Google is urging all users of the Salesloft Drift AI chat agent to treat every authentication token stored in or connected to the platform as potentially compromised. The warning comes after investigators found that unknown attackers had used some of these credentials to gain unauthorized access to email belonging to Google Workspace accounts.
In response to the breach, Google has revoked all tokens involved in the attacks and has temporarily disabled the integration linking the Salesloft Drift agent with Workspace accounts. The company has also notified all impacted users while continuing a deeper investigation into the incident.
Compromise broader than first reported
The updated findings—published Thursday in a Google threat advisory—show that the earlier breach report underestimated the extent of the intrusion. Initially, the Google Threat Intelligence Group believed the stolen tokens were limited to Drift’s integration with Salesforce. However, the newly confirmed access to Workspace accounts prompted Google to reconsider the scope.
Google states that there is currently no evidence indicating that other Salesloft products or services outside of Drift have been compromised.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” the advisory noted. “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
As of Thursday, Salesloft’s own security guidance page did not mention Google’s expanded findings, still indicating that only Salesforce-related Drift integrations were impacted. Company representatives have not yet responded to requests seeking clarification regarding Google’s latest assessment.
