If your company uses Salesloft’s Drift AI chatbot, Google has a serious heads-up for you: It’s time to treat all your security tokens as possibly compromised.
That’s the newest twist in an ongoing security incident that just got a lot messier. What started as a breach affecting some Salesforce integrations is now spilling into a larger pool—impacting not just Salesforce, but also Google Workspace and potentially any third-party tool integrated with Drift.
Let’s break down what happened and why this matters.
What’s Going On?
This past Thursday, Google published an important update through its Threat Intelligence Group (GTIG), expanding its earlier warning about a mass data-theft campaign. It confirmed that attackers didn’t just stop at stealing OAuth tokens linked to Drift’s Salesforce integration.
New evidence suggests these attackers used stolen Drift tokens to access Google Workspace emails too. That’s a major shift. Now, Google is urging all users of Salesloft Drift to assume every authentication token linked to the platform might be compromised.
In plain terms: if you’ve hooked Drift into anything from Gmail to Slack to your CRM—take action immediately.
What Google and Others Are Doing
Google hasn’t waited around. Here’s what they’ve already done:
- Revoked compromised tokens
- Cut off all Drift-Google Workspace integrations for now
- Alerted affected Workspace users
- Recommended revoking and rotating credentials across the board
Salesforce, for its part, already disabled Drift connections with its main cloud platform, Slack, and Pardot earlier in the week.
As for Salesloft? Their official security guidance page hadn’t caught up to Google’s latest findings as of Thursday. It still points to only Drift–Salesforce integrations being affected. No comment yet from the company, though they’ve now brought in Google-owned Mandiant to investigate further.
Who’s Behind This?
Google has attributed the breach to a threat group it tracks as UNC6395. The group reportedly kicked off a mass credential theft campaign around August 8 and continued through August 18.
Here’s how it worked:
- They first compromised Drift OAuth tokens.
- From there, they accessed Salesforce instances.
- Inside Salesforce, they hunted for login details that could be used elsewhere—including services like AWS and Snowflake.
The attack snowballed fast. And now, with Google Workspace officially in the crosshairs, it’s clear this wasn’t a contained incident.
What You Should Do Now
Google is advising everyone using Drift to take immediate action. That includes companies big and small.
Here’s their current guidance:
- Revoke all third-party app tokens connected to Drift
- Rotate credentials for everything tied in
- Audit connected systems for suspicious activity
Even if you’re not sure whether your data was touched, it’s a good time to harden your setup.
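To build a rotation list, it helps to know which secrets were sitting in the CRM data the attackers searched. The sketch below is an added example, not code from Google's or Salesloft's guidance. It scans exported text fields for AWS access key IDs, Snowflake account URLs and inline password assignments. The record layout, sample cases and pattern set are constructed assumptions; the AWS key shown is AWS's documentation placeholder.

```python
import re

# Illustrative patterns only (assumption): extend for the services you use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(
        r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[:=]\s*(\S{6,})"),
}

# Constructed sample export: one dict per CRM record (hypothetical layout).
SAMPLE_RECORDS = [
    {"id": "case-001", "fields": {
        "description": "Customer pasted key AKIAIOSFODNN7EXAMPLE for the S3 job"}},
    {"id": "case-002", "fields": {
        "comment": "Login at https://xy12345.snowflakecomputing.com "
                   "with pwd=Tr0ub4dor-3x"}},
    {"id": "case-003", "fields": {
        "description": "Chat widget not loading on the pricing page"}},
]

def redact(value, keep=4):
    """Keep a short prefix so the finding is recognisable but not reusable."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """Return one finding per secret-shaped match, with the value redacted."""
    findings = []
    for rec in records:
        for field, text in rec["fields"].items():
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    # Use the capture group when the pattern defines one.
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append({"record": rec["id"], "field": field,
                                     "kind": kind, "redacted": redact(secret)})
    return findings

def rotation_worklist(findings):
    """Group findings by credential type: the list of what to rotate."""
    work = {}
    for f in findings:
        work.setdefault(f["kind"], set()).add(f["record"])
    return {kind: sorted(ids) for kind, ids in work.items()}

if __name__ == "__main__":
    for kind, ids in rotation_worklist(scan_records(SAMPLE_RECORDS)).items():
        print(f"{kind}: rotate credentials referenced in {', '.join(ids)}")
```

Findings carry only a redacted prefix, so the scan output can be shared with the teams doing the rotation without spreading the secrets further.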
Why This Matters
Salesloft Drift is designed to make your digital sales flow smoother—real-time chat automation, faster lead engagement, and integrations galore. But convenience shouldn’t come at the cost of security.
The takeaway? Even AI chatbots and automation tools aren’t immune to serious vulnerabilities, especially when they get deeply embedded into your business systems.
We’ll be keeping an eye out for updates as Mandiant digs deeper. Until then, stay cautious—and rotate those keys.
Got Drift connected to your stack? Now’s the time to give your security a checkup.