Cybersecurity - Insights, Cybersecurity - News, News, News - Insights

Google Confirms Workspace Accounts Impacted in Salesforce–Salesloft Drift Data Theft Campaign

Posted on by Karmina Clemente
01
Sep

Google has confirmed that a recent data theft campaign, which primarily targeted Salesforce customers through the Salesloft Drift integration, also affected a limited number of Google Workspace accounts.

Overview of the Incident

The attack, conducted between August 8 and August 18, 2025, leveraged compromised OAuth tokens from the third-party AI chatbot Salesloft Drift. Initially, the focus was on exfiltrating large amounts of data from Salesforce instances, likely for credential harvesting. The attackers searched for AWS access keys, passwords, Snowflake tokens, and other sensitive corporate information. Google’s Threat Intelligence Group (GTIG) attributes the campaign to the threat actor UNC6395.

Impact on Google Workspace

On August 28, 2025, GTIG confirmed that Workspace accounts integrated with Salesloft Drift were also compromised. Using the stolen OAuth tokens, the attackers accessed email from a very small number of Workspace accounts on August 9, 2025. Google clarified that only accounts specifically configured to work with Salesloft Drift were affected, and no other Workspace accounts on the same domains were accessed.

In response, Google revoked the OAuth tokens for the Drift Email application and disabled the Workspace integration with Salesloft Drift. All impacted Workspace administrators have been notified. Google emphasized that neither Workspace nor Alphabet itself was compromised.

Recommendations for Organizations

Google advises all organizations using Drift to:

  • Review third-party integrations carefully
  • Rotate credentials associated with connected apps
  • Inspect connected systems for potential signs of compromise

GTIG also highlighted that the issue extends beyond Salesforce integrations, and all authentication tokens stored in or connected to the Drift platform should be considered potentially compromised.

Meanwhile, Salesloft instructed customers managing Drift connections via API keys to revoke and reissue new keys. The company has provided indicators of compromise (IOCs) and is collaborating with Mandiant and Coalition to investigate, remediate the incident, and ensure platform integrity.

Salesloft is working closely with Salesforce and third-party partners to restore all Salesloft integrations as quickly as possible.

Source: https://www.securityweek.com/google-confirms-workspace-accounts-also-hit-in-salesforce-salesloft-drift-data-theft-campaign

Karmina Clemente