (Phishing): Attackers may have used phishing techniques to initially compromise OAuth tokens, although the exact method remains unclear [3][4]
T1190 (Exploit Public-Facing Application): Attackers directly exploited the Salesloft Drift integration to access Salesforce data [5][6]
T1053 (Scheduled Task/Job): Attackers demonstrated persistence by executing scheduled queries on Salesforce objects [7][8]
T1557 (Adversary-in-the-Middle): Compromised tokens allowed attackers to intercept sensitive data during exfiltration [9][10]

Timeline of Events

2025-08-08: Attackers begin exploiting compromised OAuth tokens associated with Salesloft Drift for data theft [1][2]
2025-08-18: Data exfiltration campaign continues, focusing on sensitive Salesforce objects [3][4]
2025-08-20: Salesloft issues an advisory acknowledging the breach and revokes affected access tokens [5]
2025-08-26: Google Threat Intelligence Group identifies the breach and links it to threat actor UNC6395 [6]
2025-08-29: Google warns that the breach affects all integrations connected to Salesloft Drift, not just Salesforce [7][8]

Source Citations

Expert quotes: Salesloft advisory (Article 5); Cory Michal, AppOmni (Article 19); Google Threat Intelligence Group (Article 1)
Primary findings: OAuth token compromise details (Articles 1, 3); Salesloft response and advisories (Articles 5, 12); Impact assessment of affected systems (Articles 2, 4)
Technical details: Attack methods and techniques (Articles 1, 2, 4); Operational security measures by attackers (Articles 6, 10)

Powered by ThreatCluster AI. Generated 6 hours ago. AI analysis may contain inaccuracies.

Related Articles

20 articles

1. Google Confirms Workspace Accounts Also Hit in Salesforce–Salesloft Drift Data Theft Campaign (SecurityWeek, 8 hours ago; score 81, 100.0% similarity)
Google says the same OAuth token compromise that enabled Salesforce data theft also let hackers access a small number of Workspace accounts via the Salesloft Drift integration.

2. Google Warns Salesloft OAuth Breach Extends Beyond Salesforce, Impacting All Integrations (The Hacker News, 14 hours ago; score 69, 100.0% similarity)
Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and Mandiant said in an updated advisory. The tech giant said the attackers also used stolen OAuth tokens to acc

3. Google Confirms Potential Compromise of All Salesloft Drift Customer Authentication Tokens (Cybersecurity News, 9 hours ago; score 65, 100.0% similarity)
Google has confirmed that a security breach involving the Salesloft Drift platform is more extensive than initially reported, potentially compromising all authentication tokens connected to the service. The new findings from the Google Threat Intelligence Group (GTIG) indicate that the incident, previously thought to be limited to Salesforce integrations, affects all third-party applications connected to […]

4. Google: Salesloft Drift breach hits all integrations (Security Affairs, 12 hours ago; score 64, 100.0% similarity)
Google warns that the Salesloft Drift OAuth breach affects all integrations, not just Salesforce. All tokens should be treated as compromised. Google disclosed that the Salesloft Drift OAuth breach is broader than Salesforce, affecting all integrations. GTIG and Mandiant advise all customers to treat connected tokens as compromised. Attackers used stolen OAuth tokens to access some […]

5. Hundreds of Salesforce customers impacted by attack spree linked to third-party AI agent (CyberScoop, 3 days ago; score 60, 100.0% similarity)
A threat group Google tracks as UNC6395 systematically stole large amounts of data from Salesforce customer instances by using OAuth tokens stolen from Salesloft Drift, researchers said.

6. Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks (Databreaches, 2 days ago; score 60, 100.0% similarity)
It looks like ShinyHunters and Scattered Spider have found yet another way to compromise Salesforce customers. Lawrence Abrams reports: Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce to pivot to customer environments and exfiltrate data. Salesloft’s SalesDrift is a third-party platform that connects...

7. Hackers Abuse Compromised OAuth Tokens to Access and Steal Salesforce Corporate Data (GB Hackers, 2 days ago; score 54, 100.0% similarity)
Google Threat Intelligence Group (GTIG) has issued an advisory concerning a broad data theft operation targeting corporate Salesforce instances via the Drift integration. Beginning as early as August 8, 2025, UNC6395 leveraged valid access and refresh tokens associated with the Salesloft Drift app to connect as an authenticated connected app user, executing large-scale SOQL queries to export records from key Sales

8. Widespread Data Theft Targets Salesforce Instances via Salesloft Drift (Mandiant Threat Intelligence, 3 days ago; score 53, 96.0% similarity)
Written by: Austin Larsen, Matt Lin, Tyler McLellan, Omar ElAhdan. Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations to a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18,

9. Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data (The Hacker News, 2 days ago; score 53, 100.0% similarity)
A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent. The activity, assessed to be opportunistic in nature, has been attributed to a threat actor tracked by Google Threat Intelligence Group and Mandiant as UNC6395. "Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through com

