**Full Report**
Google reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access Google Workspace email accounts in addition to Salesforce data. [...]
**Analysis Summary**
# Incident Report: Salesloft Breach Impacts Google Workspace via Compromised OAuth Tokens
## Executive Summary
Attackers, tracked as UNC6395, initially compromised customer Salesforce instances integrated with Salesloft Drift by leveraging stolen OAuth tokens. The incident scope later expanded, revealing that stolen OAuth tokens for the "Drift Email" integration were also used to access a small subset of directly integrated Google Workspace email accounts. Response involved token revocation, disabling integrations, and advising all Salesloft customers to treat all platform-connected tokens as compromised.
## Incident Details
- Discovery Date: August 26, 2025 (Initial disclosure)
- Incident Date: At least August 9, 2025 (When Google Workspace access occurred)
- Affected Organization: Salesloft (primary integration target) and its customers that integrated Salesloft/Drift with Salesforce and Google Workspace.
- Sector: Technology/SaaS
- Geography: Not specified, assumed global customers.
## Timeline of Events
### Initial Access
- Date/Time: Sometime prior to August 26, 2025.
- Vector: Compromise of OAuth tokens associated with Salesloft Drift integrations.
- Details: Threat actors stole OAuth tokens for both the Salesforce integration and the Drift Email integration.
### Lateral Movement
- Date/Time: Starting on or around August 9, 2025 (for Workspace access).
- Vector: Utilization of stolen **Salesforce access tokens**.
- Details: Threat actors executed queries against Salesforce objects (Cases, Accounts, Users, Opportunities) to search for sensitive data like AWS keys, Snowflake tokens, and passwords.
### Data Exfiltration/Impact
- Date/Time: Starting on or around August 9, 2025.
- Details: Data theft from Salesforce instances (support tickets, messages). Access to a "very small number" of directly integrated Google Workspace email accounts via compromised Drift Email OAuth tokens. Sensitive secrets found during scanning could lead to secondary breaches.
### Detection & Response
- Date/Time: August 26, 2025 (Initial disclosure).
- Details: Google Threat Intelligence (Mandiant) identified the compromise. Affected customers were notified. Google revoked stolen tokens and disabled the Salesloft Drift Email integration with Google Workspace pending investigation. Salesforce disabled Drift integrations with Salesforce, Slack, and Pardot.
## Attack Methodology
- Initial Access: Compromise/theft of **OAuth tokens** associated with Salesloft Drift integrations (Salesforce and Drift Email).
- Persistence: Maintained via the validity of the stolen OAuth tokens.
- Privilege Escalation: Not explicitly detailed, but the access enabled querying sensitive Salesforce information.
- Defense Evasion: Not detailed, but because the stolen OAuth tokens were legitimate, the access went through the standard application authorization path and blended in as trusted integration traffic; the mechanism was abused rather than visibly bypassed.
- Credential Access: Implicit via data exfiltration from scanned support tickets and messages (e.g., AWS keys, passwords found).
- Discovery: Execution of queries against Salesforce tables (`Cases`, `Accounts`, `Users`, `Opportunities`) to map and locate sensitive data.
- Lateral Movement: Gained access to customer Salesforce instances and external cloud accounts potentially via harvested secrets.
- Collection: Scanning customer support tickets and messages for sensitive configuration data and secrets.
- Exfiltration: Data theft from Salesforce environments and unauthorized viewing of a small number of Google Workspace emails.
- Impact: Exposure of sensitive cloud configuration data and credentials, potential secondary breaches, and unauthorized access to email content.
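The Discovery and Collection items above describe the observable footprint on the Salesforce side: one integration's token querying several sensitive objects in quick succession, with filters that hunt for secret-like strings. The detection logic below is an added example written for this summary, not a Salesforce or Google tool. The event records are constructed, and the field names (`connected_app`, `soql`, `rows`) are a simplified stand-in for what Salesforce Event Monitoring exports; the secret-hunting filter terms are a heuristic and an assumption.

```python
"""Flag bulk data pulls by a single OAuth connected app across several
sensitive Salesforce objects in a short window, and queries whose filters
look for credential-like strings. Added example, not a vendor tool; the
records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Objects the report says were queried during the incident.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
# Filter terms that suggest the caller is searching free text for secrets
# rather than syncing records (heuristic, assumption).
SECRET_HUNT_RE = re.compile(r"LIKE\s*'%?(AKIA|password|secret|snowflake|token)",
                            re.IGNORECASE)


@dataclass
class ApiEvent:
    ts: datetime
    connected_app: str  # OAuth connected app whose token made the call
    user: str           # integration user the token acts as
    soql: str
    rows: int           # rows returned by the query


def queried_object(soql: str) -> str:
    m = FROM_RE.search(soql)
    return m.group(1) if m else ""


def find_suspicious_apps(events, window=timedelta(minutes=30),
                         min_objects=3, min_rows=1000):
    """Return one finding per connected app that trips either rule."""
    by_app = {}
    for e in events:
        by_app.setdefault(e.connected_app, []).append(e)

    findings = []
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e.ts)
        reasons, objects_hit = [], set()
        # Rule 1: several sensitive objects and many rows inside one sliding
        # window; every event starts a candidate window.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            objs = {queried_object(e.soql) for e in in_window} & SENSITIVE_OBJECTS
            rows = sum(e.rows for e in in_window)
            if len(objs) >= min_objects and rows >= min_rows:
                reasons.append(f"{len(objs)} sensitive objects, {rows} rows within {window}")
                objects_hit = objs
                break
        # Rule 2: any query whose filter searches for secret-like terms.
        hunts = [e.soql for e in evs if SECRET_HUNT_RE.search(e.soql)]
        if hunts:
            reasons.append(f"{len(hunts)} secret-hunting filter(s)")
        if reasons:
            findings.append({"app": app, "user": evs[0].user,
                             "objects": sorted(objects_hit), "reasons": reasons})
    return findings


# Constructed sample: one integration pulling four objects in eight minutes
# with a credential-hunting filter, and one benign sync touching only Cases.
T = datetime(2025, 8, 9, 3, 10)
SAMPLE_EVENTS = [
    ApiEvent(T, "drift-integration", "integration@example.test",
             "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'", 4200),
    ApiEvent(T + timedelta(minutes=2), "drift-integration", "integration@example.test",
             "SELECT Id, Name FROM Account", 8000),
    ApiEvent(T + timedelta(minutes=5), "drift-integration", "integration@example.test",
             "SELECT Id, Email FROM User", 900),
    ApiEvent(T + timedelta(minutes=8), "drift-integration", "integration@example.test",
             "SELECT Id, Name FROM Opportunity", 3000),
    ApiEvent(T + timedelta(hours=6), "support-sync", "sync@example.test",
             "SELECT Id, Status FROM Case WHERE LastModifiedDate = TODAY", 40),
    ApiEvent(T + timedelta(hours=6, minutes=5), "support-sync", "sync@example.test",
             "SELECT Id, Status FROM Case WHERE LastModifiedDate = TODAY", 35),
]

if __name__ == "__main__":
    for f in find_suspicious_apps(SAMPLE_EVENTS):
        print(f)
```

The thresholds are deliberately loose; in practice, baseline each connected app's normal object set and row volume and alert on deviation from that baseline, since a legitimate sync may touch many objects every day while a token used for reconnaissance suddenly touches objects it never did before.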
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Sensitive information including AWS access keys, Snowflake tokens, and passwords potentially stolen from Salesforce environments. Access to email content for a small number of Workspace users.
- Operational: Disruption to Salesloft customers; Salesforce disabled major integrations (Salesforce, Slack, Pardot) pending investigation. Google disabled the Drift Email integration.
- Reputational: Negative impact on Salesloft and Google Workspace trust due to the expanded scope of the breach.
## Indicators of Compromise
- Network indicators: *None listed.*
- File indicators: *None listed.*
- Behavioral indicators: Unauthorized query execution within customer Salesforce environments; Use of compromised "Drift Email" OAuth tokens to access Workspace mailboxes.
## Response Actions
- Containment measures: Stolen OAuth tokens were revoked by Google. Salesforce disabled Drift integrations with Salesforce, Slack, and Pardot. Google disabled the Drift Email integration with Google Workspace.
- Eradication steps: *Not explicitly detailed beyond token revocation.*
- Recovery actions: Customers using relevant Salesloft integrations were advised to treat all associated authentication tokens as compromised, requiring immediate rotation of credentials across connected systems.
## Lessons Learned
- Third-party integration security is a critical, high-risk area, often acting as a pivot point for supply chain attacks.
- Comprehensive scope assessment (including verifying which services utilize the compromised tokens) is vital after initial discovery.
- Long-lived OAuth tokens held by integrated services need strict scoping and monitoring: a stolen token grants exactly the broad access the integration was trusted with, without any further authentication.
## Recommendations
- All organizations using Salesloft Drift must immediately revoke and rotate **all** authentication tokens stored in or connected to the Drift platform, checking all connected applications (Salesforce, Workspace, etc.).
- Conduct thorough audits on all third-party integrations connected to critical platforms (Salesforce, Google Workspace) specifically searching for exposed secrets or credentials within accessible data stores (like support tickets).
- Implement stronger access controls or more granular permissions (Principle of Least Privilege) for third-party OAuth applications.
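The second recommendation asks for an audit of data stores an integration can read, such as support tickets, for exposed credentials. Below is an added example of such a scan, written for this summary and not a Salesloft, Salesforce or Google tool. The AWS access key ID format is the well-known public prefix format; the secret-key, Snowflake-token and password patterns are context heuristics of my own (assumptions) that will need tuning. The tickets are constructed and every secret in them is a placeholder.

```python
"""Scan support-ticket text for credential-like strings so they can be purged
before a third-party integration with read access sees them. Added example;
the tickets and secrets below are constructed placeholders."""
import re
from typing import Dict, Iterable, List, Tuple

# Each pattern captures the secret value in the named group "v".
PATTERNS = {
    # AWS access key IDs: public fixed-format prefix plus 16 uppercase/digits.
    "aws_access_key_id": re.compile(r"\b(?P<v>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40-char base64-ish value next to an "aws secret (access) key" label (heuristic).
    "aws_secret_key": re.compile(
        r"(?i)aws[_ -]?secret(?:[_ -]?access)?[_ -]?key\W{0,5}(?P<v>[A-Za-z0-9/+=]{40})"),
    # Token-like value shortly after the words "snowflake ... token/pat" (heuristic).
    "snowflake_token": re.compile(
        r"(?i)snowflake\W{0,20}(?:token|pat)\W{0,5}(?P<v>[A-Za-z0-9_\-.]{16,})"),
    # "password: value" / "pwd=value" style assignments (heuristic).
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(?P<v>\S{6,})"),
}


def redact(secret: str) -> str:
    """Keep a 4-char prefix for triage; never log the full value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str) -> List[Dict[str, object]]:
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append({"kind": kind, "redacted": redact(m.group("v")),
                         "offset": m.start("v")})
    return hits


def scan_tickets(tickets: Iterable[Tuple[str, str]]) -> List[Dict[str, object]]:
    """tickets: (ticket_id, free text). Returns one finding per match."""
    findings = []
    for ticket_id, text in tickets:
        for hit in scan_text(text):
            findings.append({"ticket": ticket_id, **hit})
    return findings


# Constructed tickets; the AWS values are the public documentation examples.
SAMPLE_TICKETS = [
    ("CASE-0001", "Our uploader fails. Config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                  "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("CASE-0002", "Snowflake sync broke after rotating. New snowflake token: "
                  "sf_pat_0123456789abcdefXYZ"),
    ("CASE-0003", "Reset done, temporary password: Winter2025! Please change on login."),
    ("CASE-0004", "Just a question about invoice dates, nothing sensitive here."),
]

if __name__ == "__main__":
    for f in scan_tickets(SAMPLE_TICKETS):
        print(f"{f['ticket']}: {f['kind']} -> {f['redacted']}")
```

Every hit is a credential that should be rotated regardless of whether the breach touched that tenant, because it has already been exposed to anyone with read access to the object, including every connected app. Running the scan on a scheduled export and routing findings to the secret-rotation process turns the recommendation into a repeatable control rather than a one-off audit.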