Google Warns of Widespread Salesloft Drift OAuth Breach
In a recent update, Google has revealed that the Salesloft Drift OAuth breach has affected all integrations with Salesforce, not just the platform. This means that any authentication tokens stored in or connected to the Drift platform are considered compromised, and organizations should take immediate action to secure their data.
The Breach: A Global Impact
According to Google Threat Intelligence Group (GTIG), the breach occurred on August 9, 2025, when a threat actor used stolen OAuth tokens to access some Google Workspace emails via the Drift Email integration. This was not a compromise of Google Workspace itself, but of accounts that were integrated with Salesloft.
Further investigation revealed that the breach was broader than initially thought and affected all integrations, not just Salesforce. GTIG now advises all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.
The Scope of the Compromise
Google Threat Intelligence Group (GTIG) has warned that the breach is not exclusive to the Salesforce integration with Salesloft and impacts other integrations. This means that any organization using Drift integrated with Salesforce should consider their data compromised and take immediate remediation steps.
Investigation Finds Data Exfiltration Campaign
A recent investigation by GTIG and Mandiant researchers discovered a large-scale data theft campaign that targeted the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift AI chat agent. The experts found that UNC6395 stole OAuth tokens via Salesloft Drift and exfiltrated data from Salesforce between August 8 and 18, 2025.
The breach was not limited to Salesforce; attackers also targeted other corporate accounts using compromised OAuth credentials. According to GTIG, organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor.
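One way to run the search for secrets in Salesforce objects described above, as an added example that is not code from GTIG, Salesloft or the original article: a small Python scanner over exported records that flags common secret formats and redacts them in its report. The record layout, field names and sample values are constructed, and the patterns are assumptions about what to look for rather than a list given in the article.

```python
import re

# Constructed sample: rows as they might look after exporting Salesforce objects
# to dicts. Object and field names are assumptions; all secret values are fake.
RECORDS = [
    {"object": "Case", "Id": "500-EXAMPLE-1", "Description":
        "Customer pasted creds: AKIAEXAMPLEEXAMPLE12 please reset"},
    {"object": "Case", "Id": "500-EXAMPLE-2", "Description":
        "Login fails. password = Summer2025!hunter and MFA is off"},
    {"object": "Account", "Id": "001-EXAMPLE-3", "Notes":
        "Renewal call scheduled for next quarter."},
    {"object": "Opportunity", "Id": "006-EXAMPLE-4", "NextStep":
        "-----BEGIN RSA PRIVATE KEY----- (pasted by rep)"},
]

# Common secret shapes (assumed); extend with the formats your own vendors issue.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]\s*(\S{6,})"),
}

def redact(value, keep=4):
    """Show only a short prefix so the report does not re-leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """Return one finding per (record, field, pattern) match."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field in ("object", "Id") or not isinstance(text, str):
                continue
            for name, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    # Use the captured group when the pattern isolates the value.
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append({"object": rec["object"], "id": rec["Id"],
                                     "field": field, "type": name,
                                     "evidence": redact(secret)})
    return findings

if __name__ == "__main__":
    for finding in scan_records(RECORDS):
        print(finding)
```

Each finding identifies the record and field to review, so the matching credential can be revoked or rotated and its usage logs checked for abuse.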
Impact on Organizations
Salesloft warned that hackers exploited OAuth credentials in the Drift app to steal Salesforce data (Cases, Accounts, Users, Opportunities). On August 20, 2025, it revoked all Drift-Salesforce connections, stressing that non-Salesforce users are unaffected.
Admins are advised to re-authenticate Salesforce integrations, and impacted customers have been notified. However, the full scale of the breach remains unclear. A DFIR firm is assisting the investigation, and Salesloft has shared indicators of compromise (IOCs) with organizations affected by the breach.
Key Takeaways
The key takeaways from this incident are:
* All integrations with Drift should be treated as compromised.
* Authentication tokens stored in or connected to Drift are considered compromised.
* Organizations using Drift integrated with Salesforce should consider their data compromised and take immediate remediation steps.
* Re-authenticate Salesforce integrations, revoke API keys, rotate credentials, and perform further investigation to determine if the secrets were abused by the threat actor.
Organizations affected by this breach should prioritize securing their data and taking proactive measures to prevent future breaches.