Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Incidents

Google Warns Salesloft Breach Hit Accounts

September 1, 2025
Reading Time: 3 mins read
in Incidents
MathWorks Confirms Cyberattack Data Stolen

Google has issued a new warning about the ongoing Salesloft Drift breach, revealing that the scope of the compromise is more extensive than initially believed. While the initial focus was on the theft of OAuth tokens used to access customer Salesforce instances, Google’s investigation has now confirmed that a “very small number” of Google Workspace email accounts were also accessed by the attackers. The threat actors, identified as UNC6395, used compromised tokens from the “Drift Email” integration to gain unauthorized access to these accounts. This discovery broadens the attack’s scope beyond the Salesforce integration, impacting other connected services.

The campaign, first reported on August 26, began with attackers exploiting the Salesloft Drift AI chat integration with Salesforce. The threat actors used stolen OAuth tokens to execute queries against various Salesforce objects, including Cases, Accounts, Users, and Opportunities. Their primary objective was to exfiltrate large volumes of data and, more specifically, to harvest sensitive credentials. The stolen data was then scanned for valuable information like AWS access keys, Snowflake tokens, and passwords, which could be used to facilitate future attacks and potential extortion.

In response to the new findings, Google has taken swift action to protect its users. The company has identified the impacted Google Workspace accounts and revoked the specific OAuth tokens granted to the Drift Email application. Furthermore, Google has disabled the integration functionality between Google Workspace and Salesloft Drift as a precautionary measure while the investigation continues. It is important to note that Google has emphasized that this was not a compromise of Google Workspace or Alphabet itself, but rather a targeted attack on accounts with a direct integration to the vulnerable Drift platform.

The broadening of the attack’s scope has led Google to issue a more urgent and comprehensive warning to all organizations using Drift. Google is now advising all Salesloft Drift customers to “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” This recommendation urges customers to immediately revoke and rotate credentials for any applications integrated with Drift and to conduct thorough investigations of all connected systems for any signs of unauthorized access.

Both Google and Salesloft have been collaborating to address the incident. Salesloft has also engaged Mandiant and Coalition to assist with their investigation and has updated its advisory to reflect the latest findings. As a result of the ongoing investigation and heightened security concerns, Salesforce has temporarily disabled all Salesloft integrations with Salesforce, Slack, and Pardot. These steps underscore the severity of the supply chain attack, highlighting the critical need for organizations to proactively manage and secure third-party integrations.

Reference:

  • Google Warns Salesloft Breach Impacted Some Workspace Accounts
Tags: cyber incidentsCyber Incidents 2025Cyber threatsSeptember 2025
ADVERTISEMENT

Related Posts

Sitecore Exploit Chain Warning

Lotte Card Cyberattack Reported

September 2, 2025
Sitecore Exploit Chain Warning

Zscaler Data Breach Exposes Info

September 2, 2025
Sitecore Exploit Chain Warning

Von Der Leyen Plane GPS Jamming

September 2, 2025
MathWorks Confirms Cyberattack Data Stolen

MathWorks Confirms Cyberattack Data Stolen

September 1, 2025
MathWorks Confirms Cyberattack Data Stolen

Fraudster Stole Millions From Baltimore

September 1, 2025
Swedish Towns Hit By Ransomware Attack

Nevada Closes Offices After Cyberattack

August 28, 2025

Latest Alerts

High Risk SQLi In WordPress Plugin

AI Weaponized Nx Supply Chain Attack

Sitecore Exploit Chain Warning

Brokewell Android Malware In Fake Ads

North Korea APT37 Uses RokRAT In Phishing

New Zero Click Exploit Targets WhatsApp

Subscribe to our newsletter

    Latest Incidents

    Lotte Card Cyberattack Reported

    Von Der Leyen Plane GPS Jamming

    Zscaler Data Breach Exposes Info

    Google Warns Salesloft Breach Hit Accounts

    Fraudster Stole Millions From Baltimore

    MathWorks Confirms Cyberattack Data Stolen

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial