Google Threat Intelligence Group reports a widespread data-theft campaign abusing OAuth tokens tied to Salesloft Drift. The campaign was initially observed against Salesforce orgs (Aug 8–18, 2025), but its scope now includes other Drift integrations: on Aug 9, a small number of Google Workspace mailboxes configured with the “Drift Email” integration were accessed using stolen tokens. Google revoked affected tokens and disabled the Workspace-Drift integration; Salesforce/Salesloft revoked Drift tokens and removed the app from AppExchange. It is advised to treat any authentication token stored in or connected to Drift as potentially compromised, and to revoke and rotate all OAuth tokens, API keys and credentials for every third-party app connected to your Drift instance (not just Salesforce).
Type: Campaign
Actors: UNC6395
Pub. date: September 2, 2025
Initial access: Exposed secret, Password attack
Impact: Data exfiltration
Observed techniques: Valid creds abuse, Credential theft
Targeted technologies: Salesforce, Salesloft Drift
References: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift/
Status: Finalized
Last edited: Sep 30, 2025 1:13 PM