
A recent mass theft of authentication tokens from Salesloft's Drift AI chatbot has escalated into a significant supply chain security incident, with Google warning that the breach extends far beyond Salesforce data to encompass hundreds of integrated online services including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI. Stolen tokens enabled data exfiltration, including sensitive credentials like AWS keys and VPN access, prompting Google to advise all organizations using Salesloft integrations to immediately invalidate tokens and consider their data compromised due to this 'authorization sprawl' vulnerability. Salesloft has engaged Mandiant to investigate the root cause, underscoring a critical risk for firms relying on integrated cloud platforms.
The mass theft of authentication tokens from Salesloft's Drift AI chatbot represents a significant supply-chain security incident with systemic implications for the enterprise software ecosystem. Google's Threat Intelligence Group (GTIG) confirmed that the breach, perpetrated by a group tracked as UNC6395, extends far beyond initial reports of Salesforce (CRM) access. The attackers exfiltrated data between August 8 and August 18, 2025, using stolen tokens to access numerous integrated platforms including Google Workspace (GOOG/GOOGL), Amazon S3 (AMZN), Microsoft Azure (MSFT), and OpenAI. The primary objective appears to be the acquisition of secondary credentials, such as AWS keys and access to Snowflake (SNOW) instances, to enable deeper, persistent compromise of victim environments. This attack methodology exploits a vulnerability described as "authorization sprawl," where legitimate, integrated access between cloud services becomes a vector for undetected lateral movement. In response, Salesforce has blocked the Drift integration, and Salesloft has engaged Google's Mandiant division for a root cause analysis, underscoring the severe reputational and operational risk for companies at the center of interconnected cloud architectures. While attribution remains officially unconfirmed by Google, the incident highlights the growing threat from sophisticated actors targeting pivotal third-party service providers.
Overall Sentiment
strongly negative
Sentiment Score
-0.80
Ticker Sentiment