Google Expands Warning on Salesloft Drift Breach: Some Workspace Accounts Impacted

Google has confirmed that the Salesloft Drift breach is more severe than initially reported. The campaign, which Mandiant tracks as UNC6395, first surfaced on August 26, when attackers stole OAuth tokens from Drift’s AI chat integration with Salesforce.

🔍 What happened?

  • Attackers gained access to Salesforce instances, querying Cases, Accounts, Users, and Opportunities.
  • Sensitive data exposed included AWS keys, Snowflake tokens, and passwords from support tickets.
  • New findings show OAuth tokens for Drift Email were also compromised.
  • On August 9, attackers used these tokens to access the emails of a small number of Google Workspace accounts.

What’s not impacted:

  • Other Workspace accounts within those domains
  • Google Workspace and Alphabet infrastructure

📌 Google’s response:

  • Revoked compromised tokens
  • Disabled Drift Email integrations with Workspace
  • Notified impacted customers
  • Urging all Drift customers to:
    • Revoke and rotate credentials
    • Audit connected systems for unauthorized access
    • Review third-party integrations for exposed secrets
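
One way to act on the "exposed secrets" step is to scan exported support-case text for the credential types named above and list the cases whose credentials need rotating. This is an added example, not code from Google, Salesloft or this post; the record fields, the regexes and the sample cases are constructed assumptions.

```python
import re

# Patterns are assumptions for this example, not an official indicator list.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret|token)\b\s*(?:is|[:=])\s*(\S{6,})", re.I),
}

def redact(value, keep=4):
    """Show only the first few characters so the report is not itself a leak."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_cases(cases):
    """Return one finding per match: (case_id, field, kind, redacted_value)."""
    findings = []
    for case in cases:
        for field in ("subject", "description"):
            text = case.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    # Use the captured secret if the pattern has a group,
                    # otherwise the whole match.
                    secret = m.group(m.lastindex or 0)
                    findings.append((case["id"], field, kind, redact(secret)))
    return findings

def cases_to_rotate(findings):
    """Case ids whose referenced credentials need rotation, sorted."""
    return sorted({f[0] for f in findings})

# Constructed sample records (not real tickets or real credentials).
SAMPLE_CASES = [
    {"id": "C-1001", "subject": "S3 upload fails",
     "description": "Our key is AKIAEXAMPLEKEY000001, please test with it."},
    {"id": "C-1002", "subject": "Login loop",
     "description": "Browser keeps redirecting after SSO."},
    {"id": "C-1003", "subject": "Warehouse sync",
     "description": "Host acme-xy123.snowflakecomputing.com, password: Hunter2!example"},
]

if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for row in results:
        print(*row, sep="\t")
    print("Rotate credentials referenced in:", cases_to_rotate(results))
```

A hit means the credential was readable by anyone holding a token with access to Cases, so rotate it even if the ticket is later edited or deleted.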

📢 Salesloft’s response:

  • Salesforce has disabled Drift integrations with Salesforce, Slack, and Pardot pending investigation.
  • Salesloft has engaged Mandiant and Coalition to investigate.

⚠️ Why it matters
This breach shows how OAuth tokens and third-party integrations can become major weak points in cloud ecosystems, exposing sensitive business and cloud infrastructure data.

At Alcaeus Services, we help organizations secure third-party integrations, cloud credentials, and OAuth-based connections, minimizing exposure to supply chain attacks like these.
