A large-scale cybersecurity incident has expanded the warning perimeter for organizations using Salesloft Drift, an AI-powered chat platform. Emerging evidence shows that the attack risks extend beyond initial forecasts, with broader implications for companies using integrations between Drift and other business systems. Security teams have begun advising all companies with Drift integrations to review and possibly suspend those connections, highlighting a more complex threat landscape than first understood. Although Drift’s integration capabilities provide valuable connectivity for customer engagement, that same functionality now represents a critical vulnerability shared by numerous high-profile platforms.
When reports of this incident first surfaced, focus was on a narrower group of affected users, particularly those leveraging Salesforce in conjunction with Drift. However, subsequent analysis has revealed a more extensive impact, including organizations utilizing Google Workspace and other connected services. Early investigations tended to downplay the potential for downstream compromise, but new evidence has shifted attention to a much wider array of third-party integrations and possible victims. The continuing investigation is revealing layers of exposure that were not previously acknowledged in public updates.
Scope of Compromise Reaches Beyond Salesforce
Investigators have discovered that the malicious activity traced to the UNC6395 threat group was not confined to Salesforce integrations. Customers connecting Drift to Google Workspace, among many others, have reportedly experienced breaches. According to Google’s Threat Intelligence Group, these attacks involve stolen OAuth tokens and a direct search for valuable credentials. One affected party has even been identified among former Drift customers, though verification is ongoing. Google continues to estimate that the number of potentially impacted organizations exceeds 700, with additional cases likely to surface.
Response Actions and Security Recommendations
Salesloft, now the parent company of Drift, detailed measures to mitigate risk for current users. The company’s updated protocols focus on revoking and rotating API keys used in all third-party integrations involving Drift. Partner service Salesforce responded by disabling the Drift connector in its ecosystem, effectively halting further exposure via that channel. However, Salesforce clarified that no underlying vulnerability has been found in its own platform, maintaining a separation between the Drift-related breach and its own security posture. Other technology partners and researchers continue to collaborate on containment and remediation efforts.
“We’re telling organizations to treat any Drift integration into any platform as potentially compromised, so that increases the scope of victims,” Mandiant Consulting CTO Charles Carmakal stated.
Identifying the Initial Entry Point Remains Ongoing
The specific method by which UNC6395 gained its initial foothold in Drift’s infrastructure remains a subject of investigation. Security experts are tracing possible vectors, particularly since the group succeeded in harvesting credentials that grant access to AWS, VPN, and Snowflake accounts associated with affected organizations.
“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Carmakal noted. The ongoing forensic probe aims to clarify the attackers’ tactics and prevent future exploitation, as remediation steps continue to evolve with each new finding.
Recent developments surrounding the Salesloft Drift breach indicate a wider network of potential targets than earlier breaches linked to credential harvesting via OAuth tokens. Unlike prior incidents that largely focused on individual CRM integrations or limited vendor ecosystems, the current exposure shows a risk extending through multiple high-value SaaS platforms. This expansion to Google Workspace and other third parties sets the current intrusion apart by its scope and versatility. Other reports tracked isolated attacker activities, but subsequent analysis now points to a coordinated campaign targeting interconnected APIs, making containment and victim notification more complex. The industry response now involves heightened alertness around comprehensive third-party security reviews for all integrated platforms, which represents a significant escalation in standard post-breach procedures.
As the investigation proceeds, companies using Drift are reassessing their integration security and monitoring for unauthorized access across all connected platforms. With Drift’s integrations spanning over 50 external tools, any linked service could represent a potential pathway for credential theft or broader compromise. The incident also underscores the ripple effect that a breach in an integration platform can have across enterprise SaaS environments, prompting intensified scrutiny on partnership security and the management of authentication credentials. IT teams should consider reviewing all third-party connections for anomalous activity, adopting a more proactive approach to access management, and accelerating credential rotation policies. These steps can help reduce exposure to ongoing or future threats rooted in supplier ecosystems.
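The article notes that the attackers searched connected systems for credentials granting access to AWS, VPN and Snowflake accounts, and closes by recommending accelerated credential rotation. The following is an added defender-side example, not code from the article, Salesloft, Google or Mandiant: it scans exported CRM or support-case text that a Drift integration could have read with a stolen OAuth token and produces a list of credential kinds that must be rotated. The AWS access-key-ID prefix is the publicly documented format; the Snowflake host and password-assignment patterns are heuristics (assumptions) to tune for your own data, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Patterns for the credential types the article says were harvested.
# AWS access-key IDs follow the documented AKIA/ASIA prefix format; the
# Snowflake and password patterns are heuristics (assumptions).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_account": re.compile(r"\b[a-z0-9-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str
    excerpt: str  # redacted: only the first four characters are kept

def redact(value: str) -> str:
    """Keep just enough to identify the secret for rotation without re-exposing it."""
    return value[:4] + "..." if len(value) > 4 else "..."

def scan_records(records):
    """Return a Finding for every credential-like match in each record's free text."""
    findings = []
    for rec in records:
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(rec["body"]):
                findings.append(Finding(rec["id"], kind, redact(m.group(0))))
    return findings

def rotation_plan(findings):
    """Group exposed record IDs by credential kind: what to rotate, and where it leaked."""
    plan = {}
    for f in findings:
        plan.setdefault(f.kind, set()).add(f.record_id)
    return plan

# Constructed sample export (not real data): support-case bodies of the kind an
# integration holding a stolen OAuth token could read.
SAMPLE_RECORDS = [
    {"id": "case-001", "body": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE and password=Sup3rS3cret!"},
    {"id": "case-002", "body": "Warehouse is acme-prod.snowflakecomputing.com, user svc_etl"},
    {"id": "case-003", "body": "Chat transcript: pricing question only, no credentials."},
]

if __name__ == "__main__":
    for kind, ids in rotation_plan(scan_records(SAMPLE_RECORDS)).items():
        print(f"rotate {kind}: exposed in {sorted(ids)}")
```

Run it against a real export to prioritise which AWS keys, Snowflake service accounts and shared passwords to revoke first; the redacted excerpts are safe to paste into a ticket.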