Google Uncovers Massive Salesloft Drift Security Breach Shaking Salesforce Ecosystem

Listen to this Post

Featured Image

Introduction

Cybersecurity threats are evolving at an alarming pace, and the latest revelation from Google proves just how deeply attackers can infiltrate trusted platforms. In a shocking update, Google has confirmed that the recent wave of attacks linked to Salesloft Drift integrations is far broader than initially believed. What started as a suspected breach targeting limited Salesforce instances has now escalated into a full-blown crisis, with potential consequences for countless businesses relying on these integrations.

The Full Story of the Breach

Google, in partnership with Mandiant, revealed that attackers exploited vulnerabilities in Salesloft Drift integrations, leading to the theft of OAuth tokens. These tokens are crucial keys that grant applications secure access without repeatedly requiring login credentials — meaning once stolen, they can unlock sensitive systems with ease.

The scope of this attack is massive:

All Salesloft Drift customers are affected. Google strongly advises treating every authentication token tied to Drift as compromised.
OAuth tokens were abused to infiltrate Google Workspace accounts. On August 9, 2025, attackers gained access to a small number of Workspace email accounts linked to Drift’s email integration. Importantly, Google stressed this was not a breach of Workspace itself but limited to customers who had integrated Drift.
Google acted swiftly. Affected users were notified, OAuth tokens were revoked, and integration between Workspace and Drift was disabled while investigations continue.
The attacker group, UNC6395, is behind the campaign. Between August 8–18, they targeted Salesforce instances, exploiting stolen OAuth tokens to carry out opportunistic data theft.
Salesloft’s counteraction. In response, Salesforce disabled Drift integrations across Salesforce, Slack, and Pardot. Salesloft clarified that no malicious activity had been detected within their integrations so far, but as a precaution, Salesforce temporarily disabled all Salesloft integrations.

Google and Mandiant’s warning underscores a chilling truth: attackers are no longer just breaching single applications — they are exploiting the interconnected nature of enterprise platforms to maximize damage.

What Undercode Say:

The Salesloft Drift breach highlights a new era of cybersecurity risks where trust chains between integrated platforms become weak points. Let’s break down the core takeaways and deeper implications:

OAuth Tokens Are the New Goldmine

Stolen tokens act like permanent backstage passes. Unlike stolen passwords, tokens often don’t expire immediately, giving attackers prolonged access. This incident proves that OAuth token theft is becoming one of the most dangerous threats in enterprise IT.

Why Salesforce Was Targeted

Salesforce is a treasure trove of customer data — from leads and sales pipelines to communication logs. By hijacking Drift integrations, attackers gained indirect access, bypassing direct Salesforce defenses. This kind of integration exploitation could set a precedent for future attacks.

The Ripple Effect on Businesses

The impact goes beyond Salesforce. With Slack and Pardot integrations temporarily shut down, businesses relying on Salesloft for workflows face disruptions. These outages may lead to lost sales opportunities, delayed communications, and damaged trust with customers.

UNC6395: The Emerging Threat Actor

This cluster of attackers is still being studied, but their precision suggests strong technical expertise. Their opportunistic campaign from August 8–18 shows they’re not just probing — they’re executing calculated, large-scale thefts.

Google’s Swift Containment Measures

Revoking OAuth tokens and disabling integrations was a necessary emergency move. However, this highlights a broader concern: how many other integrations across industries might already be compromised without detection?

Salesloft’s Position

While Salesloft insists no direct malicious activity has been detected in its integrations, the optics are damaging. Even without concrete evidence of further compromise, businesses will now hesitate to fully trust Salesloft’s security assurances.

Lessons for Organizations

Regularly audit third-party integrations.

Rotate and revoke credentials frequently.

Implement stricter monitoring on token activity.

Assume that integration points are high-value targets.

Bigger Picture: Supply Chain Cybersecurity

This attack is part of a growing trend where cybercriminals focus on supply chain vulnerabilities — instead of attacking big platforms head-on, they exploit smaller, integrated services as gateways.

Long-Term Implications

We may soon see regulatory pushback, with governments demanding stricter transparency and compliance from SaaS vendors about integration security. Companies that fail to meet higher standards may face financial and reputational consequences.

✅ Fact Checker Results

Google confirmed attackers stole OAuth tokens through Drift integrations.

The attack did not compromise Google Workspace or Alphabet directly.
Salesforce integrations were disabled as a precaution, not because of confirmed exploitation.

🔮 Prediction

This breach could mark the beginning of widespread token-theft-driven cyberattacks across SaaS ecosystems. In the coming year, we may see:

A surge in attacks exploiting OAuth and API tokens.

More companies disabling third-party integrations until security hardening improves.

Regulatory bodies stepping in to enforce stricter security audits for SaaS vendors.

Businesses that fail to adapt quickly risk becoming the next headline in this growing cybersecurity crisis.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon