Ethical Hacking News
Google has warned that a breach of Salesloft's Drift AI chat integration with Salesforce has compromised some Google Workspace accounts, urging all organizations using Drift to treat every authentication token stored in or connected to the platform as compromised. The breach was initially thought to be limited to Salesforce integrations but has since been revealed to impact other areas.
The breach at Salesloft's Drift AI chat integration with Salesforce compromised some Google Workspace accounts. The scope of the compromise, initially thought to be limited, was later found to be more extensive, affecting integrations beyond just Salesforce, including Google's own Drift Email integration. OAuth tokens for the "Drift Email" integration were also compromised, allowing attackers to access a small number of Google Workspace accounts directly integrated with Drift. The stolen OAuth tokens have been revoked, but customers are advised to revoke and rotate credentials for those applications and investigate connected systems for signs of unauthorized access. Salesloft has updated its advisory stating that Salesforce has disabled integrations with Slack, Pardot, and Google Workspace until an investigation is completed.
In a recent update to its threat intelligence, Google revealed that a breach of Salesloft's Drift AI chat integration with Salesforce had compromised some Google Workspace accounts. The breach, which was first disclosed on August 26, involved attackers stealing OAuth tokens for the Drift Email integration and using them to access a small number of Google Workspace email accounts.
The scope of the compromise, initially thought to be limited to Salesforce integrations, has since been revealed to be more extensive. According to an update published by Google today, the breach impacted other integrations beyond just Salesforce, including Google's own Drift Email integration with Google Workspace. This expansion in the affected area was determined through a thorough investigation by Google.
The investigation revealed that OAuth tokens for the "Drift Email" integration were also compromised, and on August 9, threat actors utilized them to access the email of a "very small number" of Google Workspace accounts directly integrated with Drift. It's worth noting that no other accounts in those domains were impacted, and there has been no compromise of Google Workspace or Alphabet itself.
The stolen OAuth tokens have since been revoked, and customers have been notified about the breach. In response to this incident, Google disabled the integration between Salesloft Drift Email and Google Workspace until further investigation is completed.
In light of this new information, Google now advises all organizations using Drift to treat every authentication token stored in or connected to the platform as compromised. This warning urges customers to revoke and rotate credentials for those applications and investigate all connected systems for signs of unauthorized access.
Google also recommends reviewing all third-party integrations associated with Drift instances, searching for exposed secrets, and resetting any credentials found in case they have been compromised. Salesloft updated its advisory on August 28, stating that Salesforce has disabled Drift integrations with Salesforce, Slack, and Pardot until an investigation is completed.
The company has now engaged Mandiant and Coalition to assist with this investigation.
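To act on the advice above to revoke Drift-connected tokens and review integrations, the following added example (not from Google, Salesloft or the original article) lists Workspace users whose OAuth grant to an app named like "Drift" has no later revocation. It assumes token audit events exported in the record shape of the Admin SDK Reports API; the users, client IDs, scopes and timestamps are constructed for illustration.

```python
from datetime import datetime

def rec(time, user, event, app, client_id, scopes=()):
    """Build one constructed record in the assumed token-audit export shape."""
    return {"id": {"time": time}, "actor": {"email": user},
            "events": [{"name": event, "parameters": [
                {"name": "app_name", "value": app},
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": list(scopes)}]}]}

# Constructed sample data: users, client IDs, scopes and times are made up.
GMAIL = "https://mail.google.com/"
CALENDAR = "https://www.googleapis.com/auth/calendar"
SAMPLE = [  # deliberately out of time order, as exports often are
    rec("2025-08-27T16:00:00Z", "bob@example.com", "revoke", "Drift Email", "CLIENT-ID-PLACEHOLDER"),
    rec("2025-06-15T08:30:00Z", "bob@example.com", "authorize", "Drift Email", "CLIENT-ID-PLACEHOLDER", [GMAIL]),
    rec("2025-07-01T09:00:00Z", "alice@example.com", "authorize", "Drift Email", "CLIENT-ID-PLACEHOLDER", [GMAIL]),
    rec("2025-07-02T11:00:00Z", "carol@example.com", "authorize", "Calendar Helper", "OTHER-APP-PLACEHOLDER", [CALENDAR]),
]

def params(event):
    """Flatten the name/value parameter list of one event into a dict."""
    return {p["name"]: p.get("multiValue") or p.get("value") for p in event.get("parameters", [])}

def when(activity):
    """Parse the record timestamp so events can be replayed in order."""
    return datetime.fromisoformat(activity["id"]["time"].replace("Z", "+00:00"))

def active_grants(activities, app_match="drift"):
    """Map (user, client_id) -> scopes for matching grants with no later revoke."""
    grants = {}
    for act in sorted(activities, key=when):
        for ev in act.get("events", []):
            p = params(ev)
            if app_match not in str(p.get("app_name") or "").lower():
                continue  # grant belongs to an unrelated app
            key = (act["actor"]["email"], p.get("client_id"))
            if ev["name"] == "authorize":
                scopes = p.get("scope") or []
                scopes = [scopes] if isinstance(scopes, str) else scopes
                grants.setdefault(key, set()).update(scopes)
            elif ev["name"] == "revoke":
                grants.pop(key, None)  # a later revoke closes the grant
    return {key: sorted(scopes) for key, scopes in grants.items()}

if __name__ == "__main__":
    for (user, client_id), scopes in active_grants(SAMPLE).items():
        print(f"revoke and investigate: {user} client={client_id} scopes={scopes}")
```

Grants that appear in the result are the ones still needing revocation, and the listed scopes indicate which data to review for unauthorized access.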
This incident highlights the importance of regularly monitoring security threats and implementing robust measures to protect sensitive information. It also underscores the interconnectedness of various cloud-based services, making it essential for organizations to maintain a close eye on their third-party integrations.
Related Information:
https://www.ethicalhackingnews.com/articles/Google-Warns-Salesloft-Breach-Impacted-Some-Google-Workspace-Accounts-ehn.shtml
https://www.bleepingcomputer.com/news/security/google-warns-salesloft-breach-impacted-some-workspace-accounts/
Published: Thu Aug 28 18:51:32 2025 by llama3.2 3B Q4_K_M