
Unscrupulous activities detected: Salesloft Drift signals implicated in data heist, according to Google's warning

AI-powered Salesloft Drift platform potentially leaves customer data at risk due to an uncovered security loophole, enabling cybercriminals to steal substantial amounts of information, including from Salesforce.

Unscrupulous individuals exploit Salesloft Drift for data misappropriation, according to a warning issued by Google.


In a significant cybersecurity incident, a previously unknown criminal group, UNC6395, has launched a large-scale data theft campaign between August 8 and August 18, 2025. The attacks targeted Salesforce instances, initially linked to the Salesloft Drift integration.

The problem extends beyond Salesloft Drift as all authentication tokens stored or associated with the platform may be compromised. IT administrators are advised to discard the credentials and generate new ones for these integrations.

The attackers gained access using compromised OAuth tokens from the Salesloft Drift AI platform. Access was limited to Workspace accounts that had used the Salesloft Drift integration; other accounts were not reachable this way.

Salesloft, along with Salesforce, revoked the access tokens and temporarily removed the Drift app from the Salesforce AppExchange. Google has also disabled the integration of Salesloft Drift in Google Workspace until investigations are completed. The company has revoked the OAuth tokens that granted access to the Drift Email app.

After exfiltrating data, the attackers searched it for material that would let them compromise victims' environments further, including AWS access keys, passwords, and access tokens with Snowflake references. Administrators should check the connected systems for signs of unauthorized access.

Google provides indicators of compromise (IOCs) for review. Affected Google Workspace admins will be notified by IT security researchers. Last week, GTIG researchers found that OAuth tokens from the "Drift Email" integration were additionally abused by the criminal group to access emails in Google Workspace accounts.

The attacks initially observed in early June involved attackers using telephone calls (Vishing) to convince victims to install malicious "Connected" apps in Salesforce, allowing them to steal data on a larger scale and extort the companies.

Organisations should search their log files for traces of the data exfiltration and review every third-party integration connected to their Salesloft Drift instance, because the attackers' goal is to harvest further credentials.

It is essential to note that the attackers attempted to cover their tracks by deleting their requests, but they did not tamper with the log files. A thorough review of the logs can therefore still identify what was accessed and help mitigate the impact of this data breach.
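As an added example (not part of the original article, and not tooling from Google, Salesloft or Salesforce), the following Python script shows the two checks the article recommends: flagging bulk exports and clean-up deletions by the Drift connected app inside the campaign window in Salesforce-style API log rows, and scanning exported record text for credential-like strings (AWS access key IDs, Snowflake hostnames, inline passwords) so the owners know exactly which secrets to rotate. The log layout, field names, row threshold and every sample row are constructed assumptions; real Salesforce event-log field names differ, and the AWS key shown is the documented example value, not a live key.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample of Salesforce-style API event log rows (assumed layout, not real data).
SAMPLE_LOG = """timestamp,user,connected_app,event,query,rows_processed
2025-08-05T09:12:00Z,alice@example.com,Salesloft Drift,ApiQuery,SELECT Id FROM Case,50
2025-08-10T02:14:07Z,drift-integration@example.com,Salesloft Drift,ApiQuery,SELECT Description FROM Case,250000
2025-08-11T08:45:00Z,alice@example.com,Salesloft Drift,ApiQuery,SELECT Id FROM Contact,40
2025-08-12T03:30:11Z,drift-integration@example.com,Salesloft Drift,ApiQuery,SELECT Email FROM Contact,180000
2025-08-12T03:31:40Z,drift-integration@example.com,Salesloft Drift,JobDelete,,0
2025-08-20T10:00:00Z,bob@example.com,Internal Reporting,ApiQuery,SELECT Id FROM Account,400
"""

# Campaign window from the article; the bulk-row threshold is an assumed tuning value.
CAMPAIGN_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
CAMPAIGN_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)
BULK_ROW_THRESHOLD = 10_000


def flag_suspicious_events(log_text, app_name="Salesloft Drift"):
    """Return log rows inside the campaign window where the named connected app either
    pulled an unusually large number of rows or deleted a job (the clean-up behaviour
    the article describes). Rows outside the window or from other apps are ignored."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if not (CAMPAIGN_START <= ts <= CAMPAIGN_END):
            continue
        if row["connected_app"] != app_name:
            continue
        rows = int(row["rows_processed"] or 0)
        if row["event"] == "JobDelete" or rows >= BULK_ROW_THRESHOLD:
            hits.append({"timestamp": row["timestamp"], "user": row["user"],
                         "event": row["event"], "rows": rows, "query": row["query"]})
    return hits


# Credential-like patterns a defender would inventory in exfiltrated records.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"\b[a-z0-9_-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}

# Constructed sample of exported case text; the AWS value is AWS's public example key.
SAMPLE_RECORDS = [
    ("Case-0001", "Customer cannot log in. Temporary workaround: password=Winter2025! until SSO is fixed."),
    ("Case-0002", "Pipeline job uses key AKIAIOSFODNN7EXAMPLE to read the exports bucket."),
    ("Case-0003", "Warehouse is at https://xy12345.snowflakecomputing.com, ask the data team for access."),
    ("Case-0004", "Printer on floor 3 is jammed again."),
]


def _mask(value):
    """Keep a short prefix so the owner can recognise the secret without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4)


def find_exposed_secrets(records):
    """Scan (record_id, text) pairs and return (record_id, kind, masked_value) for every
    credential-like match, giving a rotation list for the data the attackers took."""
    findings = []
    for rec_id, text in records:
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append((rec_id, kind, _mask(match.group(0))))
    return findings


if __name__ == "__main__":
    for hit in flag_suspicious_events(SAMPLE_LOG):
        print("suspicious:", hit)
    for rec_id, kind, masked in find_exposed_secrets(SAMPLE_RECORDS):
        print(f"rotate: {rec_id} {kind} {masked}")
```

The row threshold and the window are deliberately parameters: in a real review you would widen the window to cover the full token lifetime and tune the threshold against your own baseline of normal Drift traffic, since the article notes the attackers' own deletions do not remove the underlying log entries.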

Stay vigilant and keep your systems secure.
