Google has revealed that the recent wave of targets target attacks through salesloft flow is much widespread compared to before, stating that it affects all integrations.
“Now we recommend all the salesloft drift customers to treat any and all certification tokens or to be associated with the drift platform or potentially compromised,” Google Danger Intelligence Group (GTIG) and Mandiants said in an update advisory.
Tech veteran said that the attackers used the stolen tokens on August 9, 2025, after compromising the Oauth tokens for “drift email” integration, to reach email from a small number of Google workspace email accounts on August 9, 2025. It is worth noting that this is not a compromise of Google workspace or alphabet.
Google said, “Possible accounts that were potentially accessible were those who were especially configured to integrate with salesloft; the actor would not be able to reach any other accounts on the customer’s scripture domain,” said Google.
After the discovery, Google stated that it informed the affected users, canceled the specific Oauuth tokens given to the drift email application, and disabled integration functionality between Google workspace and salesloft flow amid the ongoing investigation into the incident.
The company is urging organizations using salesloft drifts to review all third-party integrations associated with their examples, cancel and rotate credentials for those applications, and check all connected systems for indications of unauthorized access.
The widespread of the radius of the attack, shortly after, Google exposed that it was described as a comprehensive and opportunistic data theft campaign, which allowed the actors of the danger, an emerging activity cluster dubbed UNC6395, which was compromised from the Othe Linge from the Othe Lool, which was compromised by the Cellsforce examples from 8 August to 18, 2025 to target Cellsforce examples to target examples. For.
Sailsloft has since revealed that the salesforce has temporarily deactivated the flow integration between salesforce, slack and pardot, to follow it only about three hours later, the salesforce has chosen to temporarily disable all salesloft integration with “salesforce.”
“Based on the investigation to date, there is no evidence of malicious activity in the cellsloft integration related to the flow of flows,” it is mentioned. “Additionally, at this time, there are no indications that cellsloft integration is compromised or at risk.”
