Google has urged users of the Salesloft Drift AI chat agent to assume all tokens linked to the platform are compromised after attackers used credentials to access Google Workspace email accounts. In response, Google revoked the tokens involved in the breaches and disabled Drift’s integration with Workspace accounts as it investigates further, with affected account holders notified.
A Thursday advisory update from Google Threat Intelligence Group says the breach is broader than initially disclosed and is not limited to Salesforce integrations. “We now advise all Salesloft Drift customers to treat any authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Salesloft’s own security guidance page had previously indicated that the breach affected only Drift integrations with Salesforce; Google’s update expands that scope, prompting a rethink of the overall threat surface. The company did not immediately respond to requests for confirmation.
The advisory notes that the scope includes other integrations with Drift beyond Salesforce and that Workspace accounts were affected, underscoring the risk of credential theft across connected apps. Salesforce has also acted, disabling Drift integrations with its Slack and Pardot platforms in response to the sequence of events.
Google recommends that Drift customers review all third‑party integrations, revoke and rotate credentials for connected apps, and investigate for signs of unauthorized access. The company has retained Mandiant to assist with incident response as the investigation continues.
