Overview
- Google says attackers used OAuth tokens from the Drift Email integration to access a very small number of Google Workspace accounts on August 9; Google then revoked those tokens, disabled the integration, and notified administrators.
- Investigators report data exfiltration from Salesforce between August 8 and 18 using compromised OAuth tokens, with targeted harvesting of secrets such as AWS access keys and Snowflake tokens.
- Salesforce and Salesloft revoked Drift–Salesforce connections and removed the app from AppExchange, requiring administrators to re‑authenticate affected integrations.
- Organizations are advised to review all Drift-linked integrations, revoke and rotate credentials, scrutinize logs for unauthorized access, and inspect Salesforce objects for exposed secrets.
- Attribution remains unsettled: GTIG links the activity to UNC6395, while ShinyHunters claims responsibility. Vendors say the number of directly affected customers appears small, yet the overall scope is still unclear.
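
For the advice above to inspect Salesforce objects for exposed secrets, here is an added example (not from the original article or any vendor) that scans a CSV export of record text for AWS access key IDs, Snowflake account hostnames and keyword-assigned credentials, redacting each hit in the report. The column names, regexes and sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumed patterns for this example; extend them for the credential types you issue.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    # Only flag keywords that are followed by ':' or '=' and a value,
    # so ordinary phrases such as "password reset" are not reported.
    "credential_keyword": re.compile(
        r"\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+", re.I),
}

def redact(value, keep=4):
    """Keep a short prefix so the finding is traceable without re-leaking it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_export(csv_text, id_column="Id"):
    """Return one finding per pattern hit in any text field of the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, text in row.items():
            if field == id_column or not text:
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({"record": row[id_column], "field": field,
                                     "kind": kind, "match": redact(m.group(0))})
    return findings

# Constructed sample export (hypothetical record IDs and placeholder values).
SAMPLE_EXPORT = '''Id,Subject,Description
500000000000001,Login issue,"Customer cannot log in after password reset email."
500000000000002,S3 sync failing,"Using key AKIAIOSFODNN7EXAMPLE with secret=EXAMPLE-NOT-A-REAL-SECRET"
500000000000003,Warehouse access,"Connect to acme-xy12345.snowflakecomputing.com, token: abc123placeholder"
'''

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f['record']} {f['field']:<12} {f['kind']:<22} {f['match']}")
```

Every record the scan flags points to a credential that should be rotated at its issuer, since removing the text from the record does not invalidate a secret that was already exposed.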