Google Warns of Expanded Token Compromise Affecting Salesloft Drift AI Agent

Key Points

  • Google warns that authentication tokens linked to Salesloft Drift may be compromised.
  • The company revoked compromised tokens and disabled Drift integration with Google Workspace.
  • New information shows the breach affects more than just Salesforce integrations.
  • Google advises all Drift customers to treat any stored or connected tokens as potentially compromised.
  • Salesloft’s public guidance still mentions only the Salesforce integration.
  • Users should review token usage, rotate credentials, and monitor for suspicious activity.
  • The disabled integration may disrupt workflows that rely on Drift and Workspace connectivity.

Google warns that mass data theft hitting Salesloft AI agent has grown bigger

Google’s Immediate Response

Google issued an advisory informing users of the Salesloft Drift AI chat agent that security tokens associated with the platform may have been accessed by unknown attackers. In reaction to the discovery, Google revoked the compromised tokens and disabled the integration between the Drift agent and all Google Workspace accounts. The company also notified affected account holders of the potential compromise while it continues its investigation.

Scope of the Compromise

Initial reports suggested the breach was limited to Drift integrations with Salesforce. However, further analysis revealed a broader impact. Google’s update states, “Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.” This indicates that any authentication token stored in or connected to the Drift platform could be at risk, expanding the threat beyond the originally identified vector.

Guidance for Drift Customers

Google now advises all Salesloft Drift customers to treat any and all authentication tokens linked to the platform as potentially compromised. The recommendation includes reviewing token usage, rotating credentials where possible, and monitoring for suspicious activity. By disabling the integration, Google aims to prevent further unauthorized access while users assess their security posture.

Salesloft’s Public Position

Following Google’s expanded findings, Salesloft’s security guidance page continues to reference only the Salesforce integration as affected. The company has not added the updated information to its public guidance and has not responded to inquiries seeking confirmation of Google’s broader assessment. This discrepancy highlights a gap between the two companies’ communications regarding the extent of the breach.

Implications for Users

Organizations that rely on the Drift AI agent for workflow automation or customer engagement should review their token management practices immediately. The revocation of tokens and disabled integration may disrupt existing processes that depend on seamless connectivity between Drift and Google Workspace. Users are encouraged to work with both Google and Salesloft to re-establish secure connections once the investigation concludes and updated guidance is released.

Source: arstechnica.com