Google confirms that the attack on Salesloft Drift compromised OAuth tokens and reached some Workspace accounts
What initially seemed to be a limited attack on specific integrations has turned out to be a larger incident. Google has acknowledged that the security breach affecting Salesloft Drift and Salesforce not only compromised OAuth tokens related to its integrations, but also impacted a small number of Google Workspace accounts, which raises the severity of the case.
From an isolated incident to a broader problem
The first alert arrived on August 26, when Google's intelligence team, Mandiant (GTIG), reported that a group of attackers had stolen OAuth tokens linked to the integration of the Drift AI chat with Salesforce. At that time, everything pointed to an attack aimed at that specific connection.
The cybercriminals, identified by Google under the code name UNC6395, used those tokens to get into the Salesforce instances of several organizations. Once inside, they ran queries against critical tables such as cases, accounts, users and opportunities, which allowed them to review en masse the sensitive information stored in tickets and customer support messages. That data included AWS access keys, Snowflake tokens and passwords that, in the wrong hands, can open the door to new attacks on other cloud platforms.
Google confirms that the attack also reached its own territory
In the update published today, Google has had to acknowledge that the compromise did not stop at Salesforce. According to the data collected, the attackers also managed to steal OAuth tokens associated with the Drift Email integration, and on August 9 they used those credentials to access the email of a "very small number" of Google Workspace accounts connected directly to Drift.
The company insists that the impact was limited and that no other account within the affected domains was compromised. There is also no evidence that Google Workspace or Alphabet's main infrastructure suffered any damage. As an immediate measure, Google has revoked the stolen tokens, notified affected customers and disabled the integration between Drift Email and Google Workspace while it continues to analyze what happened.
Recommendations and preventive measures
Google's message is clear: all organizations that use Drift should consider all authentication tokens stored in or linked to the platform compromised. The recommendation is to revoke and rotate credentials, as well as to audit connected systems to identify possible unauthorized access.
In addition, they advise thoroughly reviewing the third-party integrations that work alongside Drift, checking whether any secrets or credentials are exposed, and resetting them immediately in case of doubt. The objective is to prevent attackers from reusing privileged access to extend the scope of the intrusion.
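The check for exposed secrets described above can be sketched as a scan over exported support-case text. This is an added example, not code from Google, Salesloft or the article, and it reports only redacted matches so the audit output does not leak the secrets again. Assumptions: cases are available as (id, text) pairs, the three patterns are heuristics (no fixed Snowflake token format is assumed), and the sample cases are constructed.

```python
import re

# Heuristic detectors (assumptions of this example, not taken from any advisory).
PATTERNS = {
    # AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 characters.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # "password: value" or "pwd=value" pasted into free text.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    # No fixed Snowflake token format is assumed: flag a long opaque string
    # that appears shortly after the word "snowflake".
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,60}?\b([A-Za-z0-9_.\-]{32,})"),
}

# Constructed sample export: (case id, free-text body). Not real data.
SAMPLE_CASES = [
    ("CASE-0001", "Customer pasted AKIAIOSFODNN7EXAMPLE, please fix the S3 sync."),
    ("CASE-0002", "Login fails. password: Summer2025!x on the staging portal."),
    ("CASE-0003", "Snowflake token for the ETL job: "
                  "EXAMPLE-constructed-token-0123456789abcdef"),
    ("CASE-0004", "Printer on floor 3 is offline again."),
]


def redact(value):
    """Keep a 4-character prefix so the report does not leak the secret again."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases):
    """Return (case_id, kind, redacted_match) for every suspected secret."""
    findings = []
    for case_id, text in cases:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                secret = match.group(match.lastindex or 0)
                findings.append((case_id, kind, redact(secret)))
    return findings


if __name__ == "__main__":
    for case_id, kind, shown in scan_cases(SAMPLE_CASES):
        print(f"{case_id}: rotate {kind} ({shown})")
```

Every hit is a credential to rotate, not just a record to delete, since the case text may already have been read.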
Salesforce and Salesloft also react
Google is not the only one that has had to act. Salesloft updated its official notice on August 28, confirming that Salesforce has chosen to temporarily disable Drift's integrations with Salesforce, Slack and Pardot until the ongoing investigation ends.
Salesloft itself has reinforced its response team with the collaboration of Mandiant and Coalition, two leading firms in the field of cybersecurity. The objective is twofold: to contain possible damage and to assure its clients that it is working thoroughly to prevent something like this from happening.
A reminder of how fragile integrations are
This case highlights one of the great challenges of modern business software: integrations between platforms. Connecting tools saves time and streamlines processes, but it also multiplies the entry points that an attacker can exploit. A single stolen OAuth token can become the master key to critical data in different services.
For now, the direct impact on customers appears contained, but the fact that the breach even reached Google Workspace is a wake-up call. The recommendation for organizations is clear: review, audit, and do not assume third-party integrations are safe without constant oversight.
