Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce

By Team-CWD, September 6, 2025

Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” Google Threat Intelligence Group (GTIG) and Mandiant said in an updated advisory.

The tech giant said the attackers also used stolen OAuth tokens to access email from a small number of Google Workspace email accounts on August 9, 2025, after compromising the OAuth tokens for the “Drift Email” integration. It’s worth noting that this is not a compromise of Google Workspace or Alphabet itself.

“The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain,” Google added.

Following the discovery, Google said it notified impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift amid ongoing investigation into the incident.

The company is also urging organizations using Salesloft Drift to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.

The broadening of the attack radius comes shortly after Google exposed what it described as a widespread and opportunistic data theft campaign that allowed the threat actors, an emerging activity cluster dubbed UNC6395, to leverage compromised OAuth tokens associated with Salesloft Drift to target Salesforce instances from August 8 to 18, 2025.

Salesloft has since revealed that Salesforce temporarily disabled the Drift integrations with Salesforce, Slack, and Pardot, then followed up nearly three hours later to say that Salesforce has “elected to temporarily disable all Salesloft integrations with Salesforce.”

“Based on the investigation to date, there is no evidence of malicious activity detected in the Salesloft integrations related to the Drift incident,” it noted. “Additionally, at this time, there are no indications that the Salesloft integrations are compromised or at risk.”

Update

Cybersecurity firm Zscaler has disclosed that it’s the latest victim stemming from the Salesloft Drift breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of some support cases.

The activity is part of a campaign that involves stealing OAuth tokens connected to Salesloft Drift to obtain access to Salesforce instances for information theft. Google has attributed the activity to a cluster codenamed UNC6395.

The information accessed was limited to commonly available business contact details for points of contact and specific Salesforce-related content, including:

  • Names
  • Business email addresses
  • Job titles
  • Phone numbers
  • Regional/location details
  • Zscaler product licensing and commercial information
  • Plain text content from certain support cases [this does NOT include attachments, files, and images]

Zscaler said it has not found any evidence to suggest misuse of this information at this stage, and that it swiftly acted to revoke Salesloft Drift’s access to Zscaler’s Salesforce data and rotate other API access tokens.

In a similar alert, Palo Alto Networks revealed itself to be another victim of the attack campaign leveraging the Salesloft Drift integration to compromise customer Salesforce instances. It also said it’s reaching out to a “limited number of customers” that have potentially more sensitive data exposed.

“Our investigation confirms the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and they remain secure and fully operational,” the company said. “The data involved includes mostly business contact information, internal sales account and basic case data related to our customers.”

Palo Alto Networks Unit 42, which detailed the threat actor’s modus operandi, said its observations indicate mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case and Opportunity records, with the attackers actively scanning the acquired data for credentials to further expand their access.

Other companies that have publicly confirmed the Salesloft Drift breach include Cloudflare, PagerDuty, SpyCloud, and Tanium, underscoring the widening attack radius.

“Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens,” Cloudflare said. “No Cloudflare services or infrastructure were compromised as a result of this breach.”

The web infrastructure company, which is tracking UNC6395 under the name GRUB1, also pointed out that it found among the compromised data set 104 Cloudflare API tokens and that all these tokens have been rotated out of an abundance of caution.

Identity services provider Okta also said it “discovered attempts to use a compromised Salesloft Drift token to access an Okta Salesforce instance” but revealed these efforts were ultimately unsuccessful due to IP allowlisting and securing tokens with Demonstrating Proof-of-Possession (DPoP), which constrains the use of a token to a specific client.

“The single most important control that prevented this breach was our enforcement of inbound IP restrictions,” its security team said, calling the incident a “wake-up call for the entire SaaS industry.”

“The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address. This security layer proved essential, blocking the unauthorized attempt at the front door before any access could be gained.”

“This expanded understanding of the UNC6395 campaign makes one thing clear: comprehensive OAuth token management across every cloud is non-negotiable,” Astrix Security said. “Revoke suspect grants now, monitor continuously for the indicators we provided, and close the lateral movement paths created by chained OAuth abuse and harvested secrets.”

At this stage, any account associated with Salesloft Drift OAuth application access should be assumed to be compromised and have their activities reviewed for any suspicious or abnormal behavior, WideField added.
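Putting the two threads above together (Unit 42's observation of bulk reads of Account, Contact, Case and Opportunity records, and Okta's point that an inbound IP allowlist stopped a stolen token), here is an added example, not code from any of the vendors quoted, of the kind of review a Salesforce admin could run over connected-app activity logs to find Drift-token activity worth investigating and to scope what to assume exposed. The log schema, IP ranges and row threshold are assumptions for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records, not real Salesforce Event Monitoring output.
# Field names, row counts and addresses are assumptions for illustration.
SAMPLE_EVENTS = """
{"ts": "2025-08-09T02:11:04Z", "app": "Salesloft Drift", "ip": "203.0.113.7", "object": "Account", "rows": 48000}
{"ts": "2025-08-09T02:14:31Z", "app": "Salesloft Drift", "ip": "203.0.113.7", "object": "Case", "rows": 12500}
{"ts": "2025-08-09T09:00:12Z", "app": "Salesloft Drift", "ip": "198.51.100.20", "object": "Contact", "rows": 40}
{"ts": "2025-08-09T09:05:00Z", "app": "Internal BI", "ip": "198.51.100.21", "object": "Opportunity", "rows": 70000}
"""

SUSPECT_APP = "Salesloft Drift"
# Assumed inbound allowlist for the integration (the control Okta credits above).
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Objects Unit 42 saw exfiltrated in bulk, and an assumed per-request threshold.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
BULK_ROW_THRESHOLD = 10000


def ip_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCE_NETS)


def triage(events_text: str) -> list[tuple[str, str]]:
    """Flag Drift-token activity a defender should review: requests from outside
    the allowlist, and bulk reads of the objects the campaign targeted."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["app"] != SUSPECT_APP:
            continue  # other connected apps are out of scope for this review
        if not ip_allowed(ev["ip"]):
            findings.append((ev["ts"], f"token used from non-allowlisted IP {ev['ip']}"))
        if ev["object"] in SENSITIVE_OBJECTS and ev["rows"] >= BULK_ROW_THRESHOLD:
            findings.append((ev["ts"], f"bulk read of {ev['rows']} {ev['object']} rows"))
    return findings


def rows_read_by_object(events_text: str) -> Counter:
    """Total rows the Drift app read per object, to scope what must be assumed exposed."""
    totals = Counter()
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["app"] == SUSPECT_APP:
            totals[ev["object"]] += ev["rows"]
    return totals
```

On the constructed sample, the two early-morning requests are flagged twice each (unknown source IP and bulk read), while the small allowlisted Contact read and the unrelated BI app produce no findings.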

(The story was updated after publication on September 2, 2025, with details about companies that have confirmed the breach.)
