API Security Blog

Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce

Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations.

"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and Mandiant said in an updated advisory.

The tech giant said the attackers also used stolen OAuth tokens to access email from a small number of Google Workspace email accounts on August 9, 2025, after compromising the OAuth tokens for the "Drift Email" integration. It's worth noting that this is not a compromise of Google Workspace or Alphabet itself.

"The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer's Workspace domain," Google added.

Following the discovery, Google said it notified impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift amid ongoing investigation into the incident.

The company is also urging organizations using Salesloft Drift to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for…
