Google Threat Intelligence Group (GTIG), in collaboration with Mandiant, has issued an urgent warning to organizations worldwide, revealing that a widespread data theft campaign originating from the ‘Salesloft Drift’ AI agent is more extensive than initially believed. The campaign, which is being attributed to the threat actor tracked as UNC6395, has resulted in the compromise of hundreds of Salesforce customer instances and, more recently, a limited number of Google Workspace accounts.
The attacks, which occurred between August 8 and August 18, 2025, exploited compromised OAuth tokens associated with the Salesloft Drift third-party application. Rather than directly breaching the core platforms, the threat actor leveraged the app’s compromised connection to systematically exfiltrate vast amounts of data. According to GTIG, the primary objective of the campaign was to “harvest credentials” and other sensitive information, including AWS access keys, passwords, and Snowflake-related tokens, to enable further attacks on victim environments.
Initial investigations focused on the Salesforce integration, but Google’s latest advisory confirms that the scope extends to other integrations. The threat actor also used stolen OAuth tokens from the “Drift Email” integration to access a small number of Google Workspace email accounts. Google has clarified that this was not a compromise of its core platforms but a vulnerability tied to the specific third-party app integration.
In response to the escalating threat, Google has taken swift action, revoking the compromised OAuth tokens, disabling the affected integration with Google Workspace, and notifying all impacted administrators. Both Google and Salesloft are urging all customers to treat any and all authentication tokens connected to the Drift platform as potentially compromised.
This incident highlights a growing vulnerability in the interconnected SaaS ecosystem, where the security of one third-party application can become a weak point for multiple, business-critical platforms. Cybersecurity experts emphasize the need for organizations to conduct thorough reviews of all third-party integrations, revoke and rotate credentials, and diligently investigate their logs for signs of unauthorized access. The campaign underscores that even a single compromised AI agent can serve as a conduit for a much larger and more damaging supply-chain attack.
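To support the credential rotation urged above, the following added example (not part of the GTIG advisory or of any vendor tooling) scans exported CRM record text for the credential types the campaign harvested: AWS access keys, passwords, and Snowflake references. The record layout, field names, regular expressions, and function names are assumptions made for illustration, and the sample records are constructed.

```python
import re

# Credential types named in the advisory. AKIA/ASIA + 16 characters is the
# commonly used shape of an AWS access key ID; the Snowflake and password
# patterns are heuristics assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_reference": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd|secret)\s*[:=]\s*(\S+)", re.I),
}

# Constructed sample export: one dict per record (hypothetical layout).
SAMPLE_RECORDS = [
    {"Id": "case-001", "Subject": "S3 upload fails",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE from the deploy job."},
    {"Id": "case-002", "Subject": "Warehouse login",
     "Description": "Connect to acme-xy12345.snowflakecomputing.com, password: Hunter2!demo"},
    {"Id": "case-003", "Subject": "Billing question",
     "Description": "Customer asks about the invoice date."},
]

def redact(value, keep=4):
    """Keep a short prefix only, so the report does not leak the secret again."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """Return (record id, field, secret kind, redacted value) for every match."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(m.lastindex or 0)  # capture group if present
                    findings.append((rec["Id"], field, kind, redact(secret)))
    return findings

def rotation_list(findings):
    """Collapse findings into unique (record id, secret kind) pairs to rotate."""
    return sorted({(rid, kind) for rid, _, kind, _ in findings})

if __name__ == "__main__":
    for rid, kind in rotation_list(scan_records(SAMPLE_RECORDS)):
        print(f"{rid}: rotate {kind}")
```

A match means the secret sat in data reachable through the integration and should be rotated at its source; a clean scan does not show that nothing was exposed, since the patterns are heuristics.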