Google Warns Salesloft Breach Impacted Workspace Accounts

by Priyanka Patel

Google has revealed that the Salesloft Drift breach is more extensive than initially reported. Attackers not only stole data from Salesforce instances but also used compromised OAuth tokens to access a small number of Google Workspace email accounts.

Salesloft Drift breach impacts Google Workspace accounts.

Attackers accessed Google Workspace emails using stolen OAuth tokens, expanding the scope beyond Salesforce.

  • The Salesloft Drift breach now includes unauthorized access to Google Workspace email accounts.
  • Attackers utilized stolen OAuth tokens, initially targeting Salesforce instances, to gain broader access.
  • Google advises all Salesloft Drift customers to treat all authentication tokens connected to the platform as compromised.
  • Salesforce has disabled Drift integrations with Salesforce, Slack, and Pardot until the investigation is complete.

Initially, attackers were found to have stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce. These tokens granted them access to customer Salesforce instances, allowing them to query sensitive data, including customer support tickets and messages.

The attackers sought information like AWS access keys, Snowflake tokens, and passwords. This sensitive data could be used to breach further cloud accounts, likely for extortion purposes.

New Details Emerge

An update published today by Google confirmed that the compromise extends beyond Salesforce integrations. The investigation revealed that OAuth tokens for the “Drift Email” integration were also compromised. On August 9, threat actors used these tokens to access the email of a “very small number” of Google Workspace accounts directly integrated with Drift.

Google stressed that no other accounts within those domains were affected and that neither Google Workspace nor Alphabet itself was compromised. The stolen tokens have been revoked, and affected customers have been notified. The integration between Salesloft Drift Email and Google Workspace has been disabled while the investigation continues.

What is the latest warning from Google regarding the Salesloft Drift breach? Google is urging all organizations using Drift to treat every authentication token stored in or connected to the platform as compromised.

Recommendations for Users

Google strongly advises all organizations using Drift to revoke and rotate credentials for affected applications. It’s crucial to investigate all connected systems for signs of unauthorized access. The company also recommends reviewing all third-party integrations associated with Drift instances, searching for exposed secrets, and resetting any found credentials.
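The search for exposed secrets can start with exported support-case text, the data the attackers queried. The following is an added example, not code from Google or Salesloft; the patterns are heuristics chosen for this sketch, and the case records and the `acme-xy12345` hostname are constructed sample data.

```python
import re

# Heuristic patterns (assumptions of this example, not an official list).
# A capture group marks the part of the match that is itself a secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "snowflake_reference": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret|token)\b\s*[:=]\s*(\S{6,})", re.I),
}

def redact(value):
    """Keep a short prefix for triage so the report does not re-expose the secret."""
    keep = min(4, len(value) // 3)
    return value[:keep] + "*" * (len(value) - keep)

def scan_cases(cases):
    """Return (case_id, kind, value) for every hit; secret values are redacted."""
    findings = []
    for case in cases:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(case["text"]):
                value = redact(m.group(1)) if m.lastindex else m.group(0)
                findings.append((case["id"], kind, value))
    return findings

def cases_needing_rotation(cases):
    """Case ids with at least one hit: credentials referenced there get rotated."""
    return sorted({case_id for case_id, _, _ in scan_cases(cases)})

# Constructed sample data standing in for an export of support cases.
SAMPLE_CASES = [
    {"id": "CASE-001", "text": "Customer pasted key AKIAIOSFODNN7EXAMPLE into the chat."},
    {"id": "CASE-002", "text": "Login fails at acme-xy12345.snowflakecomputing.com, password: Winter2025!x"},
    {"id": "CASE-003", "text": "User asked how to reset their password from the login page."},
]

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(*finding, sep="\t")
```

A hit means the credential was readable by anyone holding the stolen token, so it is rotated even if the case is old; a case with no hits still warrants review if it has attachments the scan did not cover.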

Salesloft updated its advisory on August 28. Salesforce has disabled Drift integrations with Salesforce, Slack, and Pardot until the investigation is complete. Salesloft has engaged Mandiant and Coalition to assist with the ongoing probe.
