US EditionGoogle Warns that Mass Data Theft Hitting Salesloft AI Agent Has Grown Bigger
Threat actor UNC6395 exploited OAuth tokens from Salesloft Drift to exfiltrate data from over 700 Salesforce instances and some Google Workspace accounts, prompting token revocations and security advisories.
- On August 29, 2025, Google disclosed that a cyberattack on Salesloft's Drift AI agent compromised OAuth tokens across multiple integrations, including Salesforce and Google Workspace.
- The attack began around August 8 and lasted about ten days, with threat actor UNC6395 stealing tokens through Salesloft Drift and accessing Salesforce data and some Google Workspace emails.
- Salesloft confirmed the breach on August 25, revoked all Drift-linked OAuth tokens by August 20, pulled Drift from AppExchange, and advised customers to treat all related tokens as compromised.
- Austin Larsen of GTIG said over 700 organizations might be impacted, while Cory Michal and Pingree highlighted the attack's operational discipline and automation enabling large-scale data exfiltration.
- Google disabled the Drift integration, revoked tokens, notified affected users, urged credential rotation and audits, and warned that stolen credentials could fuel future supply-chain or ransomware attacks.
15 Articles
15 Articles
Google warns that mass data theft hitting Salesloft AI agent has grown bigger
Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. In response, Google has revoked the tokens that were used in the breaches and disabled integration between the Salesloft Drift agent and all Workspace accounts as it investigates further. The c…
Salesloft Drift Breach: Hackers Steal OAuth Tokens from Salesforce, Google, AWS
In the rapidly evolving world of cybersecurity, a recent breach involving Salesloft’s Drift platform has sent shockwaves through the tech industry, exposing vulnerabilities in interconnected cloud services. Google has issued warnings that the attack, initially thought to target Salesforce integrations, may have broader implications, potentially compromising Google Workspace accounts and other linked systems. This incident underscores the risks o…
Salesloft Drift Breach Hits All Integrations - Cybernoz - Cybersecurity News
Google: Salesloft Drift breach hits all integrations Pierluigi Paganini August 29, 2025 Google warns that Salesloft Drift OAuth breach affects all integrations, not just Salesforce. All tokens should be treated as compromised. Google disclosed that the Salesloft Drift OAuth breach is broader than Salesforce, affecting all integrations. GTIG and Mandiant advise all customers to treat connected tokens as compromised. Attackers used…
Google Warns Salesloft OAuth Breach Extends Beyond Salesforce, Impacting All Integrations
Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and
Coverage Details
Bias Distribution
- 100% of the sources are Center
Factuality
To view factuality data please Upgrade to Premium
