Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations.
“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” Google Threat Intelligence Group (GTIG) and Mandiant said in an updated advisory.
The tech giant said the attackers also used stolen OAuth tokens to access email from a small number of Google Workspace email accounts on August 9, 2025, after compromising the OAuth tokens for the “Drift Email” integration. It’s worth noting that this is not a compromise of Google Workspace or Alphabet itself.
“The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain,” Google added.
Following the discovery, Google said it notified impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift amid ongoing investigation into the incident.
The company is also urging organizations using Salesloft Drift to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
The broadening of the attack radius comes shortly after Google exposed what it described as a widespread and opportunistic data theft campaign that allowed the threat actors, an emerging activity cluster dubbed UNC6395, to leverage compromised OAuth tokens associated with Salesloft Drift to target Salesforce instances from August 8 to 18, 2025.
Salesloft has since revealed that Salesforce has temporarily disabled the Drift integration between Salesforce, Slack, and Pardot, only to follow it up nearly three hours later, saying Salesforce has “elected to temporarily disable all Salesloft integrations with Salesforce.”
“Based on the investigation to date, there is no evidence of malicious activity detected in the Salesloft integrations related to the Drift incident,” it noted. “Additionally, at this time, there are no indications that the Salesloft integrations are compromised or at risk.”
