Google: Salesloft Drift breach bigger than expected
Google and Mandiant warned that the recent Salesloft Drift OAuth breach is broader than first thought, affecting all Drift integrations, not just Salesforce. Attackers stole OAuth tokens and, in some cases, accessed Salesforce data and even a small number of Google Workspace mailboxes tied specifically to Drift’s email integration. Google revoked affected tokens and disabled its Drift integration, urging organisations to review connected apps, revoke/rotate credentials, and hunt for suspicious access.
Multiple companies disclosed impact: Zscaler (customer contact details and some support-case text), Palo Alto Networks (business contact and CRM case data), plus confirmations from Cloudflare, PagerDuty, SpyCloud, and Tanium. Cloudflare said it found and rotated 104 exposed API tokens. Okta blocked an attempt thanks to IP allowlisting and DPoP. Google tracks the actor as UNC6395; activity dates cluster around 8–18 August 2025.
Google has waved a rather large red flag over the Salesloft Drift OAuth incident, saying it reaches beyond Salesforce and may touch any integration connected to Drift. In short: if you’ve granted Drift access, treat those tokens as if someone’s had a rummage.
What actually happened?
Attackers pinched OAuth tokens tied to the Drift platform. Using those, they could peek into connected systems—primarily Salesforce, but in a few cases Google says Workspace email was accessed where the Drift email integration was in play. Google’s response was swift: revoke tokens, disable the integration, notify impacted users.
Who’s put their hand up?
A growing list of firms has confirmed some exposure, including Zscaler and Palo Alto Networks (CRM/contact data and support-case info). Cloudflare rotated 104 API tokens found in the mix; PagerDuty, SpyCloud, and Tanium also reported impact. Okta says its defences held thanks to IP allowlisting and DPoP—a good advert for layered controls.
Why you should care
OAuth tokens are the keys to your SaaS kingdom. Once lifted, they can be replayed to access data until you revoke and rotate them. This campaign—tracked as UNC6395—shows how one weak link in the integration chain can open several doors.
What to do now (practical steps)
• Audit Drift integrations: list every connected app, environment, and account.
• Revoke & rotate: kill existing Drift grants and rotate any related API tokens/keys.
• Hunt for misuse: check Salesforce objects (Account/Contact/Case/Opportunity) and mailboxes tied to Drift for unusual access, downloads, and token usage.
• Tighten ingress: enforce IP allowlists and consider DPoP/mTLS where available.
• Monitor continuously: set detections for OAuth grant creation, token abuse, and large CRM exports.