ZATAZ » Salesloft Drift: A Breach Beyond Salesforce

The breach linked to Salesloft Drift is far broader than first disclosed, potentially compromising any client that integrated the chatbot with a third-party service.

The security incident affecting Salesloft Drift now spans a much wider perimeter. Initially presented as limited to Salesforce customers, it actually impacts any organization that connected Drift to a third-party service. Google and Mandiant confirm that at least 700 entities are exposed, including Google Workspace users. Attackers identified as UNC6395 stole OAuth tokens to access accounts, extract emails, and search for critical credentials such as AWS keys, VPN logins, or Snowflake IDs. Salesforce suspended its Drift connections, while Salesloft recommends revoking and rotating all API keys linked to integrations.

A Multiplied Attack Surface

Mandiant Consulting CTO Charles Carmakal now urges all organizations with Drift integrations to assume compromise. Google confirmed unauthorized access involving some Google Workspace users. Google Threat Intelligence Group’s analysis shows the attack extends far beyond Salesforce, contrary to Salesloft’s early statements. Senior Google analyst Austin Larsen noted the discovery “significantly broadens the victim scope.”

Salesloft Drift currently offers 58 different third-party integrations spanning CRM, automation, support, communications, and analytics. This mesh amplifies the domino effect: each interconnection is a door for UNC6395.

Confirmed Impact and Recommendations

Salesloft has updated its public statements, admitting the breach is more severe and extensive than first believed. The company is working with Mandiant, Google Cloud, and insurer Coalition. In its security blog, Salesloft advises all Drift clients using API key connections to immediately revoke and regenerate them.

Salesforce responded by disabling its Drift connection entirely, shutting down affected integrations. The company maintains the flaw did not originate from its platform but from an external vector. Google’s estimate of over 700 exposed organizations may still rise as investigators uncover more attack paths.

Exposure is not limited to current clients. Mandiant identified a possible case involving a former Drift user. In some instances, attackers accessed emails from a small number of Google Workspace accounts.

Attack Objectives and Open Questions

UNC6395, financially motivated, focused on stealing OAuth tokens. These enabled access to various services and the collection of sensitive data. Researchers say attackers prioritized technical credentials: AWS keys, VPN details, and Snowflake accounts.
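Because the attackers searched stolen mailboxes for exactly these credential types, the practical first step for an affected organization is to find out which secrets were sitting in the exposed mail and put them on a rotation list. The following Python triage script is an added example written for this article, not Salesloft, Mandiant, or Google tooling: it scans a constructed mailbox export for credential-shaped strings (the AWS access-key-ID prefix rule is AWS's documented format; the password and VPN patterns are heuristics chosen here), records only a masked form of each hit, and groups the hits by credential type so owners know what to revoke and regenerate. The message contents and key values are constructed documentation examples, not real credentials.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export of three messages. The AWS values are the
# documentation example keys and the rest are invented; none are real secrets.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "subject": "Re: staging deploy",
     "body": "Use AKIAIOSFODNN7EXAMPLE with secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY for the bucket."},
    {"id": "msg-002", "subject": "Lunch", "body": "See you at noon."},
    {"id": "msg-003", "subject": "Snowflake access",
     "body": "Login: analytics_svc\npassword: Tr0ub4dor&3\nvpn user: jdoe"},
]

# Credential-shaped patterns. The AKIA/ASIA prefix is AWS's published key-ID
# format; the other three are heuristics assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)\bsecret\b[^\n]{0,40}?([A-Za-z0-9/+=]{40})\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "vpn_credential": re.compile(r"(?i)\bvpn\b[^\n]{0,40}?\b(?:user|login)\b\s*[:=]?\s*(\S+)"),
}


@dataclass(frozen=True)
class Finding:
    message_id: str
    kind: str
    masked: str  # the triage output never stores the full secret


def mask(value: str) -> str:
    """Keep a short prefix so the owner can recognise the credential, hide the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_messages(messages):
    """Return one Finding per credential-shaped match across subject and body."""
    findings = []
    for msg in messages:
        text = msg["subject"] + "\n" + msg["body"]
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Use the capture group when the pattern has one, else the whole match.
                value = m.group(m.lastindex or 0)
                findings.append(Finding(msg["id"], kind, mask(value)))
    return findings


def rotation_worklist(findings):
    """Group affected message ids by credential type: one rotation task list per owner."""
    worklist = defaultdict(list)
    for f in findings:
        if f.message_id not in worklist[f.kind]:
            worklist[f.kind].append(f.message_id)
    return dict(worklist)


if __name__ == "__main__":
    found = scan_messages(SAMPLE_MESSAGES)
    for f in found:
        print(f"{f.message_id}: {f.kind} -> {f.masked}")
    print(rotation_worklist(found))
```

Run against a real export, the worklist tells you which AWS keys, VPN accounts, and service passwords to rotate first, while the masked values keep the report itself from becoming another copy of the secrets. Pattern-based scanning will miss credentials pasted in unusual formats, so treat the output as a starting point, not proof that nothing else was exposed.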

The method shows a standard escalation scenario: exploiting one SaaS connector, then pivoting across interconnected environments.

The root cause of the initial breach remains undetermined. Mandiant confirms it is working with Salesloft Drift to trace the origin and implications within the vendor’s infrastructure. Carmakal noted ongoing updates will follow, showing that the scope and depth of the incident are still unfolding.

The Salesloft Drift breach highlights the fragility of hyperconnected SaaS ecosystems. A single connector flaw can cascade across hundreds of organizations. The unresolved issue: what security guarantees should integration vendors be held to, so that such connectors do not become weak links in global economic espionage?
