Digital Event Horizon
Google has warned that the breach of Salesloft Drift's AI-powered chat agent is bigger than initially thought and has compromised Google Workspace credentials. The attack group UNC6395 used compromised OAuth tokens to gain access to Salesforce instances, where it accessed sensitive data and searched for credentials to other services. As a result, Google has disabled the Drift integration with all Workspace accounts and advised organizations to review their third-party integrations and revoke compromised credentials.
Salesloft Drift, an AI-powered chat agent, has been hit by a major breach. The attack group UNC6395 engaged in a mass data-theft campaign using compromised Drift OAuth tokens to gain access to Salesforce instances. Google has revoked the tokens and disabled the Drift integration with Workspace accounts as it investigates further. Organizations are advised to review third-party integrations, revoke credentials, and investigate connected systems for signs of unauthorized access. The breach's scope is broader than initially thought and affects integrations beyond Salesforce. Customers should treat all authentication tokens stored in or connected to the Drift platform as potentially compromised.
Salesloft Drift, an AI-powered chat agent that enables real-time interactions with potential customers, has been hit by a major breach. According to Google, the attack group UNC6395 engaged in a mass data-theft campaign using compromised Drift OAuth tokens to gain access to Salesforce instances. The theft spree began no later than August 8 and lasted through at least August 18.
In response to the discovery, Google has revoked the tokens that were used in the breaches and disabled integration between the Salesloft Drift agent and all Workspace accounts as it investigates further. Additionally, Google has notified all affected account holders of the compromise. The company's Thursday update means that the incident likely hasn't been fully contained.
"We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access," the update stated. It went on to say that Salesloft has now retained the Google-owned Mandiant incident response service to investigate the breach.
The discovery, reported Thursday in an advisory update, indicates that the Salesloft Drift breach reported on Tuesday is broader than previously known. Prior to the update, members of the Google Threat Intelligence Group (GTIG) said the compromised tokens were limited to Salesloft Drift integrations with Salesforce. However, the compromise of the Workspace accounts prompted Google to change that assessment.
"Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations," Thursday's update stated. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised."
To streamline the sales process, Drift can integrate with a variety of other services, including Salesforce (no relation to Salesloft) and other customer relationship management platforms, Slack, and Google Workspace.
Google on Tuesday said that an attack group it tracks as UNC6395 had engaged in a mass data-theft campaign that used compromised Drift OAuth tokens to gain access to Salesforce instances. Once inside, the attackers accessed sensitive data stored in the Salesforce accounts and searched them for credentials that could be used to access accounts on services such as AWS and Snowflake.
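Because the attackers searched Salesforce data for credentials to services such as AWS and Snowflake, a defender can run a similar search over their own exported records to decide which secrets need rotation. The following is an added example, not code from Google's advisory or from the original article; the record layout, field names and regular expressions are assumptions, and the sample records are constructed.

```python
import hashlib
import re

# Assumed patterns for this example (not taken from the advisory).
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret|token)\s*[:=]\s*(\S{6,})", re.I),
}

# Constructed sample rows, shaped like a CSV export of support-case records.
SAMPLE_RECORDS = [
    {"Id": "CASE-0001", "Description": "Customer cannot log in after reset."},
    {"Id": "CASE-0002", "Description": "Use key AKIAIOSFODNN7EXAMPLE for the upload job."},
    {"Id": "CASE-0003", "Description": "Warehouse is acme-xy12345.snowflakecomputing.com, "
                                       "password: Hunter2Hunter2!"},
]

def fingerprint(value):
    """Short SHA-256 prefix: lets findings be tracked without copying the secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def scan_records(records, text_fields=("Description",)):
    """Return one finding per secret-like match in the given free-text fields."""
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    # Use the captured secret if the pattern has a group, else the whole match.
                    value = m.group(m.lastindex or 0)
                    findings.append({"record": rec["Id"], "field": field,
                                     "kind": kind, "fingerprint": fingerprint(value)})
    return findings

def rotation_list(findings):
    """Group findings by credential type, listing the records that expose each."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["kind"], set()).add(f["record"])
    return {kind: sorted(ids) for kind, ids in grouped.items()}

if __name__ == "__main__":
    for kind, ids in rotation_list(scan_records(SAMPLE_RECORDS)).items():
        print(f"{kind}: rotate credentials referenced in {', '.join(ids)}")
```

Findings carry only a fingerprint of each match, so the report itself does not become another place where secrets are stored.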
Salesloft acquired the Drift platform 18 months ago, and since then, it has enabled the integration of AI-powered chat agents with other business applications. However, the discovery by Google highlights the potential risks associated with these integrations.
The incident underscores the importance of robust security measures when integrating third-party services into a company's operations. It also highlights the need for companies to regularly review and update their authentication tokens and credentials to prevent similar breaches in the future.
In conclusion, the Salesloft Drift breach is a stark reminder of the importance of cybersecurity and the potential risks associated with integrating third-party services into a company's operations. As companies continue to expand their use of AI-powered chat agents and other business applications, it is essential that they prioritize security and take proactive measures to protect themselves against such breaches.
Related Information:
https://www.digitaleventhorizon.com/articles/Google-Warns-of-Wider-Salesloft-Drift-AI-Chat-Agent-Breach-Compromising-Workspace-Credentials-deh.shtml
https://arstechnica.com/security/2025/08/google-warns-that-mass-data-theft-hitting-salesloft-ai-agent-has-grown-bigger/
https://thehackernews.com/2025/08/google-warns-salesloft-oauth-breach.html
Published: Fri Aug 29 08:23:17 2025 by llama3.2 3B Q4_K_M