Google Alerts Users of Expanded Salesloft Drift Data Breach

Editorial

Google has issued a warning to users of the Salesloft Drift AI chat agent, stating that all security tokens associated with the platform should be considered compromised. This advisory follows the revelation that unknown attackers exploited certain credentials to access emails from Google Workspace accounts. In response to this breach, Google has revoked the tokens implicated in the security incident and has disabled the integration between the Salesloft Drift agent and all Workspace accounts as part of its ongoing investigation. Affected account holders have been notified regarding the compromise.

Scope of the Breach Expands

The breach, initially reported on August 15, 2023, has proven to be more extensive than previously understood. Earlier assessments by members of the Google Threat Intelligence Group (GTIG) suggested that the compromised tokens were restricted to Salesloft Drift integrations with Salesforce. However, new information prompted a reassessment of this situation, leading Google to announce that the compromise extends beyond Salesforce integrations.

“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” stated the advisory update released on August 17, 2023. Google now advises all Salesloft Drift customers to treat any authentication tokens stored in or connected to the Drift platform as potentially compromised.

Despite this critical update, Salesloft’s security guidance page has not reflected the broader implications of the breach and continues to assert that the issue affects only Drift’s integration with Salesforce. As of now, company representatives have not provided a response to inquiries seeking confirmation of Google’s findings.

Salesloft Drift, an AI-driven chat agent, facilitates real-time interactions between websites and potential customers. The platform was acquired by Salesloft 18 months ago and integrates with various services, including Salesforce and other customer relationship management platforms, Slack, and Google Workspace.

Details of the Attack

According to Google, an attack group identified as UNC6395 has been engaged in a mass data-theft campaign, utilizing compromised Drift OAuth tokens to gain access to Salesforce instances. Once inside these accounts, the attackers accessed sensitive data and sought credentials that could provide access to other services, including AWS and Snowflake. This theft spree reportedly began on August 8, 2023, and continued through at least August 18, 2023.

In light of the ongoing threat, Salesforce has disabled Drift integrations with its main cloud service, as well as its Slack and Pardot platforms. Google’s recent update indicates that the breach may not have been fully contained, prompting the company to recommend that organizations take immediate action.

Google advises businesses to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. To assist in this matter, Salesloft has retained the services of Mandiant, a Google-owned incident response company, to help investigate the breach further.
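
As an added illustration of the credential review described above (not code from Google, Salesloft or this article), the following Python sketch scans exported record text for the kinds of secrets the attackers reportedly sought, AWS and Snowflake credentials, and builds a list of records whose credentials need rotation. The record IDs, sample text and regex patterns are constructed assumptions.

```python
import re

# Patterns are assumptions for this example. AKIA/ASIA + 16 characters is the
# commonly used scanner pattern for AWS access key IDs; the others are heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_host": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "inline_password": re.compile(r"(?i)\b(?:password|passwd|secret|token)\s*[:=]\s*(\S{6,})"),
}
SECRET_KINDS = {"aws_access_key_id", "inline_password"}  # values to mask in reports

# Constructed sample records standing in for exported CRM case text.
SAMPLE_RECORDS = [
    ("case-001", "Customer pasted key AKIAIOSFODNN7EXAMPLE while debugging uploads."),
    ("case-002", "Login at acme-xy12345.snowflakecomputing.com fails, password: Winter2024!x"),
    ("case-003", "Please reset my dashboard layout."),
]

def redact(value):
    """Keep a 4-character prefix so a finding is identifiable without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4)

def scan_records(records):
    """Return (record_id, kind, value) for every match; secret values are masked."""
    findings = []
    for record_id, text in records:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(m.lastindex or 0)  # captured group if the pattern has one
                if kind in SECRET_KINDS:
                    value = redact(value)
                findings.append((record_id, kind, value))
    return findings

def rotation_worklist(findings):
    """Group findings by credential kind -> sorted record IDs to review and rotate."""
    work = {}
    for record_id, kind, _ in findings:
        work.setdefault(kind, set()).add(record_id)
    return {kind: sorted(ids) for kind, ids in work.items()}

if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for hit in hits:
        print(hit)
    print(rotation_worklist(hits))
```
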

As the situation develops, both Google and Salesloft are taking steps to ensure the security of their platforms while keeping users informed of potential risks.
