Full Report
Google Threat Intelligence Group reports a widespread data-theft campaign abusing OAuth tokens tied to Salesloft Drift. Initially observed against Salesforce orgs (Aug 8–18, 2025), the scope now includes other Drift integrations: on Aug 9, a small number of Google Workspace mai...
Analysis Summary
# Incident Report: Widespread Data Theft via Compromised Salesloft Drift OAuth Tokens
## Executive Summary
A widespread data-theft campaign, tracked by Google Threat Intelligence Group, was discovered abusing OAuth tokens specifically tied to the Salesloft Drift integration. The campaign initially targeted Salesforce organizations between August 8–18, 2025, but expanded to include Google Workspace mailboxes accessed via the "Drift Email" integration on August 9, 2025. Response efforts involved joint revocation of tokens and disabling of the affected third-party integrations.
## Incident Details
- Discovery Date: Not stated explicitly; the campaign is tracked from Aug 8 to Aug 18, 2025, so discovery likely occurred shortly after Aug 18, 2025, based on the reporting date.
- Incident Date: August 8, 2025 (Initial observation against Salesforce).
- Affected Organization: Multiple Salesforce organizations and an unspecified number of Google Workspace organizations.
- Sector: Technology/CRM/Sales Enablement (Inferred from targeted platforms).
- Geography: Not disclosed, but involves global platforms (Salesforce, Google Workspace).
## Timeline of Events
### Initial Access
- Date/Time: Starting August 8, 2025.
- Vector: Abuse of compromised OAuth tokens tied to the Salesloft Drift integration. The report also notes "Exposed secret" and "Password attack" as initial access methods potentially leading to token compromise.
- Details: Attackers utilized valid, existing OAuth tokens associated with Drift integrations to access connected services.
### Lateral Movement
- Date/Time: August 9, 2025 (Expansion noted).
- Vector: Movement occurred across interconnected services secured by the abused tokens.
- Details: After initial access (likely Salesforce), the scope expanded to include small numbers of Google Workspace mailboxes authenticated through the "Drift Email" integration.
### Data Exfiltration/Impact
- Date/Time: Throughout the August 8–18 window.
- Vector: Data exfiltration.
- Details: Data theft occurred from Salesforce orgs and data access (implied exfiltration) from Google Workspace mailboxes.
### Detection & Response
- Date/Time: After August 18, 2025.
- Vector: Google Threat Intelligence monitoring/reporting.
- Details: Google revoked affected tokens and disabled the Workspace-Drift integration. Salesforce/Salesloft revoked Drift tokens and removed the app from AppExchange.
## Attack Methodology
- Initial Access: Exposed secrets, password attacks, abuse of valid credentials (OAuth tokens).
- Persistence: Maintained through the active, valid OAuth tokens granted to the Salesloft Drift application.
- Privilege Escalation: Not explicitly detailed, but the OAuth scope likely granted necessary permissions for data access.
- Defense Evasion: Use of legitimate, pre-authorized OAuth tokens means the access appears as normal integration traffic and is not challenged by perimeter or login-time controls.
- Credential Access: The initial compromise is implied to have involved obtaining valid credentials or secrets that led to token issuance or theft.
- Discovery: Not detailed, but access to Salesforce and Workspace implies discovery of accessible data stores.
- Lateral Movement: Movement via the chain of trust established by the Salesloft Drift integration across Salesforce and Google Workspace environments.
- Collection: Accessing data within the connected Salesforce and Google Workspace environments.
- Exfiltration: Data theft from compromised environments.
- Impact: Data exfiltration.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Access to Salesforce data and Google Workspace mailbox data confirmed. Specific volume/type unknown.
- Operational: Potential disruption due to integration revocation.
- Reputational: Potential negative impact due to unauthorized access across major enterprise platforms.
## Indicators of Compromise
*Note: No specific IoCs (IPs, URLs, file hashes) were provided in this summary context, only the root cause mechanism (abused OAuth tokens).*
- Behavioral indicators: Unexpected access patterns or data flows originating from sessions authenticated via the Salesloft Drift application identity.
## Response Actions
- Containment: Google revoked affected tokens. Salesforce/Salesloft revoked Drift tokens.
- Eradication: Salesforce/Salesloft removed the Drift application from AppExchange, preventing future installations.
- Recovery: Organizations advised to revoke and rotate *all* OAuth tokens/API keys/credentials connected to their Drift instance, regardless of the target platform.
## Lessons Learned
- Third-party integration risk is high: A vulnerability or compromise within a single integrated third-party application (Salesloft Drift) can provide broad access across multiple critical services (Salesforce, Google Workspace).
- Token hygiene is critical: Over-permissioning or insufficient lifecycle management of OAuth tokens creates long-lived attack vectors.
## Recommendations
- Audit and minimize third-party integration scope: Review all applications connected to critical systems (Salesforce, Workspace) and ensure scopes granted to OAuth tokens are strictly limited to the minimum required permissions (Principle of Least Privilege).
- Immediate Rotation: Treat any authentication token connected to or originating from Salesloft Drift (or similar integrations) as compromised, and proactively revoke and rotate all associated credentials across all connected platforms.
- Enhanced Monitoring: Implement stricter anomaly detection rules around authentication events originating from known third-party integration identities.
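A baseline-and-deviation check of the kind the behavioral indicators and the monitoring recommendation above describe, written here as an added example (it is not from the report, nor from Google, Salesforce or Salesloft tooling). The event field names and the sample records are constructed and assumed; map them onto your platform's API/login audit export.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample audit events (not taken from the report). Each dict is
# one API call attributed to a connected-app identity; field names are assumed.
EVENTS = [
    {"ts": "2025-08-01T10:00:00Z", "app": "Drift", "object": "Lead", "rows": 40},
    {"ts": "2025-08-02T10:05:00Z", "app": "Drift", "object": "Lead", "rows": 35},
    {"ts": "2025-08-03T10:02:00Z", "app": "Drift", "object": "Contact", "rows": 50},
    {"ts": "2025-08-04T09:58:00Z", "app": "Drift", "object": "Lead", "rows": 45},
    {"ts": "2025-08-09T03:14:00Z", "app": "Drift", "object": "Case", "rows": 12000},
    {"ts": "2025-08-09T03:20:00Z", "app": "Drift", "object": "Lead", "rows": 9000},
    {"ts": "2025-08-10T10:00:00Z", "app": "Drift", "object": "Lead", "rows": 38},
]

def build_baseline(events, app, before):
    """Learn what `app` normally touches from events timestamped before `before`:
    mean rows per object type and the set of UTC hours it is active in."""
    rows_by_object = defaultdict(list)
    hours = set()
    for e in events:
        if e["app"] != app or e["ts"] >= before:
            continue
        rows_by_object[e["object"]].append(e["rows"])
        hours.add(int(e["ts"][11:13]))
    return {"rows": {o: mean(v) for o, v in rows_by_object.items()}, "hours": hours}

def detect(events, app, baseline, since, volume_factor=10):
    """Flag `app` events at or after `since` that deviate from the baseline:
    a never-before-seen object type, a row count far above the usual mean,
    or activity at an hour the integration has never been active in."""
    alerts = []
    for e in events:
        if e["app"] != app or e["ts"] < since:
            continue
        reasons = []
        typical = baseline["rows"].get(e["object"])
        if typical is None:
            reasons.append(f"new object type {e['object']}")
        elif e["rows"] > volume_factor * typical:
            reasons.append(f"volume {e['rows']} vs baseline {typical:.0f}")
        if int(e["ts"][11:13]) not in baseline["hours"]:
            reasons.append("outside usual hours")
        if reasons:
            alerts.append((e["ts"], e["object"], "; ".join(reasons)))
    return alerts

def run_demo():
    """Baseline on the week before the reported window, then scan the window."""
    baseline = build_baseline(EVENTS, "Drift", before="2025-08-08")
    return detect(EVENTS, "Drift", baseline, since="2025-08-08")

if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The same baseline per integration identity also answers the post-revocation question: any event from that identity after the revocation date should be an alert on its own.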