The recent widespread data theft campaign that hit hundreds of Salesforce customers through their Salesloft Drift integration also impacted organizations using Google Workspace, Google Threat Intelligence Group (GTIG) says.
Carried out between August 8 and August 18, 2025, the campaign relied on compromised OAuth tokens for the third-party AI chat bot Salesloft Drift to export large amounts of data from corporate Salesforce instances, likely for credential harvesting, GTIG warned on August 26.
The attackers were seen searching for AWS access keys, passwords, Snowflake-related access tokens, and other sensitive information. GTIG attributed the campaign to a threat actor tracked as UNC6395.
In an August 28 update, GTIG revealed that the campaign has a broader impact than originally believed, and that Google Workspace customers have been affected as well.
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the ‘Drift Email’ integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts,” GTIG says.
According to Google’s threat intelligence unit, only Workspace accounts specifically configured to integrate with Salesloft have been affected, as the attackers could not access any other accounts on the affected customers’ Workspace domains.
Immediately after identifying impact from the campaign, Google revoked the OAuth tokens for the Drift Email application and disabled the Workspace integration with Salesloft Drift.
“We are notifying all impacted Google Workspace administrators. To be clear, there has been no compromise of Google Workspace or Alphabet itself,” GTIG notes.
According to Google, all organizations that use Drift should review their third-party integrations, rotate credentials, and search the connected systems for signs of compromise.
“The scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” GTIG says.
Salesloft, in the meantime, notified customers who manage their own Drift connections to third-party applications via API keys to revoke these keys and reconnect using new keys.
“These actions will need to be taken directly within the third-party provider’s application. You can see a list of your current connected integrations within the Drift Admin settings,” Salesloft said.
The company has shared indicators of compromise (IOCs) to help organizations hunt for intrusions, and announced it has been working with Mandiant and Coalition to investigate and remediate the incident, and to verify the integrity of its platform.
“We are working with Salesforce and our third-party partners to restore Salesloft integrations as soon as possible,” Salesloft said on Thursday.