Google Alerts Users: Salesloft Data Breach Affects Certain Workspace Accounts
Google has confirmed that the recent breach involving Salesloft Drift is more extensive than initially reported. Attackers exploited stolen OAuth tokens not only to access Salesforce instances but also to infiltrate a limited number of Google Workspace email accounts linked to the Drift platform. Google Threat Intelligence Group (GTIG) has warned that the scope of this compromise extends beyond the Salesforce integration and urges all Salesloft Drift customers to treat any authentication tokens associated with the platform as potentially compromised. The campaign, tracked as UNC6395, was first disclosed on August 26. That disclosure revealed that attackers executed queries against Salesforce objects, allowing them to extract sensitive information such as AWS access keys and passwords, which could facilitate further breaches.
In an update, Google confirmed that the breach also involved OAuth tokens for the “Drift Email” integration, which were used to access a small number of Google Workspace accounts on August 9. Google reassured users that no other accounts within those domains were affected and that there was no compromise of Google Workspace or Alphabet itself. Following the incident, the stolen tokens have been revoked, and the integration between Salesloft Drift Email and Google Workspace has been disabled pending further investigation. Google has advised organisations using Drift to revoke and rotate credentials for all connected applications and to scrutinise their systems for any signs of unauthorised access. Salesloft has also updated its advisory, stating that Salesforce has disabled Drift integrations with Salesforce, Slack, and Pardot while the investigation continues.