Google Warns Salesloft OAuth Breach Extends Beyond Salesforce, Impacting All Integrations
Briefly

Attackers leveraged compromised OAuth tokens associated with Salesloft Drift to access Salesforce instances and, in a small number of cases, Google Workspace email accounts configured with the "Drift Email" integration on August 9, 2025. All Salesloft Drift integrations and stored authentication tokens should be treated as potentially compromised. Google revoked affected OAuth tokens, disabled the Google Workspace–Salesloft Drift integration, and notified impacted users. Organizations are urged to review all third-party integrations connected to Drift, revoke and rotate credentials, and investigate connected systems for unauthorized access. The activity cluster UNC6395 is linked to the campaign observed from August 8–18, 2025.
"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and Mandiant said in an updated advisory.
Following the discovery, Google said it notified impacted users, revoked the specific OAuth tokens granted to the "Drift Email" application, and disabled the integration functionality between Google Workspace and Salesloft Drift amid an ongoing investigation into the incident. The company is also urging organizations using Salesloft Drift to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
The broadening of the attack radius comes shortly after Google exposed what it described as a widespread and opportunistic data theft campaign that allowed the threat actors, an emerging activity cluster dubbed UNC6395, to leverage compromised OAuth tokens associated with Salesloft Drift to target Salesforce instances from August 8 to 18, 2025.
Read at The Hacker News