Major OAuth Breach Hits Salesloft Drift: Google Warns All Integrations at Risk

A recent cybersecurity incident has sent shockwaves through the sales automation and email integration world. Google has confirmed that the Salesloft Drift OAuth breach is far more widespread than initially believed, affecting multiple integrations—not just Salesforce. Security experts from Google Threat Intelligence Group (GTIG) and Mandiant are urging all users to treat connected authentication tokens as potentially compromised, highlighting the urgent need for credential rotation and system audits.

Overview of the Breach

On August 9, 2025, attackers exploited stolen OAuth tokens to access a limited number of Google Workspace emails via the Drift Email integration. Google clarified that Workspace itself was not compromised, and only accounts linked to Salesloft integrations were at risk. However, GTIG’s latest findings indicate that this breach extends beyond Salesforce, impacting other connected applications as well. Google and Mandiant now advise all Salesloft Drift users to assume any OAuth token connected to the platform could have been compromised.

The threat actor, identified as UNC6395, conducted a large-scale data exfiltration campaign from August 8–18, 2025. By leveraging OAuth tokens, the attacker systematically accessed Salesforce data, including sensitive corporate information such as AWS access keys (AKIA), Snowflake tokens, and other credentials. Google confirmed that the actor also deleted query jobs to evade detection, a tactic that suggests a high degree of operational sophistication.

Salesloft responded by revoking all Drift–Salesforce connections on August 20, 2025, emphasizing that non-Salesforce users were unaffected. Admins are being asked to re-authenticate integrations, rotate credentials, and review system logs for suspicious activity. Salesforce, working with Salesloft, also revoked tokens, removed the Drift app from AppExchange, and notified affected customers. Despite these measures, the full scale of the breach remains uncertain.

What Undercode Says:

The Salesloft Drift OAuth breach represents a clear example of the risks inherent in third-party integrations within enterprise systems. OAuth tokens are essentially keys that grant applications access to sensitive data. When stolen, these keys allow attackers to bypass traditional authentication methods and access a wealth of information across platforms like Salesforce and Google Workspace. The UNC6395 campaign highlights not just opportunistic hacking but a coordinated effort targeting critical sales automation infrastructure.

Organizations must understand that the breach is not limited to email or Salesforce data; any service integrated via OAuth could potentially be exploited. Immediate remediation steps are essential:

  1. Revoke and rotate all OAuth tokens: Treat every token connected to Salesloft Drift as compromised.
  2. Audit system logs and access patterns: Look for abnormal behavior, deleted query jobs, and unusual API calls.
  3. Assess sensitive credentials: Identify if AWS, Snowflake, or other API keys were accessed or exfiltrated.
  4. Enhance internal security protocols: Multi-factor authentication, conditional access policies, and least-privilege principles should be enforced rigorously.
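As an added example, not code from the original post or from Salesloft, Google, or Salesforce, the following Python script illustrates steps 2 and 3 above. It parses API-audit log lines in an assumed simplified format (timestamp, user, source IP, user agent, action, object, row count), flags deleted query jobs and unusually large exports, and scans exported record text for AWS access key IDs and labelled secret fields. The log format, the row-count threshold, the sample log lines and the sample records are all constructed for this example; Snowflake tokens have no fixed prefix, so the script looks for `token=`/`secret=` style fields instead of a token pattern.

```python
import re

# Constructed sample audit log (not real data). Assumed format, one API call per line:
# <timestamp> <user> <source_ip> <user_agent> <action> <object> <rows_returned>
SAMPLE_LOG = """\
2025-08-09T02:11:04Z drift-integration 203.0.113.10 python-requests/2.31 QUERY Case 50000
2025-08-09T02:11:30Z drift-integration 203.0.113.10 python-requests/2.31 QUERY Account 120000
2025-08-09T02:12:01Z drift-integration 203.0.113.10 python-requests/2.31 DELETE_JOB BulkQueryJob 0
2025-08-09T09:15:44Z alice@example.com 198.51.100.7 Mozilla/5.0 QUERY Contact 25
2025-08-09T09:16:02Z alice@example.com 198.51.100.7 Mozilla/5.0 UPDATE Contact 1
"""

# Constructed sample records exported from the CRM, as (record id, free-text field).
# AKIAIOSFODNN7EXAMPLE is the AWS documentation example key, not a live credential.
SAMPLE_RECORDS = [
    ("Case-0001", "Customer pasted AKIAIOSFODNN7EXAMPLE in the ticket body"),
    ("Case-0002", "snowflake_token=eyJconstructedExampleValue"),
    ("Case-0003", "Thanks, resolved."),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<ua>\S+) "
    r"(?P<action>\S+) (?P<obj>\S+) (?P<rows>\d+)$"
)

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) + 16 chars.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Generic "name=value" secret fields; catches snowflake_token=..., api_key=..., etc.
SECRET_FIELD_RE = re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*\S+")


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["rows"] = int(event["rows"])
            events.append(event)
    return events


def find_suspicious(events, row_threshold=10000):
    """Step 2: flag deleted query jobs (evasion) and bulk exports above the threshold.

    Returns a list of (finding_type, user, timestamp) tuples in log order.
    """
    findings = []
    for e in events:
        if e["action"] == "DELETE_JOB":
            findings.append(("job_deleted", e["user"], e["ts"]))
        if e["action"] == "QUERY" and e["rows"] >= row_threshold:
            findings.append(("bulk_export", e["user"], e["ts"]))
    return findings


def scan_for_credentials(records):
    """Step 3: find credentials stored in exported record text so they can be rotated.

    Returns a list of (record_id, finding_type, matched_text) tuples.
    """
    hits = []
    for rec_id, text in records:
        for m in AWS_KEY_RE.finditer(text):
            hits.append((rec_id, "aws_access_key_id", m.group()))
        for m in SECRET_FIELD_RE.finditer(text):
            hits.append((rec_id, "secret_field", m.group()))
    return hits


def rows_exported_per_user(events):
    """Aggregate rows returned by QUERY calls per user, to spot accounts that pulled far more than usual."""
    totals = {}
    for e in events:
        if e["action"] == "QUERY":
            totals[e["user"]] = totals.get(e["user"], 0) + e["rows"]
    return totals


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in find_suspicious(events):
        print("SUSPICIOUS:", finding)
    for user, total in rows_exported_per_user(events).items():
        print(f"rows exported by {user}: {total}")
    for hit in scan_for_credentials(SAMPLE_RECORDS):
        print("CREDENTIAL TO ROTATE:", hit)
```

Every credential the scanner reports should be rotated at its issuer (AWS, Snowflake, etc.) regardless of whether the audit log shows it being read, since the attacker deleted query jobs and the log may be incomplete. The row threshold is a placeholder; tune it to the integration's normal daily volume.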

This incident underscores the importance of vendor risk management. Businesses increasingly rely on third-party SaaS platforms for automation, but integration points are often weak links. The ability of UNC6395 to move laterally and extract sensitive credentials demonstrates a concerning escalation in cyberattack sophistication, emphasizing that robust monitoring, timely token revocation, and rapid response planning are now critical components of cybersecurity strategy.

Organizations should also consider continuous OAuth monitoring solutions and anomaly detection tools. Even a small breach can cascade into massive exposure when attackers gain access to interconnected enterprise systems. It’s also a reminder that transparency and timely communication from vendors are critical for mitigating damage—Google and Salesloft’s proactive notifications are examples of best practices.

🔍 Fact Checker Results:

✅ Google confirmed OAuth breach impacted multiple integrations, not just Salesforce.
✅ Only accounts linked to Salesloft integrations were at risk; Workspace itself was not compromised.
❌ Claims that all Google Workspace accounts were accessed are incorrect—scope was limited.

📊 Prediction:

This breach will likely trigger stricter security protocols across enterprise SaaS platforms, particularly regarding OAuth token management. Companies may implement automated token rotation, granular access controls, and more frequent audits of third-party integrations. We can expect accelerated adoption of Zero Trust security frameworks to mitigate risks from OAuth token theft and prevent similar campaigns in the future.

The Salesloft Drift incident serves as a cautionary tale: as businesses increasingly rely on interconnected applications, every integration is a potential attack vector. Vigilance, rapid response, and continuous monitoring are no longer optional—they are essential.


References:

Reported By: securityaffairs.com
Extra Source Hub:
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI
