In our recent blog, SaaS Supply Chain Failures: What the Salesloft Drift Attack Taught Us About Customer Trust, we explored how attackers weaponized OAuth tokens from Salesloft Drift to compromise Salesforce data at Zscaler, Palo Alto Networks, Cloudflare, and hundreds of other organizations.
New intelligence shows the breach didn’t stop at Salesforce. According to Google Cloud’s Threat Intelligence team, the same campaign also exploited Drift integrations with Google Workspace—exposing email, documents, and collaboration systems at Alphabet and other organizations.
This wasn’t just a CRM compromise. It was a core productivity compromise. And it signals a broader problem: once SaaS integrations are abused, attackers can pivot into business-critical platforms far beyond the initial vendor.
What the Expanded Breach Reveals
Salesforce Was Just the First Door
Attackers systematically queried Salesforce objects like Accounts, Opportunities, Cases, and Users. They didn’t smash and grab—they exfiltrated selectively and deleted logs to cover their tracks.
Google Workspace Became the Next Target
OAuth tokens tied to Drift’s Gmail integration gave attackers limited but powerful access to Workspace accounts. Alphabet confirmed exposure of internal communications data, proving the pivot from CRM to collaboration.
Secrets and Persistence Were Priorities
Beyond data, attackers targeted AWS keys, Snowflake tokens, and API credentials embedded in Salesforce records. They weren’t just stealing customer lists—they were planting footholds for broader compromise.
The Supply Chain Is the Real Vulnerability
Drift wasn’t the end goal—it was the entry point. The campaign demonstrated that attackers are mapping SaaS interconnections as deliberately as enterprises design them.
Why This Matters More Than Salesforce
- Email and collaboration systems are crown jewels. If attackers can read, impersonate, or tamper with executive email, the downstream risk spans fraud, insider trading, and reputational fallout.
- OAuth tokens outlast password resets. Compromised integrations remain valid until explicitly revoked.
- Your SaaS ecosystem is only as secure as its weakest integration. A single overlooked vendor app can connect attackers directly to your most critical systems.
How Organizations Can Respond Now
- Revoke and Rotate OAuth Tokens: Treat all Drift-linked Salesforce and Google Workspace tokens as compromised until proven otherwise.
- Search Logs for Stealthy Exfiltration: Google recommends reviewing SOQL queries, log deletions, and Tor-based access attempts for hidden attacker activity.
- Reduce Integration Scope: Avoid “all access” permissions when connecting SaaS tools. Limit integrations to the least privilege required.
- Harden SaaS Access Controls: Apply MFA, IP allowlists, and session timeouts to Salesforce and Workspace accounts with elevated permissions.
- Make SaaS Risk a Continuous Priority: Third-party risk management must include ongoing monitoring of SaaS integrations—not just point-in-time reviews.
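As an added illustration of the log-review step above (not code from the original post or from Google’s guidance), the triage below flags the three indicator types named there in constructed Salesforce-style audit records: broad SOQL reads of the objects the campaign queried, deletion of job or log records, and access from Tor exit nodes. The record layout, field names and the exit-node list are constructed placeholders, not the real Salesforce event log schema or real indicators.

```python
"""Triage constructed Salesforce-style audit records for Drift-campaign
indicators: bulk SOQL pulls of sensitive objects, log/job deletions, and
access from known Tor exit nodes. Field names and sample data are constructed."""
import re

# Objects the campaign was reported to query (compared case-insensitively).
SENSITIVE_OBJECTS = {"account", "opportunity", "case", "user"}
# Constructed placeholder exit-node list; load a real Tor exit feed in practice.
TOR_EXIT_NODES = {"198.51.100.23", "203.0.113.77"}
# Constructed event names standing in for actions that erase forensic evidence.
LOG_DELETION_EVENTS = {"BulkApiJobDelete", "EventLogFileDelete"}

SOQL_FROM = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)
SOQL_LIMIT = re.compile(r"\bLIMIT\s+(\d+)", re.IGNORECASE)

def soql_is_bulk_sensitive(query: str, bulk_threshold: int = 1000) -> bool:
    """True when a query reads a sensitive object with no LIMIT or a large one."""
    m = SOQL_FROM.search(query)
    if not m or m.group(1).lower() not in SENSITIVE_OBJECTS:
        return False
    lim = SOQL_LIMIT.search(query)
    return lim is None or int(lim.group(1)) >= bulk_threshold

def triage(records):
    """Return (record_id, reason) findings; a record may trigger several."""
    findings = []
    for r in records:
        if r["event"] == "ApiQuery" and soql_is_bulk_sensitive(r.get("query", "")):
            findings.append((r["id"], "bulk query of sensitive object"))
        if r["event"] in LOG_DELETION_EVENTS:
            findings.append((r["id"], "log/job deletion"))
        if r["source_ip"] in TOR_EXIT_NODES:
            findings.append((r["id"], "access from Tor exit node"))
    return findings

# Constructed sample records shaped loosely like Salesforce event log rows.
SAMPLE = [
    {"id": 1, "event": "ApiQuery", "source_ip": "192.0.2.10",
     "query": "SELECT Id, Name FROM Account"},
    {"id": 2, "event": "ApiQuery", "source_ip": "192.0.2.10",
     "query": "SELECT Id FROM Contact LIMIT 5"},
    {"id": 3, "event": "ApiQuery", "source_ip": "198.51.100.23",
     "query": "SELECT Id, Email FROM User LIMIT 50000"},
    {"id": 4, "event": "BulkApiJobDelete", "source_ip": "198.51.100.23"},
]

if __name__ == "__main__":
    for rid, reason in triage(SAMPLE):
        print(f"record {rid}: {reason}")
```

Correlating findings per connected app and per token, rather than per record, is what turns these single hits into the "selective exfiltration plus cleanup" pattern described above.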
How Carson & SAINT Helps Contain SaaS Supply Chain Risk
At Carson & SAINT, we help organizations protect themselves against SaaS supply-chain compromises with:
- Third-Party Risk Assessments that evaluate how integrations and tokens expand the attack surface.
- Penetration Testing for SaaS ecosystems that simulate OAuth token theft and cross-platform pivoting.
- SAINT VRM to prioritize SaaS vulnerabilities by business impact, not raw volume.
- Incident Response Assessments that help organizations revoke tokens, validate exposure, and harden defenses in real time.
We go beyond awareness. We help you build resilience—because customer trust depends on it.
Don’t Wait for the Next Pivot
The Salesloft Drift campaign is no longer just a Salesforce problem—it’s a SaaS ecosystem problem. When integrations cross from CRM to collaboration, attackers aren’t stealing data. They’re stealing the fabric of how your organization works.
Don’t wait until the next pivot reaches your core systems. Let’s review your SaaS exposure now, and close the gaps before attackers do.
Contact us today to schedule a SaaS risk assessment.