OAuth Token Theft Hits Salesforce Users: A Wake-Up Call for ERP Integrations

In August 2025, a data breach affecting a subset of Salesforce and Google Workspace customers highlighted the security risks of user-authorized third-party integrations. The incident was not a systemwide breach of Salesforce or Google. Instead, hackers compromised a connected application, Salesloft’s Drift app, which specific customers had integrated into their accounts.

The attackers stole security tokens from this third-party app, using the permissions customers had granted it to access their sensitive data. These stolen tokens provided a back door for attackers to search within the victims’ Salesforce environments and access their connected Google email accounts. This incident, along with a potentially related breach at TransUnion affecting over 4 million people, shows how attackers are increasingly targeting the trusted connections between cloud applications.

What Happened: Salesloft / Drift OAuth Breach & Ripple Effects

  • Salesloft (via Drift AI chat integration) was breached, enabling attackers to steal OAuth and refresh tokens tied to Salesloft’s Drift app integration with Salesforce. (TechRadar)
  • The threat actor—tracked as UNC6395 by Google’s Threat Intelligence Group (GTIG)—used these tokens between August 8 and August 18, 2025 to systematically exfiltrate data from numerous Salesforce customer instances. (TechRepublic)
  • The stolen data wasn’t just contacts or CRM entries—attackers were searching for credentials, such as AWS access keys (AKIA), passwords, and Snowflake access tokens, using automated queries. (Google Cloud)
  • They demonstrated a level of craftiness—deleting query jobs to obscure their activity, though logs remained intact for forensic review. (Google Cloud)
  • Salesloft and Salesforce responded on August 20, 2025, revoking all access and refresh tokens tied to Drift, with Salesforce also removing the app from the AppExchange. (Google Cloud)
  • GTIG and Mandiant strongly advise that all organizations using Drift—regardless of integration—treat all authentication tokens as compromised. (Google Cloud)
  • Additionally, a small number of Google Workspace email accounts—but only those integrated with Drift Email—were accessed on August 9, 2025, using compromised tokens. Google emphasized this was not a breach of Google or Workspace itself. (The Hacker News)
  • Google has revoked the compromised tokens, disabled the integration, and notified impacted Workspace administrators. (The Hacker News)

What’s Going on with TransUnion

  • TransUnion announced a data breach affecting more than 4.4 million U.S. individuals, but only exposed personal information, not credit reports. (techcrunch.com)
  • The incident occurred on July 28, 2025, involving unauthorized access to a third-party customer support application. (SecurityWeek)
  • The stolen data included names, Social Security numbers, dates of birth, and possibly addresses—but no credit data. (SecurityWeek)
  • While the third party wasn’t explicitly named, the incident appears related to the broader wave of Salesforce-related supply‑chain attacks, including those involving Drift integrations. (SecurityWeek)

Summary: A Rough Month for SaaS Security

  1. The theft of OAuth tokens from Salesloft’s Drift integration triggered a serious campaign targeting Salesforce customers, resulting in widespread credential theft and potential escalation.
  2. Google Workspace users weren’t entirely spared—although only a few accounts tied to Drift Email were accessed, the implications for third-party integrations are broad.
  3. TransUnion’s breach underscores the expanding reach of these attacks, where customer data—even outside core systems like credit files—can be exposed via support apps tied to CRM platforms.

To Protect Your Organization:

  • Immediately revoke and rotate all Drift-associated tokens and credentials.
  • Rotate any AWS, Snowflake, VPN, or other secrets that were stored in Salesforce records.
  • Harden connected app security: enforce IP restrictions, minimize OAuth scope, tighten permissions.
  • Review logs and audit trails for suspicious queries or access.
  • Confirm with Salesforce/Salesloft whether your instance was impacted, and consider opening a support incident.
  • Across the board, review all supply‑chain or third‑party integrations for similar risks.
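The log-review step in this checklist, together with the behaviour GTIG described earlier on the page (automated queries hunting for AKIA keys, passwords and Snowflake tokens, and query jobs deleted to cover tracks), can be turned into a small triage script. The following Python is an added example written for this article, not code from Salesforce, Salesloft or Google. It runs over constructed JSON-lines log records; the field names (ts, app, user, event, query, rows, job_id) are assumptions standing in for whatever your platform's API event export actually provides, and must be mapped before use on real data.

```python
import json
import re
from collections import defaultdict

# Constructed sample log lines, loosely modelled on an API event export.
# Field names are assumptions for this example, not a real platform schema.
SAMPLE_LOG_LINES = [
    '{"ts":"2025-08-09T02:11:04Z","app":"Drift","user":"integration@example.com",'
    '"event":"QUERY","query":"SELECT Id, Name FROM Account LIMIT 200","rows":200}',
    '{"ts":"2025-08-09T02:11:09Z","app":"Drift","user":"integration@example.com",'
    '"event":"QUERY","query":"SELECT Id, Body FROM Case WHERE Body LIKE \'%AKIA%\'","rows":3}',
    '{"ts":"2025-08-09T02:12:30Z","app":"Drift","user":"integration@example.com",'
    '"event":"QUERY","query":"SELECT Id, Name FROM Attachment WHERE Name LIKE \'%password%\'","rows":12}',
    '{"ts":"2025-08-09T02:20:45Z","app":"Drift","user":"integration@example.com",'
    '"event":"QUERY","query":"SELECT Id, Description FROM Opportunity","rows":5000}',
    '{"ts":"2025-08-09T02:40:00Z","app":"Drift","user":"integration@example.com",'
    '"event":"JOB_DELETE","job_id":"JOB-ID-PLACEHOLDER"}',
    '{"ts":"2025-08-09T03:00:00Z","app":"MarketingSync","user":"mkt@example.com",'
    '"event":"QUERY","query":"SELECT Id, Email FROM Contact WHERE LastModifiedDate = LAST_N_DAYS:1","rows":300}',
]

# Strings that a credential-hunting query would place in a WHERE ... LIKE clause.
# The page names AWS access keys (AKIA prefix), passwords and Snowflake tokens;
# tune this list to your own data, since field names such as Password__c can
# produce false positives.
CREDENTIAL_HUNT = re.compile(r"AKIA|password|secret|snowflake|\btoken\b", re.IGNORECASE)


def parse_events(lines):
    """Parse a JSON-lines export into dicts, skipping malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_credential_hunt(event):
    """True when a QUERY event's text searches for secret-like values."""
    query = event.get("query") or ""
    return event.get("event") == "QUERY" and CREDENTIAL_HUNT.search(query) is not None


def analyze(lines, row_budget=1000):
    """Return findings for a window of log lines.

    Rules: credential_hunt (secret-seeking query text), anti_forensics (a
    query job was deleted), bulk_export (a connected app pulled more rows in
    the window than row_budget, a threshold you set from normal traffic).
    """
    findings = []
    rows_per_app = defaultdict(int)
    for ev in parse_events(lines):
        app = ev.get("app", "<unknown>")
        if is_credential_hunt(ev):
            findings.append({"rule": "credential_hunt", "app": app,
                             "ts": ev.get("ts"), "detail": ev["query"]})
        if ev.get("event") == "JOB_DELETE":
            findings.append({"rule": "anti_forensics", "app": app,
                             "ts": ev.get("ts"), "detail": ev.get("job_id")})
        if ev.get("event") == "QUERY":
            rows_per_app[app] += int(ev.get("rows", 0))
    for app, total in rows_per_app.items():
        if total > row_budget:
            findings.append({"rule": "bulk_export", "app": app, "ts": None,
                             "detail": f"{total} rows exceed budget of {row_budget}"})
    return findings


def apps_to_review(findings):
    """Connected apps implicated by any finding: candidates for token revocation."""
    return sorted({f["app"] for f in findings})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG_LINES)
    for f in results:
        print(f"[{f['rule']}] app={f['app']} ts={f['ts']} detail={f['detail']}")
    print("connected apps to review:", apps_to_review(results))
```

Each finding carries the connected app that issued the query, which is the unit you act on in this incident: revoke that app's access and refresh tokens and rotate whatever secrets its queries could have reached. The row budget is deliberately a parameter; set it from a baseline of the app's normal daily volume rather than the constant used here.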