10. Salesforce data theft campaign exposes SaaS integration risks (Security Brief UK, 1 day ago; score 51, 100.0% similarity)
New data theft attacks have been observed targeting Salesforce instances through SaaS integrations, raising concerns among security experts regarding the scope and coordination of the campaign. Security professionals are closely following developments after Google Threat Intelligence reported widespread attacks involving stolen OAuth2 tokens from integrations between Salesforce and third-party applications, including Salesloft and Dri

11. Salesforce data missing? It might be due to Salesloft breach, Google says (The Register Security, 2 days ago; score 51, 100.0% similarity)
Attackers steal OAuth tokens to access third-party sales platform, then CRM data in 'widespread campaign'. Google says a recent spate of Salesforce-related breaches was caused by attackers stealing OAuth tokens from the third-party Salesloft Drift app. Drift is used for automating sales processes, and it integrates with Salesforce databases, pulling relevant information such as leads and details into the platfor

12. Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks (BleepingComputer, 3 days ago; score 51, 96.0% similarity)
Lawrence Abrams, August 26, 2025. Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce to pivot to customer environments and exfiltrate data. The ShinyHunters extortion group claims responsibility for these additional Salesforce attacks. Salesloft's SalesDrift is a third-party platform that connects the Drift AI chat agent wit

13. "Widespread data theft" hits Salesforce customers via third party (IT News Security, 2 days ago; score 50, 100.0% similarity)
Speculation that breach may be connected to "ShinyHunters" hackers. Compromised OAuth tokens through a third-party app have resulted in large-scale data raids on instances of the Salesforce customer relationship management (CRM) platform, by an unknown threat actor. The third-party app is Salesloft Drift, which is described as a revenue orchestration platform that uses purpose built artificial intelligence

14. Google warns Salesloft breach impacted some Workspace accounts (BleepingComputer, 23 hours ago; score 50, 100.0% similarity)
Lawrence Abrams, August 28, 2025. Google now reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts in addition to stealing data from Salesforce instances. "Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Dri

15. Hundreds of Salesforce customer orgs hit in clever attack with potentially huge blast radius (Feeds2, 2 days ago; score 49, 100.0% similarity)
A threat group Google tracks as UNC6395 has pilfered troves of data from Salesforce corporate instances, in of credentials that can be used to compromise those organizations’ environments. “[Google Threat Intelligence Group] observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” the company’s incident respond

16. Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances (Cybersecurity News, 2 days ago; score 49, 100.0% similarity)
A sophisticated data exfiltration campaign targeting corporate Salesforce instances has exposed sensitive information from multiple organizations through compromised OAuth tokens associated with the Salesloft Drift third-party application. The threat actor, designated as UNC6395, systematically harvested credentials and sensitive data between August 8-18, 2025, demonstrating advanced operational security awareness while executing SOQL queries across numerous Salesforce […]

17. Google Identifies ‘Widespread Data Theft’ Impacting Salesforce-Salesloft Drift Users (Techrepublic, 1 day ago; score 49, 100.0% similarity)
A previously unidentified threat actor, UNC6395, has been linked to a recent breach campaign that exposed Salesforce customer data. The activity, which occurred between early and mid-August, involved the misuse of OAuth tokens issued through Salesloft Drift integration. Google Threat Intelligence Group (GTIG) identified the threat actor in an Aug. 26 post and noted the “widespread data theft” started as early as Aug. 8, 2025 and ran through at least Aug. 18, 2025.

18. Attackers steal data from Salesforce instances via compromised AI live chat tool (CSO Online, 2 days ago; score 48, 100.0% similarity)
A threat actor managed to obtain Salesforce OAuth tokens from a third-party integration called Salesloft Drift and used the tokens to download large volumes of data from impacted Salesforce instances. One of the attacker’s goals was to find and extract additional credentials stored in Salesforce records that could expand their access. “After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments,” the Goo

19. UNC6395 targets Salesloft in Drift OAuth token theft campaign (Security Affairs, 1 day ago; score 47, 100.0% similarity)
Hackers breached Salesloft to steal OAuth/refresh tokens for Drift AI chat; GTIG and Mandiant link the campaign to threat actor UNC6395. Google Threat Intelligence Group and Mandiant researchers investigate a large-scale data theft campaign carried out to hack the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat […]

20. Salesloft Drift compromised en masse, impacting all third-party integrations (CyberScoop, 1 day ago; score 47, 100.0% similarity)
Researchers said Google Workspace customers were hit, and noted other platforms are impacted as well. Fresh evidence proves impact was not limited to Salesforce, as Salesloft previously claimed.


Cluster Intelligence

Key entities and indicators for this cluster

APT GROUPS: UNC6395
MITRE ATT&CK: T1071.001, T1557, T1053, T1598, T1190
ATTACK TYPES: OAuth Token Theft, OAuth Token Exploitation, Data Exfiltration, Data Theft, OAuth Token Abuse
PLATFORMS: Drift, Google Workspace
INDUSTRIES: SaaS, Technology, Sales Automation, Cloud Services, Software
COMPANIES: Salesloft
SECURITY VENDORS: Google Threat Intelligence Group
RANSOMWARE: ShinyHunters
CLUSTER INFORMATION: Cluster #2214, created 3 days ago, semantic algorithm
