In August 2025, Salesloft’s Drift chatbot service became the conduit for one of the most significant SaaS supply-chain breaches to date. Drift, acquired by Salesloft in 2024, integrates with customer systems, including Salesforce, Slack, and Google Workspace, via OAuth tokens. Threat actors exploited this integration to steal authentication tokens and gain access to customer environments.
Hundreds of organizations were compromised, including top-tier technology and security vendors like Zscaler and Palo Alto Networks. The incident has also been called a “widespread supply-chain attack spree” against one of the most ubiquitous SaaS integration platforms.
The Salesloft Drift breach demonstrates how a SaaS compromise can escalate into a full-blown incident involving Google Workspace. Attackers leveraged OAuth abuse and token theft to move laterally, targeting sensitive files, mailboxes, and workflows inside Google’s cloud.
For those of us who monitor logs and triage alerts, this isn’t just another headline. It’s a practical demonstration of SaaS attack paths and the operational consequences that occur when trust boundaries are breached.
What Was the Salesloft Drift Breach?
The Salesloft Drift breach is a textbook supply chain attack that exploited trusted integrations to compromise data across multiple platforms, including Salesforce and Google Workspace. Here’s the timeline and mechanics, broken down for clarity:
- March–June 2025: Attackers, tracked as UNC6395 or GRUB1, compromised Salesloft’s GitHub account. Salesloft is a sales engagement platform, and its Drift AI chatbot integrates with Salesforce for CRM automation. The attackers likely used stolen credentials or a phishing campaign to access GitHub repositories, where they created a guest user and downloaded sensitive code.
- June–August 2025: Using this access, attackers pivoted to Drift’s AWS environment, where they harvested OAuth tokens and refresh tokens. These tokens enabled Drift to interact with Salesforce and connect to various platforms, including GWS, Slack, and others.
- August 8–18, 2025: The attackers went active, using stolen tokens to exfiltrate data from over 700 organizations’ Salesforce instances. This included customer data (names, emails, phone numbers, and support case texts), as well as, in some cases, credentials such as AWS keys or Snowflake tokens.
- August 20, 2025: Salesloft and Salesforce caught wind of the breach, revoked all Drift tokens, and disabled the integration on Salesforce’s AppExchange.
- August 26–September 6, 2025: Google’s Threat Intelligence Group (GTIG) and Mandiant confirmed the breach extended to Google Workspace, with a “small number” of email accounts accessed on August 9 via the “Drift Email” integration. Notifications went out, and Drift was temporarily taken offline.
- September 7–14, 2025: Ongoing disclosures revealed the scale, with cybersecurity firms like Cloudflare, Palo Alto Networks, Proofpoint, and Tenable among the victims. No ransomware was reported.
Who Was Affected
The impact is broad. Analysts estimate that over 700 organizations were affected. High-profile names include Cloudflare, Zscaler, Palo Alto Networks, and PagerDuty.
The compromised data lives primarily inside Salesforce. That means customer names, email addresses, job titles, phone numbers, geographic information, and case metadata were exposed. The real risk lies in the support case text, where customers often include credentials, logs, or configuration details. While there is no evidence that core product infrastructure at the affected vendors was breached, the exposure of sensitive customer data cannot be dismissed.
How can it impact Google Workspace?
For GWS users, the breach’s impact was primarily through the Drift Email integration, which utilizes OAuth to access Gmail for sending automated sales emails or syncing CRM data. When attackers stole Drift’s OAuth tokens, they gained unauthorized access to a limited number of GWS email accounts. Here’s the technical breakdown:
- OAuth Token Abuse: OAuth tokens serve as delegated access keys, allowing apps like Drift to read or send emails on your behalf without requiring your password. The stolen tokens enabled attackers to bypass authentication and access Gmail accounts associated with Drift. Google reported that this incident occurred on August 9, 2025, affecting a “small number” of accounts, but the exact number remains undisclosed.
- Data Exposed: Potentially compromised data includes email content, contacts, attachments, and metadata. If users had sensitive communications (e.g., client contracts, financial details), these could now be in the hands of attackers. There’s also a risk of stolen API keys or tokens embedded in emails, which could lead to further breaches in connected systems (e.g., AWS, Azure).
- Ripple Effects: The breach disrupted workflows for organizations relying on Drift for email automation, while revoking tokens required re-authenticating integrations, resulting in downtime. Additionally, the stolen data could be used to fuel targeted phishing campaigns, where attackers impersonate trusted contacts by using real GWS email data.
Diagram: Google Workspace Compromise via Drift
This sequence diagram illustrates how attackers used stolen OAuth tokens to access GWS email accounts and the potential for follow-on attacks.
Technical Implications for GWS Admins
Let’s review the details for administrators and IT professionals. This breach highlights several technical risks in GWS and SaaS ecosystems:
- OAuth Vulnerabilities: OAuth is great for seamless integrations, but terrible if tokens are stolen. Unlike passwords, tokens don’t expire quickly (refresh tokens can last months), and they often have broad scopes (e.g., full email access). The Drift breach shows why least-privilege scopes and short-lived tokens are non-negotiable.
- Supply Chain Weakness: The attack didn’t exploit GWS directly. It came through Salesloft and Drift. Third-party apps are only as secure as their weakest link, and Salesloft’s GitHub compromise was the entry point.
- Detection Gaps: Many organizations didn’t notice the unauthorized access until Google and Mandiant sounded the alarm. GWS audit logs are powerful but often underused, especially by smaller teams without dedicated security staff.
- Hybrid Ecosystem Risks: With Drift connecting GWS to Salesforce, Slack, and other platforms, a single breach can cascade across multiple platforms. This is a growing pain point as businesses mix and match SaaS tools.
What Can You Do? A Technical Playbook
Here’s a step-by-step guide to secure your Google Workspace environment post-breach. I’ve done this myself after similar scares, and it’s worth the effort:
- Audit Connected Apps:
  - Go to myaccount.google.com, then “Security,” then “Third-party apps with account access.”
  - Look for Drift or any unfamiliar apps. Revoke anything you don’t trust. For admins, use the Admin Console (admin.google.com) → “Security” → “API Controls” to review domain-wide delegations.
  - Pro Tip: Export the app list as a CSV file for auditing purposes. Check scopes (e.g., https://mail.google.com/); if they’re overly broad, reconsider the app.
- Rotate Credentials:
  - Change GWS passwords for affected users, even if MFA is enabled.
  - Rotate API keys or tokens in connected platforms (e.g., AWS, Slack) that might have been exposed in emails.
  - Command: Admins can force a password reset via Admin Console → “Users” → “Reset Password.”
- Review Audit Logs:
  - In the Admin Console, go to “Reports” → “Audit and investigation” → “Login” or “Token” logs.
  - Filter for August 8–18, 2025, and look for logins from Tor exit nodes or unfamiliar IPs. Mandiant noted Tor usage by attackers.

  This queries Google Cloud Logging for OAuth activity (replace [YOUR_PROJECT_ID]).
- Tighten OAuth Policies:
  - In Admin Console, go to “Security” → “API Controls” → “Manage Third-Party App Access.”
  - Set policies to restrict unverified apps and limit scopes. For example, block apps requesting full mail.google.com access unless critical.

  OAuth Policy Workflow
- Adopt CISA’s GWS Baselines:
  - CISA recently released Secure Configuration Baselines for GWS (covering Gmail, Drive, Meet, etc.). These include settings like enforcing 2FA, disabling IMAP/POP for external apps, and enabling advanced phishing protection.
  - Download them from CISA’s website and apply via Admin Console → “Security” → “Settings.”
- Prepare for Phishing:
  - Attackers may use stolen email data for spear-phishing. Enable GWS’s “Advanced Protection Program” for high-risk users and train staff to spot suspicious emails.
  - Tool Tip: Use Google’s “Security Checkup” (security.google.com) to flag risky account activity.
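To make the “Audit Connected Apps” and “Tighten OAuth Policies” steps repeatable, here is an added Python example (not code from the article, Salesloft, or Google) that reads a CSV export of third-party app grants and flags the cases the OAuth Vulnerabilities bullet warns about: broad scopes such as https://mail.google.com/, unverified apps, and grants old enough that the refresh token has outlived any reasonable rotation window. The CSV column names, the broad-scope list beyond mail.google.com, the sample rows, and the 90-day threshold are all assumptions made for the example.

```python
"""Review a CSV export of OAuth app grants against a least-privilege policy.

Added example; the column layout below is an assumption, not Google's export format.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Scopes that hand an app a whole mailbox, all of Drive, or directory control.
# https://mail.google.com/ is the scope the article calls out; the others are
# well-known Google scopes with similarly broad reach.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Assumed policy: grants older than this should be re-consented or revoked,
# since the refresh token behind them may still be valid.
MAX_GRANT_AGE = timedelta(days=90)

# Constructed sample export (assumed columns: app, client_id, scopes, granted_at, verified).
SAMPLE_CSV = """app,client_id,scopes,granted_at,verified
Drift Email,111111.apps.googleusercontent.com,https://mail.google.com/ https://www.googleapis.com/auth/userinfo.email,2025-01-15T10:00:00Z,yes
Calendar Helper,222222.apps.googleusercontent.com,https://www.googleapis.com/auth/calendar.readonly,2025-08-01T09:00:00Z,yes
Unknown Sync Tool,333333.apps.googleusercontent.com,https://www.googleapis.com/auth/drive,2025-08-20T09:00:00Z,no
"""


def review_grants(csv_text, now=None):
    """Return one finding per grant: 'ok' or 'revoke/review' plus the reasons."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        scopes = set(row["scopes"].split())
        granted = datetime.fromisoformat(row["granted_at"].replace("Z", "+00:00"))
        reasons = []

        broad = scopes & BROAD_SCOPES
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if row["verified"].strip().lower() != "yes":
            reasons.append("unverified app")
        if now - granted > MAX_GRANT_AGE:
            reasons.append(f"grant older than {MAX_GRANT_AGE.days} days")

        findings.append({
            "app": row["app"],
            "client_id": row["client_id"],
            "action": "revoke/review" if reasons else "ok",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in review_grants(SAMPLE_CSV):
        print(f"{f['action']:14} {f['app']:20} {'; '.join(f['reasons']) or '-'}")
```

Run it against your own export after renaming the columns to match; anything marked `revoke/review` is a candidate for the Admin Console revocation step above, and the broad-scope check is the part worth keeping as a standing control rather than a one-off.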
The Bigger Picture: Supply Chains Are the New Frontier
This breach isn’t just about Drift or GWS; it’s about the supply chain. Every app you connect to your Google Workspace is a potential door for attackers. The fact that Salesloft’s GitHub was the entry point shows how far upstream these attacks can start. And with 2025 bringing AI-powered threats (like deepfake phishing or automated token abuse), the stakes are higher than ever. I’ve been burned by misconfigured integrations before, and it’s a humbling experience to realize your “secure” setup isn’t bulletproof.
Final Thoughts
The Salesloft Drift breach is a wake-up call for anyone using Google Workspace or other SaaS productivity suites. It’s not about pointing fingers at Salesloft or Drift; it’s about recognizing that our interconnected tech world is only as strong as its weakest link. Take an hour this week to audit your GWS settings, tighten your OAuth policies, and talk to your team about third-party risks. It’s not sexy work, but it’s the kind of proactive step that saves headaches (and data) down the line.
The Drift breach is not the first SaaS supply-chain compromise, and it will not be the last. Attackers are increasingly shifting away from brute force or exploit chains and toward abusing trusted integrations. These apps often fly under the radar, despite being granted broad access with minimal monitoring.
For defenders, the message is clear. Every third-party integration represents an extension of your attack surface. If you do not monitor how it is used, someone else eventually will.
IOCs
The following indicators have been associated with this incident:
| Indicator Value | Description |
|---|---|
| Salesforce-Multi-Org-Fetcher/1.0 | Malicious User-Agent string |
| Salesforce-CLI/1.0 | Malicious User-Agent string |
| python-requests/2.32.4 | User-Agent string |
| Python/3.11 aiohttp/3.12.15 | User-Agent string |
| 208.68.36.90 | DigitalOcean |
| 44.215.108.109 | Amazon Web Services |
| 154.41.95.2 | Tor exit node |
| 176.65.149.100 | Tor exit node |
| 179.43.159.198 | Tor exit node |
| 185.130.47.58 | Tor exit node |
| 185.207.107.130 | Tor exit node |
| 185.220.101.133 | Tor exit node |
| 185.220.101.143 | Tor exit node |
| 185.220.101.164 | Tor exit node |
| 185.220.101.167 | Tor exit node |
| 185.220.101.169 | Tor exit node |
| 185.220.101.180 | Tor exit node |
| 185.220.101.185 | Tor exit node |
| 185.220.101.33 | Tor exit node |
| 192.42.116.179 | Tor exit node |
| 192.42.116.20 | Tor exit node |
| 194.15.36.117 | Tor exit node |
| 195.47.238.178 | Tor exit node |
| 195.47.238.83 | Tor exit node |
More about the Salesloft Drift incident at the following link: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
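The “Review Audit Logs” step and the IOC table above are easier to act on together, so here is an added Python example (not code from the article or from Google) that runs exported token/login audit events against the indicators listed in the table and the August 8–18 activity window from the timeline. The events are a constructed JSON-lines sample, and the field names (time, actor, ip, user_agent, event, client_id) are an assumption rather than Google’s actual audit schema; map them to whatever your export produces. The two Salesforce-* user agents are treated as high-confidence, while the generic python-requests and aiohttp strings are rated low on their own because plenty of legitimate tooling uses them; that weighting is also an assumption.

```python
"""Match exported audit events against the indicators in this article.

Added example; the event field names are assumptions, not Google's audit log schema.
"""
import json
from datetime import datetime, timezone

# Source IPs copied from the IOC table in this article.
IOC_IPS = {
    "208.68.36.90", "44.215.108.109", "154.41.95.2", "176.65.149.100",
    "179.43.159.198", "185.130.47.58", "185.207.107.130", "185.220.101.133",
    "185.220.101.143", "185.220.101.164", "185.220.101.167", "185.220.101.169",
    "185.220.101.180", "185.220.101.185", "185.220.101.33", "192.42.116.179",
    "192.42.116.20", "194.15.36.117", "195.47.238.178", "195.47.238.83",
}
# Tooling-specific strings rate high; generic client libraries need corroboration.
IOC_UA_HIGH = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}
IOC_UA_LOW = {"python-requests/2.32.4", "Python/3.11 aiohttp/3.12.15"}

# Active exfiltration window from the article's timeline (August 8-18, 2025).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive

# Constructed sample events (simplified JSON lines, not real log output).
SAMPLE_EVENTS = """
{"time": "2025-08-09T03:12:44Z", "actor": "alice@example.com", "ip": "185.220.101.133", "user_agent": "Mozilla/5.0", "event": "authorize", "client_id": "111111.apps.googleusercontent.com"}
{"time": "2025-08-12T14:05:10Z", "actor": "bob@example.com", "ip": "203.0.113.10", "user_agent": "python-requests/2.32.4", "event": "token_refresh", "client_id": "111111.apps.googleusercontent.com"}
{"time": "2025-08-12T15:30:00Z", "actor": "carol@example.com", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "event": "login_success", "client_id": ""}
{"time": "2025-07-30T08:00:00Z", "actor": "dave@example.com", "ip": "208.68.36.90", "user_agent": "Salesforce-CLI/1.0", "event": "authorize", "client_id": "999999.apps.googleusercontent.com"}
"""


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_events(jsonl):
    """Return one finding per event that matches an indicator, with severity and window flag."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        ts = parse_time(ev["time"])
        reasons, severity = [], None

        if ev.get("ip") in IOC_IPS:
            reasons.append(f"source IP {ev['ip']} is a listed indicator")
            severity = "high"

        ua = ev.get("user_agent", "")
        if ua in IOC_UA_HIGH:
            reasons.append(f"user agent '{ua}' is a listed indicator")
            severity = "high"
        elif ua in IOC_UA_LOW:
            reasons.append(f"generic user agent '{ua}' is listed; corroborate before acting")
            severity = severity or "low"

        if not reasons:
            continue
        findings.append({
            "time": ev["time"],
            "actor": ev["actor"],
            "event": ev["event"],
            "severity": severity,
            "in_window": WINDOW_START <= ts < WINDOW_END,
            "reasons": reasons,
        })
    return findings


def actors_to_review(findings):
    """Accounts to prioritize: any high-severity hit, or a low-severity hit inside the window."""
    return sorted({f["actor"] for f in findings if f["severity"] == "high" or f["in_window"]})


if __name__ == "__main__":
    hits = triage_events(SAMPLE_EVENTS)
    for f in hits:
        flag = "in-window" if f["in_window"] else "outside-window"
        print(f"{f['severity'].upper():4} {f['time']} {f['actor']:18} {f['event']:13} {flag}: {'; '.join(f['reasons'])}")
    print("Review first:", actors_to_review(hits))
```

A hit outside the window (like the constructed `dave@example.com` entry) is still worth a look, since the indicators are tied to the actor rather than to a date, but the window lets you order the queue: in-window high-severity hits go to password reset and token revocation first.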