Modern work does not live in one app. It lives in a mesh of email, files, chat, and a web of connectors that shuttle data between them. That is why the Salesloft/Drift incident landed with such force for Google Workspace teams. No one “hacked Google.” Attackers rode a trusted integration and ended up with exactly what they wanted: data.
In early August, the same threat actor that plundered Salesforce records via compromised OAuth tokens also used stolen Drift Email tokens to access a small number of Google Workspace mailboxes that had explicitly integrated with Drift.
On August 9, Google confirmed that activity, revoked the tokens, and disabled the integration. It was a clean illustration of how delegated access can sidestep your usual guardrails.
When the App Graph Becomes the Attack Surface
If you have spent the past few years tightening identity, hardening MFA, and killing legacy protocols, this might feel unfair. You can do all of that and still lose ground to a third‑party token with perfectly legitimate scopes.
The uncomfortable truth is that the attack surface is now the app graph—the lattice of OAuth grants and API permissions that bind your SaaS together.
The security story is no longer about whether a login prompt fired. It is about what an integration is allowed to do once it is in.
What Customers Actually Felt During Salesloft/Drift
We spent the days after the disclosure talking with customers. The mood was not panic; it was a measured assessment. Our threat research team built a series of detections to scan for IOCs related to the breach. Teams mapped where Drift was connected, pruned access, and rotated keys.
With Material in place, the attacker’s dwell time becomes largely irrelevant. Material’s Account Takeover Resilience protects the sensitive mailbox data at rest, so while the token could have given access to the mailbox, access to the most sensitive data still demanded a human step‑up.
... continue reading