Saturday, September 6, 2025

Google warns Salesloft breach impacted some Workspace accounts


Google now reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts in addition to stealing data from Salesforce instances.

“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” warns Google.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”

The campaign, tracked by Google Threat Intelligence (Mandiant) as UNC6395, was first disclosed on August 26 after attackers stole OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce. The threat actors used these tokens to gain access to customer Salesforce instances, where they executed queries against Salesforce objects, including the Cases, Accounts, Users, and Opportunities tables.

This data allowed the attackers to scan customer support tickets and messages for sensitive information, such as AWS access keys, Snowflake tokens, and passwords that could be used to breach further cloud accounts, likely for future extortion.

In an update published today, Google confirmed that the compromise was more significant than initially believed and not limited to Salesforce integrations.

The investigation revealed that OAuth tokens for the “Drift Email” integration were also compromised, and on August 9, the threat actors used them to access the email of a “very small number” of Google Workspace accounts that were directly integrated with Drift.

Google emphasized that no other accounts in those domains were impacted and that there was no compromise of Google Workspace or Alphabet itself.

The stolen tokens have since been revoked, and customers have been notified. Google also disabled the integration between Salesloft Drift Email and Google Workspace while they investigate the breach.

Google is now urging all organizations using Drift to treat every authentication token stored in or connected to the platform as compromised. This warning advises customers to revoke and rotate credentials for those applications and investigate all connected systems for signs of unauthorized access.

The company also recommends reviewing all third-party integrations connected to Drift instances, searching for exposed secrets, and resetting any found credentials in case they’ve been compromised.

Salesloft also updated its advisory on August 28, stating that Salesforce has disabled Drift integrations with Salesforce, Slack, and Pardot until an investigation is completed.

The company has now engaged Mandiant and Coalition to assist with this investigation.
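
One way to carry out the exposed-secrets search recommended above, as an added example that is not from Google, Salesloft or the original article: a Python scan of exported support-case text for the credential types the attackers looked for. The record layout, case IDs, keyword rules and sample values are assumptions constructed for the illustration.

```python
import re

# Rules: the AKIA/ASIA + 16 character form is the AWS access key ID format;
# the keyword rules are heuristics assumed for this example and will need tuning.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\b\s*(?:is|[:=])\s*(\S{6,})"),
    "token_or_secret_assignment": re.compile(
        r"(?i)\b[a-z_]*(?:token|secret|api[_-]?key)\b\s*[:=]\s*(\S{12,})"),
}

# Constructed sample records, shaped like rows of an exported Case report.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Subject": "S3 upload failing",
     "Description": "Our key AKIAIOSFODNN7EXAMPLE stopped working yesterday."},
    {"Id": "CASE-0002", "Subject": "Cannot log in",
     "Description": "The admin password is Winter2025!demo and it is rejected."},
    {"Id": "CASE-0003", "Subject": "Warehouse sync",
     "Description": "Connector config: SNOWFLAKE_TOKEN=constructed-sample-value-0001"},
    {"Id": "CASE-0004", "Subject": "Billing question",
     "Description": "Please resend the invoice; my password is not the problem."},
]

def redact(value, keep=4):
    """Keep a short prefix so the owner can identify the secret; mask the rest."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_cases(cases, fields=("Subject", "Description")):
    """Return one finding per match: case id, field, rule name, redacted value."""
    findings = []
    for case in cases:
        for field in fields:
            text = case.get(field) or ""
            for rule, pattern in RULES.items():
                for m in pattern.finditer(text):
                    # Rules with a capture group report only the secret itself.
                    secret = m.group(m.lastindex or 0)
                    findings.append({"case": case["Id"], "field": field,
                                     "rule": rule, "match": redact(secret)})
    return findings

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f['case']}  {f['field']:<12} {f['rule']:<28} {f['match']}")
```

Findings are redacted so the scan output does not itself become a second copy of the secrets; each hit identifies a credential to rotate at its issuer.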
