The recent widespread data theft campaign that hit many Salesforce customers through their Salesloft Drift integration also impacted organizations using Google Workspace, Google Threat Intelligence Group (GTIG) says.
Carried out between August 8 and August 18, 2025, the campaign relied on compromised OAuth tokens for the third-party AI chatbot Salesloft Drift to export large amounts of data from corporate Salesforce instances, likely for credential harvesting, GTIG warned on August 26.
The attackers were seen searching for AWS access keys, passwords, Snowflake-related access tokens, and other sensitive information. GTIG attributed the campaign to a threat actor tracked as UNC6395.
In an August 28 update, GTIG revealed that the campaign has a broader impact than initially believed, and that Google Workspace customers were affected as well.
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the ‘Drift Email’ integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts,” GTIG says.
According to Google’s threat intelligence unit, only Workspace accounts specifically configured to integrate with Salesloft were affected, as the attackers could not access any other accounts on the affected customers’ Workspace domains.
Immediately after identifying impact from the campaign, Google revoked the OAuth tokens for the Drift Email application and disabled the Workspace integration with Salesloft Drift.
“We’re notifying all impacted Google Workspace administrators. To be clear, there was no compromise of Google Workspace or Alphabet itself,” GTIG notes.
According to Google, all organizations that use Drift should review their third-party integrations, rotate credentials, and search the connected systems for indicators of compromise.
“The scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” GTIG says.
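One way to prioritize the credential rotation advised above, as an added example that is not from GTIG or Salesloft: scan exported CRM text for the secret types the actor was seen searching for, and build a worklist of affected records. The regex patterns, field names and sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns are assumptions chosen for this example, not vendor-published IOCs.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account_host": re.compile(
        r"\b[\w-]+(?:\.[\w-]+)*\.snowflakecomputing\.com\b", re.I),
    "password_in_text": re.compile(
        r"\b(?:password|passwd|pwd)\s*(?:is|[:=])\s*\S+", re.I),
}

# Constructed sample: support-case rows as they might appear in a CRM export.
SAMPLE_CASES = [
    {"Id": "case-001", "Subject": "S3 sync failing",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE from the deploy box."},
    {"Id": "case-002", "Subject": "Warehouse login",
     "Description": "Host is acme-xy12345.snowflakecomputing.com, password: Hunter2!"},
    {"Id": "case-003", "Subject": "Invoice question",
     "Description": "Please resend the March invoice."},
]

def redact(match_text):
    """Keep a 4-character prefix so the report does not re-expose the secret."""
    return match_text[:4] + "*" * (len(match_text) - 4)

def scan_records(records, fields=("Subject", "Description")):
    """Return one finding per hit: (record id, field, kind, redacted value)."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in DETECTORS.items():
                for m in pattern.finditer(text):
                    findings.append((rec["Id"], field, kind, redact(m.group(0))))
    return findings

def rotation_worklist(findings):
    """Group affected record ids by secret type to drive credential rotation."""
    work = defaultdict(set)
    for rec_id, _field, kind, _value in findings:
        work[kind].add(rec_id)
    return {kind: sorted(ids) for kind, ids in work.items()}

if __name__ == "__main__":
    for kind, ids in rotation_worklist(scan_records(SAMPLE_CASES)).items():
        print(kind, ids)
```

A hit means the credential was sitting in data the integration could read, so it goes on the rotation list regardless of whether misuse has been observed.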
Salesloft, in the meantime, notified customers who manage their own Drift connections to third-party applications via API keys to revoke those keys and reconnect using new keys.
“These actions will need to be taken directly within the third-party provider’s application. You can see a list of your current connected integrations within the Drift Admin settings,” Salesloft said.
The company has shared indicators of compromise (IOCs) to help organizations hunt for intrusions, and announced it has been working with Mandiant and Coalition to investigate and remediate the incident, and to verify the integrity of its platform.
“We’re working with Salesforce and our third-party partners to restore Salesloft integrations as soon as possible,” Salesloft said on Thursday.