Google: Treat All Salesloft Drift Tokens as Compromised After Workspace Email Breach

Google has broadened its warning about a mass data-theft campaign tied to the Salesloft Drift AI chat agent, advising all customers to treat any authentication tokens connected to the platform as potentially compromised after attackers used some credentials to access email from Google Workspace accounts.

Google widens scope and revokes tokens

According to Ars Technica, Google said unknown attackers used compromised Drift OAuth tokens to access Google Workspace email, prompting the company to revoke the tokens involved and disable integration between Salesloft Drift and all Workspace accounts while the investigation continues. Google has notified affected account holders.

In a Thursday advisory update, Google’s Threat Intelligence Group said the incident is broader than initially assessed. Earlier in the week, compromised tokens were believed to be limited to Drift integrations with Salesforce. The new findings indicate other integrations are impacted, leading Google to advise all Salesloft Drift customers to consider any tokens stored in or connected to the Drift platform as potentially compromised.

Guidance and ongoing response

Google recommended organizations review third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate connected systems for signs of unauthorized access. Salesloft has retained the Google-owned Mandiant incident response service to investigate the breach.

Salesforce impact and vendor responses

Earlier, Google reported that an attack group it tracks as UNC6395 conducted a mass data-theft campaign using compromised Drift OAuth tokens to access Salesforce instances. Once inside, the attackers accessed sensitive data stored in Salesforce and searched for credentials usable on services such as AWS and Snowflake. The campaign began no later than August 8 and continued through at least August 18.

In response to the discovery, Salesforce disabled Drift integrations with its main cloud service as well as its Slack and Pardot platforms. Google’s latest update signals the incident has expanded beyond Salesforce to additional integrations, including Google Workspace.

Salesloft’s publicly available security guidance page, as of Thursday, continued to indicate the breach affected only Drift integrations with Salesforce. Company representatives did not immediately respond to an email seeking confirmation of Google’s updated findings, Ars Technica reported. Salesloft acquired the Drift platform 18 months ago, and Drift integrates with services including Salesforce, other CRM platforms, Slack, and Google Workspace to enable real-time, human-like interactions for sales processes.
