Google says an attacker used OAuth tokens for Salesloft Drift to access email in Workspace accounts, and has recommended a revoke-and-investigate approach for anything connected to Drift.

Earlier this week the Google Threat Intelligence Group described how an actor designated UNC6395 had targeted Salesforce accounts via Drift. 

"The actor systematically exported large volumes of data from numerous corporate Salesforce instances," it said. "GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens."

In a Thursday update, the Google group said the threat had not been limited to Salesforce accounts.

"On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the 'Drift Email' integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts."

Access was limited to those accounts integrated with Salesloft Drift.

Google now advises treating all credentials linked to Drift as compromised, revoking credentials and investigating the systems they guarded for possible breach. 

Where Google Workspace accounts were involved, admins should have been directly notified. 

Google has turned off integration with Drift, and Salesforce has likewise disabled it, across Slack and Pardot too.
