Salesloft Drift OAuth Token Breach Exposes Salesforce and Google Workspace Data

September 1, 2025 / September 1, 2025 by Corentin C | Leave a comment

In late August 2025, Google Threat Intelligence Group (GTIG) revealed a major cybersecurity incident involving the Salesloft Drift platform. A sophisticated threat actor, tracked as UNC6395, abused compromised OAuth tokens to steal data from corporate Salesforce instances and access emails in Google Workspace accounts linked to Drift.

This Salesloft Drift security breach highlights the growing risks of third-party integrations and token-based authentication. Even though Salesforce and Google Workspace themselves were not compromised, the stolen tokens gave attackers a dangerous backdoor into sensitive business data.

What Happened in the Salesloft Drift Compromise?

August 8 – August 18, 2025: Attackers began abusing OAuth tokens tied to Salesloft Drift’s Salesforce integration, exfiltrating large volumes of data.
August 9, 2025: OAuth tokens from the Drift Email integration were exploited to access a small number of Google Workspace accounts (only those specifically configured with Drift).
August 20, 2025: Salesforce and Salesloft revoked all Drift tokens and removed the Drift app from Salesforce AppExchange.
August 28, 2025: GTIG confirmed the scope was broader than Salesforce and urged all Drift customers to assume any connected integrations were potentially compromised. Google revoked tokens, disabled Drift Email integration, and notified impacted Workspace administrators.

What Data Was Targeted?

UNC6395 focused on credentials and sensitive secrets inside Salesforce exports, including:

AWS Access Keys (AKIA identifiers)
Snowflake database tokens
Usernames, passwords, and API keys
Company records like Accounts, Users, Opportunities, and Cases

The attackers used targeted SOQL queries to harvest credentials. For example:

SELECT Id, Username, Email, LastLoginDate 
FROM User 
WHERE IsActive = true 
ORDER BY LastLoginDate DESC 
LIMIT 20;

Even though attackers tried to cover their tracks by deleting some jobs, Salesforce logs remain intact for forensic review.

Why This Matters

This incident is one of the largest OAuth token compromises observed in recent years. It shows that:

Third-party integrations can be the weakest link in cloud security.
OAuth tokens, once stolen, can give attackers persistent, legitimate access without triggering normal login alerts.
Even trusted platforms like Salesforce and Google Workspace are vulnerable through ecosystem risks, not through flaws in their core products.

How to Protect Your Organization

If your company uses Salesloft Drift with Salesforce, Google Workspace, or any other platform, you must assume compromise and take immediate action.

1. Revoke and Rotate Credentials

Revoke all OAuth tokens linked to Drift.
Rotate API keys, access tokens, and passwords.
Apply shorter session lifespans in Salesforce.

2. Investigate for Unauthorized Access

Review Salesforce Event Monitoring logs and Drift Connected App activity.
Search for suspicious SOQL queries in logs.
Scan exported data for AWS keys, Snowflake credentials, and passwords using tools like Trufflehog.

3. Harden Access Controls

Restrict Drift and other apps to least privilege scopes.
Enforce IP restrictions and login ranges for connected apps.
Remove unnecessary “API Enabled” permissions from user profiles.

Official Response

Google revoked compromised tokens, disabled the Drift Email integration, and notified Workspace admins.
Salesforce revoked Drift access and removed the app from the AppExchange.
Salesloft has engaged Mandiant to assist with the investigation and continues to update customers via its Trust Center.

The Salesloft Drift security incident underscores the importance of third-party risk management. Even without a breach of Salesforce or Google, attackers exploited OAuth token trust relationships to steal valuable data.

Organizations should review all Drift integrations immediately, rotate all credentials, and audit logs for signs of compromise.

For ongoing updates, monitor:

Salesforce Trust & Security

Source: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift?hl=en

Corentin C

Founder of ToolsLib, Designer, Web and Cybersecurity Expert.
Passionate about software development and crafting elegant, user-friendly designs.

Stay Updated with ToolsLib! 🚀
Join our community to receive the latest cybersecurity tips, software updates, and exclusive insights straight to your inbox!

Tagged

Brave Exposes Critical Security Flaws in Agentic AI Browsers

Brave has revealed critical flaws in Perplexity’s Comet AI assistant, where hidden instructions on a webpage could trick the browser into leaking emails, passwords, or other sensitive data. The research highlights the growing security and privacy risks of agentic AI browsers, and why stronger protections are urgently needed.

xAI: 370,000 Private Grok Conversations Exposed to Search Engines

xAI has exposed over 370,000 private Grok chatbot conversations to search engines, revealing sensitive and dangerous content. The incident raises new concerns about the company’s data privacy practices.

AdwCleaner 8.6.0 Released

AdwCleaner 8.6.0 is now available with faster startup, improved memory usage, and important TLS bug fixes. Download the latest version today.

Windows 10 and Firefox: Still Supported, But For How Long?

Windows 10 support ends in October 2025, but Firefox will continue running beyond that date. Learn what this means for users and how to prepare for the future.

Malware Hidden in Archives: How Hackers Use ZIP, RAR, and 7z Files to Bypass Detection

Archives like ZIP, RAR, and 7z are handy for sharing files, but cybercriminals often hide malware inside them to bypass detection. Learn how these attacks work, why outdated archiving software can be risky, and the simple steps you can take to stay safe.

OpenAI Releases GPT-5: New Features, Mixed Reactions, and What’s Next

OpenAI’s GPT-5 is the most advanced AI yet—but not everyone is happy. Here’s why some users prefer GPT-4o’s style, what Sam Altman says about fixing it, and how personalization may be the future of AI.

June 2025 Patch Tuesday: 66 Vulnerabilities Fixed, Including Two Zero-Days

Microsoft’s June 2025 Patch Tuesday addresses 66 vulnerabilities, including two zero-days—one actively exploited in the wild. Critical updates affect Office, SharePoint, WebDAV, and core Windows services.

List of Common Potentially Unwanted Programs (PUPs)

Potentially unwanted programs (PUPs) may seem harmless at first, but they often bring adware, trackers, or performance issues. In this post, we explore popular PUPs to watch out for and how to avoid installing them accidentally.

Microsoft May 2025 Patch Tuesday – Overview and Analysis

Microsoft's May 2025 Patch Tuesday delivers crucial security updates for 71 vulnerabilities, including five zero-days actively exploited in the wild. This month’s patch spans across major products like Windows, Azure, and Visual Studio, strengthening defenses against Remote Code Execution (RCE) and Elevation of Privilege (EoP) vulnerabilities.

Microsoft’s April 2025 Patch Tuesday: 121 Vulnerabilities Patched, Including One Zero-Day Exploited in the Wild

Microsoft's April 2025 Patch Tuesday addresses 121 vulnerabilities, including a zero-day actively exploited. Critical RDP and LDAP flaws highlight the urgency of this month's security updates.

March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, Including 7 Zero-Days

Microsoft's March 2025 Patch Tuesday delivers security updates for 57 vulnerabilities, with 7 zero-day flaws, including 6 that are actively exploited. Critical bugs affect components like NTFS, Microsoft Access, and Windows Server, highlighting the urgent need to apply these patches.

OpenAI Releases GPT-4.5

OpenAI has unveiled GPT-4.5, a major leap in AI technology. This new model improves accuracy, reasoning, and natural interaction, making it more reliable for tasks like writing, coding, and research. Learn how GPT-4.5 is shaping the future of AI.