Google reveals that a widespread attack using stolen OAuth tokens has compromised Salesforce and Google Workspace integrations via Salesloft Drift. Organizations are advised to revoke credentials, review integrations, and monitor for unauthorized access. #Salesloft #OAuthTokens
Keypoints
- Google and Mandiant have identified a broad attack impacting all Salesloft Drift integrations.
- The attackers used stolen OAuth tokens to access emails and Salesforce integrations without compromising Google Workspace itself.
- Impacted users were notified, and affected OAuth tokens were revoked, with integration functions temporarily disabled.
- Organizations are urged to review third-party integrations, revoke credentials, and investigate for unauthorized activity.
- The threat actor cluster, UNC6365, is associated with opportunistic data theft using compromised OAuth tokens between August 8-18, 2025.
Read More: https://thehackernews.com/2025/08/google-warns-salesloft-oauth-breach.html