Google Alerts: Salesloft Drift Breach Affects All Integrations Beyond Salesforce

Aug 29, 2025
Data Breach / Salesforce

Google has issued a warning about the recent surge of attacks on Salesforce instances via Salesloft Drift, revealing that the scope of the breach is wider than initially believed. The advisory urges all Salesloft Drift customers to treat any authentication tokens linked to the Drift platform as potentially compromised. According to the Google Threat Intelligence Group (GTIG) and Mandiant, after the OAuth tokens for the “Drift Email” integration were compromised, the attackers used the stolen tokens on August 9, 2025 to access emails from a small number of Google Workspace accounts. Importantly, this incident does not represent a compromise of Google Workspace or Alphabet itself. Only accounts specifically set up to integrate with Salesloft were at risk; other accounts on a customer’s Workspace remained secure.

Google Issues Warning on Expanded Impact of Salesloft Drift Breach

In a significant cybersecurity alert, Google has disclosed that the recent attacks targeting Salesforce instances through Salesloft’s Drift platform are far-reaching, affecting all integrations beyond Salesforce. In an updated advisory, the Google Threat Intelligence Group (GTIG) alongside Mandiant urged all users of Salesloft’s Drift to consider any authentication tokens associated with the platform as potentially compromised.

The attackers used stolen OAuth tokens to gain access to email accounts tied to the “Drift Email” integration. The intrusion was observed on August 9, 2025, when a limited number of Google Workspace email accounts were accessed. It is crucial to emphasize that the breach did not involve a compromise of Google Workspace itself, nor of its parent company, Alphabet. The unauthorized access was confined to accounts specifically configured for integration with Salesloft; the attackers could not reach any unrelated customer accounts on the platform.

As organizations depend increasingly on cloud integrations for business operations, this incident underscores the critical importance of safeguarding authentication credentials. The attackers’ tactics map to the initial access and persistence tactics of the MITRE ATT&CK framework: by stealing the OAuth tokens, the adversaries established a foothold that gave them subsequent access to sensitive data without needing a user’s password.

Business owners must recognize the ongoing threat posed by compromised integration credentials, particularly in the context of interconnected applications. With the risk of privilege escalation through compromised tokens, the incident serves as a stark reminder to reevaluate the security controls surrounding third-party integrations.

As part of a proactive defense strategy, organizations should monitor authentication activity, including the tokens granted to third-party integrations, and consider enhancements such as multifactor authentication and regular audits of access rights. Moreover, this breach highlights the necessity of maintaining an agile response plan for incidents affecting integrated services.
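The advisory’s instruction to treat every Drift-linked token as compromised, together with the recommendation above to audit access rights, comes down to a concrete triage task for a defender: enumerate which accounts hold grants for the affected integration, queue those tokens for revocation, and review any use of them on or after the date the access was observed. The following Python script is an added example written for this page, not code from the article, Google, Salesloft or Mandiant. The JSON record layout, the “Drift Email” app name used as a filter key, the scope-risk tiers, the `token_use` event name and the sample events are all constructed assumptions; they are not the real Google Workspace audit log format.

```python
"""Triage of third-party OAuth token grants after a vendor compromise.

Added example for this page; not the article's, Google's or Salesloft's code.
The one-JSON-object-per-line record layout below is an ASSUMED, simplified
schema constructed for the example, not the real Workspace audit log format.
"""
import json
from datetime import datetime, timezone

# Constructed sample events: OAuth grants and later token uses by two apps.
SAMPLE_LOG = """
{"ts": "2025-08-01T10:00:00Z", "event": "grant", "user": "alice@example.com", "app": "Drift Email", "client_id": "drift-app-1", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
{"ts": "2025-08-02T11:30:00Z", "event": "grant", "user": "bob@example.com", "app": "Calendar Sync", "client_id": "cal-app-9", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
{"ts": "2025-08-09T03:14:00Z", "event": "token_use", "user": "alice@example.com", "app": "Drift Email", "client_id": "drift-app-1", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
{"ts": "2025-08-05T09:00:00Z", "event": "grant", "user": "carol@example.com", "app": "Drift Email", "client_id": "drift-app-1", "scopes": ["https://www.googleapis.com/auth/gmail.modify", "https://www.googleapis.com/auth/gmail.send"]}
{"ts": "2025-08-10T22:47:00Z", "event": "token_use", "user": "carol@example.com", "app": "Drift Email", "client_id": "drift-app-1", "scopes": ["https://www.googleapis.com/auth/gmail.modify"]}
"""

# Assumed sensitivity tiers for this example (not an official ranking):
# scopes that can alter or send mail outrank read-only mail access.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
}
MEDIUM_RISK_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly"}

# The article reports the observed token use on August 9, 2025; uses from
# that date onward are reviewed. Adjust to the vendor's stated timeline.
CUTOFF = datetime(2025, 8, 9, tzinfo=timezone.utc)


def parse_records(text):
    """Parse one JSON object per line, converting the timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def scope_risk(scopes):
    """Classify a token by the most sensitive scope it carries."""
    if any(s in HIGH_RISK_SCOPES for s in scopes):
        return "high"
    if any(s in MEDIUM_RISK_SCOPES for s in scopes):
        return "medium"
    return "low"


def tokens_to_revoke(records, app_name):
    """Every user holding a grant for the affected app, with the union of scopes."""
    holders = {}
    for rec in records:
        if rec["event"] == "grant" and rec["app"] == app_name:
            holders.setdefault(rec["user"], set()).update(rec["scopes"])
    return holders


def token_uses_since(records, app_name, since):
    """Token-use events for the affected app on or after the cut-off, oldest first."""
    return sorted(
        (rec["user"], rec["ts"])
        for rec in records
        if rec["event"] == "token_use" and rec["app"] == app_name and rec["ts"] >= since
    )


def triage(text, app_name, since):
    """Return the revocation list (user -> risk tier) and the uses to review."""
    records = parse_records(text)
    revoke = tokens_to_revoke(records, app_name)
    return {
        "revoke": {user: scope_risk(scopes) for user, scopes in sorted(revoke.items())},
        "suspicious_uses": token_uses_since(records, app_name, since),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "Drift Email", CUTOFF)
    for user, risk in result["revoke"].items():
        print(f"REVOKE  {user:22s} risk={risk}")
    for user, ts in result["suspicious_uses"]:
        print(f"REVIEW  {user:22s} token used {ts.isoformat()}")
```

On the constructed sample the script lists alice and carol for revocation (bob’s Calendar Sync grant is untouched, matching the article’s point that only integration-linked accounts were exposed), ranks carol’s token higher because it can modify and send mail, and flags both post-cut-off token uses for review. In a real environment the record source would be the identity provider’s OAuth audit export, and the revocation step would be carried out through that provider’s admin tooling rather than inferred from logs alone.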

In the evolving landscape of cybersecurity, awareness is paramount. This breach not only sheds light on a specific incident but also reinforces the broader pattern of persistent threats that businesses face today. Going forward, vigilance and preparedness will be key to safeguarding sensitive data against constantly evolving adversary tactics.
