Salesforce has disabled all integrations with Salesloft – as Google Threat Intelligence Group (GTIG) revealed that the scope of the Drift application hack is worse than previously thought.
Earlier this week, Salesforce Ben reported on the news that Salesforce customers had been targeted in a data theft campaign carried out through the third-party application, Salesloft Drift.
The campaign was said to be carried out by a threat actor tracked as ‘UNC6395’ – a different designation from the ‘ShinyHunters’ group, which is reportedly responsible for several recent social engineering attacks on big-name Salesforce customers.
In the Salesloft Drift incident, hackers targeted Salesforce instances through compromised OAuth tokens, GTIG said, and Salesloft had indicated that customers who do not integrate with Salesforce were not impacted by the campaign.
But, based on new information identified by GTIG, the scope of the compromise is not limited to the Salesforce integration with Salesloft Drift: OAuth tokens for the “Drift Email” integration have also been compromised, Google now says.
Salesforce Disables All Integrations With Salesloft
In an update posted on August 28, Salesforce revealed that they have disabled all integrations between Salesforce and Salesloft technologies, including the Drift app.
“As a result, organizations will not be able to connect to Salesforce via any Salesloft apps until further notice,” Salesforce said. “Our teams are continuing to assess the situation, and we will provide further updates as appropriate.”
GTIG is now advising all Salesloft Drift customers to treat “any and all” authentication tokens stored in or connected to the Drift platform as potentially compromised. It recommends that organizations immediately review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
Google said in a statement: “On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the ‘Drift Email’ integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts.
“The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain.”
Google says that, in response to these findings, they have identified the impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift “pending further investigation”. The company is also notifying all impacted Google Workspace administrators.
“To be clear, there has been no compromise of Google Workspace or Alphabet itself,” GTIG said.
Salesforce has also said that this issue did not stem from a vulnerability within the core Salesforce platform.
Salesloft has now engaged Mandiant to assist in its investigation.
Final Thoughts
Once again, this issue does not stem from a vulnerability within the core Salesforce platform, but news of security breaches in the ecosystem is far from ideal for the cloud giant.
We do not know the identity of the threat actor, but Google previously said they demonstrated “operational security awareness” – and this latest news seems to only confirm that.