
Hold on to your hats, folks! A recent security snafu involving Salesloft and Drift has the tech world buzzing. Turns out, a data theft campaign initially targeting Salesforce integrations has broader implications, potentially compromising Google Workspace accounts and other linked systems. It’s a wild ride, so buckle up!
The Lowdown on the Salesloft/Drift Debacle
Google's Threat Intelligence Group (GTIG) dropped a bombshell, warning of a large-scale data theft campaign by the criminal group UNC6395. Initially, the attacks appeared to affect Salesforce instances connected to Salesloft Drift. However, new analysis shows that other systems connected to Salesloft Drift are also at risk. All authentication tokens associated with the Drift platform must be considered compromised. Between August 8 and at least August 18, 2025, members of UNC6395 systematically copied large amounts of data from Salesforce instances of companies. To do so, they gained access using compromised OAuth tokens originating from the AI platform Salesloft Drift.
The Expanding Scope: It's Not Just Salesforce Anymore
What started as a targeted assault on Salesloft has ballooned into a widespread campaign, where hackers impersonated legitimate users to siphon data from third-party platforms. According to reports, the attackers used the stolen credentials to access not just CRM data but also email contents, expanding the scope beyond what was initially disclosed. The scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.
How Did They Do It? OAuth Token Shenanigans
These threat actors stole OAuth tokens from Salesloft’s Drift, a tool used for sales engagement and customer relationship management. These tokens were then leveraged to infiltrate connected services, including Salesforce instances and, alarmingly, select Google Workspace email accounts. The attackers’ strategy involved compromising Salesloft’s Drift OAuth tokens, which granted them persistent access to integrated apps without needing direct passwords. This allowed unauthorized queries to Salesforce APIs and Workspace inboxes, potentially exposing customer records, emails, and proprietary information.
The Aftermath: What’s Being Done?
Google swiftly revoked all compromised tokens and disabled affected integrations, a move that Salesforce mirrored to contain the damage. Salesloft notified customers who manage their own Drift connections to third-party applications via API keys to revoke these keys and reconnect using new keys.
Lessons Learned: Time for a Security Overhaul
This breach serves as a stark reminder of the perils in third-party integrations. OAuth tokens, while efficient, lack robust revocation mechanisms in many setups, allowing attackers to maintain access post-compromise. To mitigate future risks, experts recommend adopting zero-trust models that verify every access request, regardless of origin. Organizations should audit all connected apps and implement multi-factor authentication more stringently. Google’s advisory stresses treating all Salesloft-linked tokens as compromised and rotating them immediately.
My Two Cents
Let’s be real, this whole situation is a bit of a mess. The fact that a breach in one platform can cascade into others highlights the interconnectedness—and potential vulnerabilities—of modern cloud ecosystems. I think the industry needs to take a long, hard look at OAuth security and implement more robust safeguards. Otherwise, we’re just playing whack-a-mole with these breaches.
Wrapping Up: Stay Vigilant, Folks!
So, there you have it. The Salesloft/Drift data theft campaign is a wake-up call for anyone relying on cloud integrations. Keep those security protocols tight, stay informed, and maybe double-check those third-party connections. After all, in the world of cybersecurity, paranoia is just good sense. Stay safe out there!