Google has confirmed that the Salesloft Drift breach is more extensive than initially reported, impacting not just Salesforce integrations but also a small number of Google Workspace email accounts. The campaign, attributed to UNC6395 and revealed on August 26, initially centered on attackers stealing OAuth tokens linked to Drift’s AI chat integration with Salesforce. With these, intruders were able to run queries against critical objects like Cases, Accounts, Users, and Opportunities.
The data harvested from Salesforce environments included customer support tickets and sensitive communications, which in many cases contained cloud credentials such as AWS keys, Snowflake tokens, and plain passwords. For healthcare organizations, this type of compromise could expose protected health information (PHI) indirectly by enabling access to cloud platforms supporting clinical systems or patient services.
In its latest update, Google disclosed that Drift OAuth tokens tied to the Drift Email integration were also compromised. On August 9, attackers used these tokens to access the email of a “very small number” of Google Workspace accounts. While no broader breach of Google Workspace was found, the exposure raises particular concerns for healthcare providers, where even a small set of compromised accounts could result in unauthorized access to patient communications, scheduling systems, or sensitive internal correspondence.
Google has since revoked the affected tokens, disabled the Drift Email integration with Workspace, and informed impacted organizations. It is now urging all Drift customers to treat all connected authentication tokens as compromised, rotate credentials, and review logs for evidence of unauthorized access. These steps are critical for healthcare organizations where regulatory obligations under HIPAA demand thorough breach response and remediation.
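To turn "rotate credentials" into a concrete work list, the sketch below scans exported support-case text for embedded secrets of the kinds described above and reports which cases hold credentials that need rotation. It is an added example, not code from Google, Salesloft or Mandiant. The record layout (Id, Subject, Description), the sample cases and the regular expressions are assumptions and heuristics to tune for your own export.

```python
import re

# Heuristic patterns (assumptions): they favour recall over precision, so
# every hit still needs a human to confirm and rotate the credential.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*(\S+)"),
    "token_or_secret": re.compile(
        r"(?i)\b(?:token|secret|api[_-]?key)\b\s*[:=]\s*(\S{8,})"),
}

def redact(value):
    """Keep a 4-character prefix so the owner can recognise the secret
    without the report re-exposing it; short values are fully masked."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)

def scan_cases(cases):
    """Return one finding per match: (case id, pattern name, redacted value)."""
    findings = []
    for case in cases:
        text = f"{case.get('Subject', '')}\n{case.get('Description', '')}"
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Use the captured value when the pattern has a group,
                # otherwise the whole match (the AWS key id itself).
                value = m.group(1) if pattern.groups else m.group(0)
                findings.append((case["Id"], name, redact(value)))
    return findings

# Constructed sample records. The AWS key is the placeholder key id used in
# AWS documentation; the other values are made up.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Subject": "S3 sync failing",
     "Description": "We use key AKIAIOSFODNN7EXAMPLE for the upload job."},
    {"Id": "CASE-0002", "Subject": "Login loop",
     "Description": "User cannot sign in after the update."},
    {"Id": "CASE-0003", "Subject": "Warehouse connector",
     "Description": "Snowflake service account, password: Winter2024!x "
                    "and token=abcd1234efgh5678"},
]

if __name__ == "__main__":
    for case_id, kind, masked in scan_cases(SAMPLE_CASES):
        print(f"{case_id}\t{kind}\t{masked}")
```

The output is a rotation queue, not proof of misuse; pair each finding with a review of the matching cloud provider's access logs for the period the token was exposed.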
Meanwhile, Salesloft has disabled Drift integrations with Salesforce, Slack, and Pardot while working with Mandiant and Coalition to investigate the incident further. The investigation aims to identify the scope of impact across customer organizations and restore trust in Drift’s integrations.
For healthcare providers, the Drift breach is a stark reminder of the risks tied to third-party SaaS integrations. Security leaders should prioritize credential rotation, auditing of third-party connections, and zero-trust integration policies to protect sensitive health data. Given the potential for OAuth token abuse, healthcare organizations must go beyond endpoint defenses and actively monitor cloud and email environments for signs of unauthorized access.