- Google disclosed a broad attack affecting Salesforce instances through Salesloft Drift integrations.
- All authentication tokens connected to Drift are considered potentially compromised, according to Google’s advisory.
- Attackers used stolen OAuth tokens to access some Google Workspace email accounts connected to Drift.
- Google revoked affected tokens and disabled integrations, urging organizations to review and secure third-party connections.
- Salesloft said there is no evidence Salesloft integrations themselves were compromised, but all Salesloft integrations with Salesforce are temporarily disabled.
Google reported that attackers have targeted Salesforce accounts using the Salesloft Drift integration, affecting all related integrations as of August 2025. The company identified this as a widespread security incident and alerted affected users.
The breach allowed attackers to obtain OAuth tokens—digital “keys” that help applications access data without sharing passwords—from Drift’s platform. These stolen tokens were then used to access a small number of Google Workspace email accounts on August 9, 2025. According to an advisory from Google’s Threat Intelligence Group and Mandiant, the issue did not compromise Google Workspace or Alphabet systems directly.
Google said, “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” The company notified those affected, revoked the specific Drift Email OAuth tokens, and suspended integration features between Google Workspace and Salesloft Drift pending further investigation.
In a further step, Google called for all organizations using Salesloft Drift to check third-party integrations, revoke and update credentials, and look for signs of unauthorized activity across their systems. The company linked the attacks to the threat group “UNC6395,” which it said had targeted Salesforce accounts using compromised tokens from August 8 to 18, 2025, as described in their updated advisory.
Salesloft posted updates about the incident, noting that Salesforce temporarily disabled the Drift integration with Salesforce, Slack, and Pardot, eventually deciding to suspend all Salesloft integrations with Salesforce for safety. Salesloft stated, “Based on the investigation to date, there is no evidence of malicious activity detected in the Salesloft integrations related to the Drift incident. Additionally, at this time, there are no indications that the Salesloft integrations are compromised or at risk.” You can find full statements in their initial update and follow-up notice.
Google recommends organizations take immediate action to secure credentials, audit integrations, and monitor for suspicious access across platforms. Salesforce has additional guidance available on its status page.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Bitcoin Falls 10% After All-Time High; Rate Cut Hopes Loom
- Luxxfolio Pivots to Litecoin Treasury, Seeks $100M Amid Losses
- Bitcoin Miners Sell $485M BTC, Network Stays Robust Amid Uncertainty
- XRP Eyes $5 After Seven-Year Wait for $3 Mark, Bulls Optimistic
- Tether to End Bitcoin Omni USDT, Eyes New Lightning Protocols
