Source summary (CyberScoop, "Salesloft Drift compromised en masse, impacting all third-party integrations"): Researchers said Google Workspace customers were hit, and noted other platforms are impacted as well. Fresh evidence proves impact was not limited to Salesforce, as Salesloft previously claimed.
# Incident Report: Widespread Compromise via Salesloft Drift Integration Breach
## Executive Summary
A significant security incident originated from a compromise of the Salesloft Drift AI chat agent platform and cascaded into every third-party integration that affected organizations had connected through it. The threat actors, tracked as UNC6395, used OAuth tokens stolen from Drift to access data in connected services, including Google Workspace and Salesforce instances, stealing credentials and potentially exfiltrating data from hundreds of organizations. Mandiant and Google are actively investigating, and Salesloft and Salesforce have recommended or carried out the revocation of API keys and the disabling of specific integrations to contain the spread.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the scope expansion was publicly noted around August 28, 2025.
- **Incident Date:** Occurred prior to the public disclosure around August 28, 2025.
- **Affected Organization:** Salesloft Drift customers, specifically impacting organizations using integrations with platforms like Google Workspace and Salesforce.
- **Sector:** Technology, Sales, CRM/Automation (Affecting users across multiple sectors based on Salesloft's clientele).
- **Geography:** Global, given the wide user base of Salesloft Drift and impacted platforms like Google Workspace.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Unknown root cause leading to the compromise of the Salesloft Drift platform.
- **Details:** Threat actors gained access leading to the ability to steal OAuth tokens from the Drift environment.
### Lateral Movement
- **Vector:** Attackers utilized the stolen OAuth tokens from Salesloft Drift integrations.
- **Details:** Used to access connected third-party services, including Google Workspace and Salesforce customer environments.
### Data Exfiltration/Impact
- **Impact:** Attackers accessed emails from a small number of Google Workspace accounts and sought to steal credentials for other systems, specifically targeting AWS access keys, VPN credentials, and Snowflake credentials from victim environments.
- **Scope:** Initially thought limited to Salesforce customers, the scope expanded to potentially any platform integrated with Salesloft Drift (vendors report 58 integration points). Over 700 organizations are potentially impacted.
### Detection & Response
- **Detection:** Detected by researchers, including Google Threat Intelligence Group (GTIG) and Mandiant, identifying the breach's expanded scope beyond initial claims.
- **Response Actions:** Salesloft engaged Mandiant and Coalition. Salesforce disabled the connection between Drift and Salesforce. Salesloft recommended all customers using API key connections revoke and rotate their existing keys.
## Attack Methodology
- **Initial Access:** Unconfirmed root cause within Salesloft Drift infrastructure.
- **Persistence:** Not detailed, but access was achieved via the compromise of the integration platform's token storage/management.
- **Privilege Escalation:** Not detailed, but implied by the ability to access sensitive data/credentials once inside connected systems via stolen tokens.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Stole OAuth tokens from the Salesloft Drift environment, which were then used on downstream victim systems to look for credentials (AWS keys, VPN, Snowflake).
- **Discovery:** Attacker specifically searched connected systems for other credentials (AWS access keys, VPN credentials, Snowflake credentials).
- **Lateral Movement:** Movement occurred between victim environments connected to Drift via stolen OAuth tokens.
- **Collection:** Gathered OAuth tokens and specific credentials for other infrastructure access.
- **Exfiltration:** Sought to exfiltrate credentials and accessed email data from a small number of Google Workspace accounts.
- **Impact:** Compromise of connected third-party platforms through token misuse, leading to credential theft.
## Impact Assessment
- **Financial:** Not explicitly disclosed, but expected to be significant due to the number of potential victims (700+ organizations).
- **Data Breach:** Credentials for AWS, VPNs, and Snowflake systems, plus email access for a small subset of Google Workspace accounts.
- **Operational:** Salesforce disabled some functionality by disconnecting Drift. Affected organizations needed to revoke and rotate API keys across potentially dozens of integrations.
- **Reputational:** Significant damage to the trust placed in Salesloft Drift and third-party integration security practices.
## Indicators of Compromise
- **Network Indicators:** Not provided; the source contains no URLs or IP addresses to defang.
- **File Indicators:** Not provided.
- **Behavioral Indicators:** Use of stolen OAuth tokens from Salesloft Drift to access connected services (Google Workspace, Salesforce instances) while searching for further infrastructure credentials (e.g., AWS keys).
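The behavioral indicator above is the only detectable signal the source gives, so this added example (not from the report or from any vendor) shows how a defender can turn it into detection logic: a stolen integration token is flagged when it is used for actions outside the integration's onboarded baseline, or when the request content looks like a search for other credentials (AWS key prefixes, Snowflake, VPN, passwords). The log format, field names (`app`, `service`, `action`, `detail`) and the sample events are all constructed for this example and do not represent any real product's audit schema.

```python
import re
from collections import Counter

# Constructed sample audit events (not real logs). Each line records one API
# call made with a third-party integration's OAuth token against a connected
# service. The field names are an assumption for this example only.
SAMPLE_EVENTS = """
2025-08-26T02:14:09Z app=drift-connector service=salesforce action=QUERY detail="SELECT Id, Email FROM Lead WHERE CreatedDate = TODAY"
2025-08-26T02:14:40Z app=drift-connector service=salesforce action=UPDATE detail="Lead 00Q000EXAMPLE Status=Contacted"
2025-08-26T03:02:17Z app=drift-connector service=salesforce action=QUERY detail="SELECT Id, Description FROM Case WHERE Description LIKE '%AKIA%'"
2025-08-26T03:03:05Z app=drift-connector service=salesforce action=QUERY detail="SELECT Body FROM Attachment WHERE Name LIKE '%snowflake%'"
2025-08-26T03:05:44Z app=drift-connector service=salesforce action=BULK_EXPORT detail="Case (41233 rows)"
2025-08-26T03:20:12Z app=drift-connector service=google-workspace action=MAIL_READ detail="user=alice@example.com query=vpn password"
2025-08-26T09:00:00Z app=calendar-sync service=google-workspace action=CALENDAR_READ detail="user=bob@example.com"
""".strip().splitlines()

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# What each integration was onboarded to do, as (service, action) pairs.
# Any other use of its token is off-baseline (assumed allowlist for the example).
BASELINE = {
    "drift-connector": {("salesforce", "QUERY"), ("salesforce", "UPDATE")},
    "calendar-sync": {("google-workspace", "CALENDAR_READ")},
}

# Content patterns that suggest the token is being used to hunt for further
# infrastructure credentials rather than to do the integration's job.
CREDENTIAL_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA", re.I)),   # AWS access key ID prefix
    ("snowflake", re.compile(r"snowflake", re.I)),
    ("vpn", re.compile(r"\bvpn\b", re.I)),
    ("password_or_secret", re.compile(r"password|passwd|secret", re.I)),
]


def parse_event(line):
    """Split 'timestamp k=v k="v v"...' into a dict; the timestamp lands in 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def evaluate(event):
    """Return a list of finding strings for one parsed event (empty if benign)."""
    findings = []
    app = event.get("app", "?")
    service, action = event.get("service"), event.get("action")
    if (service, action) not in BASELINE.get(app, set()):
        findings.append(f"off-baseline: {app} performed {action} on {service}")
    detail = event.get("detail", "")
    hits = [name for name, rx in CREDENTIAL_PATTERNS if rx.search(detail)]
    if hits:
        findings.append("credential-hunting: " + ", ".join(hits))
    return findings


def scan(lines):
    """Run every rule over every line; return (ts, app, finding) tuples."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for finding in evaluate(ev):
            alerts.append((ev["ts"], ev.get("app"), finding))
    return alerts


def suspicious_apps(alerts, threshold=2):
    """Integrations whose token produced at least `threshold` findings.

    A single off-baseline call can be a legitimate new feature; a cluster of
    off-baseline calls plus credential-hunting content is the pattern to
    escalate and revoke on.
    """
    counts = Counter(app for _, app, _ in alerts)
    return {app: n for app, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for ts, app, finding in found:
        print(ts, app, finding)
    print("escalate:", suspicious_apps(found))
```

Both rules are deliberately token-centric: the requests come from an app the victim trusts, so source-based indicators are weak, and the useful signal is the integration doing things it was never onboarded for. The baseline set is the part an organization has to fill in from its own integration inventory.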
## Response Actions
- **Containment:** Salesforce disabled the connection between Drift and Salesforce. Salesloft recommended that customers immediately revoke and rotate all third-party API keys connected through Drift.
- **Eradication:** Mandiant and Google are currently investigating the root cause, implying eradication hinges on understanding and patching the initial access vector within Salesloft Drift.
- **Recovery:** Organizations are performing mass key rotation across integrated services.
## Lessons Learned
- **Key Takeaways:** Centralized integration platforms (like AI agents managing multiple APIs) represent a single point of failure with massive downstream risk. The scope of third-party compromise is often far wider than initially assessed.
- **What could have been done better:** Secure handling of integration secrets and OAuth tokens within the Salesloft Drift infrastructure was proven inadequate. Faster disclosure of the true scope by Salesloft would have aided broader defense efforts.
## Recommendations
- **Prevention Measures for Similar Incidents:** Implement strict least-privilege policies for all third-party integrations. Utilize short-lived or tokenized credentials instead of long-lived API keys where possible. Conduct supply chain security audits focusing specifically on how vendors manage customer connection secrets (tokens/keys).
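The prevention measures above (least privilege per integration, short-lived credentials over static keys, and knowing which secrets a vendor holds) are easiest to enforce from an integration inventory. This added example, written for this report and not taken from Salesloft, Salesforce or Google, audits a constructed inventory: it flags scopes an integration does not need, static API keys past their rotation age, and integrations with no approved scope set, and it produces the revoke-everything list for one compromised integration platform, which is the mass rotation described in the Recovery section. The integration names, scope strings, `REQUIRED_SCOPES` allowlist and dates are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Integration:
    """One credential a third-party integration holds for a connected service."""
    name: str               # the integration platform (e.g. a chat agent)
    service: str            # the connected platform the credential is for
    granted_scopes: frozenset
    credential_kind: str    # "oauth_token" (short-lived access, refreshable) or "api_key" (static)
    issued: date


# Assumed allowlist: the minimum scopes each integration needs for its job.
REQUIRED_SCOPES = {
    ("chat-agent", "salesforce"): frozenset({"lead.read", "lead.write"}),
    ("chat-agent", "google-workspace"): frozenset({"calendar.read"}),
    ("billing-sync", "salesforce"): frozenset({"account.read", "opportunity.read"}),
}

# Static keys older than this are due for rotation regardless of incidents.
MAX_STATIC_KEY_AGE_DAYS = 90

# Constructed inventory for the example (scope names and dates are made up).
INVENTORY = [
    Integration("chat-agent", "salesforce",
                frozenset({"lead.read", "lead.write", "case.read", "attachment.read"}),
                "api_key", date(2024, 11, 3)),
    Integration("chat-agent", "google-workspace",
                frozenset({"calendar.read", "mail.read"}),
                "oauth_token", date(2025, 8, 1)),
    Integration("billing-sync", "salesforce",
                frozenset({"account.read", "opportunity.read"}),
                "oauth_token", date(2025, 7, 15)),
    Integration("legacy-export", "salesforce",
                frozenset({"*"}),
                "api_key", date(2023, 2, 9)),
]
TODAY = date(2025, 8, 28)  # constructed reference date for the age check


def audit(inventory, today):
    """Return (name, service, finding, remediation) tuples for policy violations."""
    findings = []
    for i in inventory:
        required = REQUIRED_SCOPES.get((i.name, i.service))
        if required is None:
            findings.append((i.name, i.service, "unknown-integration",
                             "no approved scope set; review or revoke"))
            continue
        excess = i.granted_scopes - required
        if excess:
            findings.append((i.name, i.service, "over-scoped",
                             f"drop {sorted(excess)}"))
        if i.credential_kind == "api_key":
            age = (today - i.issued).days
            if age > MAX_STATIC_KEY_AGE_DAYS:
                findings.append((i.name, i.service, "stale-static-key",
                                 f"{age} days old; rotate and prefer short-lived OAuth"))
    return findings


def incident_rotation_plan(inventory, compromised_platform):
    """Every (service, credential kind) the compromised platform held.

    When the integration platform itself is breached, all of its downstream
    credentials must be treated as stolen, not only the ones the vendor first
    names; this list is the scope of the revoke-and-rotate work.
    """
    return sorted({(i.service, i.credential_kind)
                   for i in inventory if i.name == compromised_platform})


if __name__ == "__main__":
    for row in audit(INVENTORY, TODAY):
        print(*row, sep=" | ")
    print("rotate after compromise of chat-agent:",
          incident_rotation_plan(INVENTORY, "chat-agent"))
```

The audit treats an integration with no approved scope set as a finding in its own right: the incident's lesson that scope is "often far wider than initially assessed" applies just as much to an organization's own inventory as to a vendor's disclosure.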