A major supply chain breach involving Salesloft’s Drift integration has exposed Salesforce and Google Workspace data from hundreds of organizations. Attackers exploited OAuth tokens to access sensitive information, prompting Google, Zscaler, and other affected companies to take immediate action.
In early August 2025, a supply-chain cyberattack targeted Salesloft’s Drift chatbot integration, specifically the OAuth and refresh tokens used to connect Drift with customer Salesforce, Google Workspace, and other systems. Beginning around August 8, threat actors tracked as UNC6395 (also referred to as “GRUB1”) systematically exfiltrated sensitive data from hundreds of organizations.
The breach wasn’t limited to Salesforce; Google identified that some Google Workspace accounts integrated with Drift Email were also compromised.
The Salesloft Drift breach began around August 8, 2025, when attackers first gained access to OAuth tokens, with active data exfiltration occurring between August 12 and August 17. By August 20, Salesloft had revoked all Drift access tokens and taken the integration offline to contain the attack. The details of the breach are as follows:
Attack vector
Attackers exploited the trusted OAuth tokens granted to the Salesloft Drift application. Because those tokens carried the same permissions as the legitimate users who had authorized the integration, the attackers could read and move through customer systems as if they were those users.
Targets and impact
The threat actor extracted large volumes of data, including AWS access keys, Snowflake tokens, passwords, and Salesforce object data such as Cases, Accounts, Users, and Opportunities. In some cases, support case text fields containing potentially sensitive data were also exposed.
Operational security by the threat actor
The attackers demonstrated advanced operational security: they deleted their query jobs to hinder detection. Salesforce logs, however, remained intact, so forensic review of the activity was still possible afterward.
Response measures
By August 20, Salesloft revoked all Drift access tokens, and Salesforce removed the Drift app from the AppExchange. Salesloft has engaged Mandiant, and Salesforce leaders recommended credential rotation, audit log review, and revocation of all Drift-related tokens.
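A defender-side triage script for the audit log review recommended above, added here as an illustration rather than code from Salesloft, Salesforce, or Google: it flags bulk reads of the targeted objects made through the Drift connected app during the exfiltration window, and scans free text (such as support case descriptions) for AWS access key IDs. The column layout and the connected-app name are assumptions (a simplified stand-in for a Salesforce event log export), and the log rows are constructed.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample export in a simplified, assumed column layout (not
# Salesforce's real EventLogFile schema): one API call per row.
SAMPLE_LOG = """timestamp,user,connected_app,operation,object,rows,job_deleted
2025-08-10T09:12:00Z,svc.drift,Salesloft Drift,query,Lead,40,false
2025-08-13T02:41:17Z,svc.drift,Salesloft Drift,bulk_query,Case,182000,true
2025-08-14T03:05:44Z,svc.drift,Salesloft Drift,bulk_query,Account,91000,true
2025-08-14T03:09:02Z,svc.drift,Salesloft Drift,bulk_query,User,3100,true
2025-08-15T11:20:00Z,jane.doe,Salesforce Web,query,Opportunity,25,false
"""

# Window of active exfiltration reported for the incident (Aug 12-17, 2025).
WINDOW_START = datetime(2025, 8, 12, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, tzinfo=timezone.utc)  # exclusive
TARGETED_OBJECTS = {"Case", "Account", "User", "Opportunity"}

# Well-known AWS access key ID format; used to find secrets pasted into
# support case text that an attacker with Case read access would have seen.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def suspicious_drift_events(log_text):
    """Return rows where the Drift app bulk-read a targeted object in the window."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if not (WINDOW_START <= ts < WINDOW_END):
            continue
        if "drift" not in row["connected_app"].lower():
            continue
        if row["object"] in TARGETED_OBJECTS and row["operation"] == "bulk_query":
            hits.append(row)
    return hits


def find_aws_key_ids(text):
    """Return AWS access key IDs found in free text, e.g. a case description."""
    return AWS_KEY_RE.findall(text)


if __name__ == "__main__":
    # A deleted job with a large row count is the pattern worth escalating.
    for r in suspicious_drift_events(SAMPLE_LOG):
        print(f"{r['timestamp']} {r['object']} rows={r['rows']} job_deleted={r['job_deleted']}")
```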
Was Paubox affected?
No. Paubox has not been listed among affected vendors or customers. However, companies such as Zscaler, Cloudflare, and Palo Alto Networks, as noted by The Hacker News, have publicly disclosed that portions of their Salesforce data were accessed.
Google’s Threat Intelligence Group was among the first to raise alarms about the scope of the breach, stressing that the impact went beyond Salesforce data alone. In its blog post, the team advised “all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” The advisory added that attackers had leveraged Drift OAuth tokens to access not only Salesforce instances but also a small number of Google Workspace accounts before those tokens were revoked.
Zscaler also confirmed it had been affected but sought to reassure customers that the breach was limited in scope. The company explained, “At Zscaler, protecting your data and maintaining transparency are core to our mission to secure, simplify and accelerate business transformation.” According to IT Pro, Zscaler noted, “Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information.”
In response to the breach, Google’s Threat Intelligence Group recommends that organizations take immediate steps to mitigate risks associated with compromised OAuth tokens. Key actions include:
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)