Google Workspace integration visibility and step-up controls against stolen OAuth tokens
Defensive Guidance
Summary
Google Workspace is responding to the Salesloft Drift token-abuse campaign by treating all authentication tokens stored in or connected to Drift as potentially compromised. Google said stolen OAuth tokens were used to access email from a small number of Google Workspace accounts on August 9, 2025, affecting only accounts explicitly configured to integrate with Salesloft and not Google Workspace or Alphabet itself. The broader activity cluster, UNC6395, used compromised Drift tokens against Salesforce instances from August 8 to 18, 2025, prompting token revocation, integration shutdowns, and review of connected third-party systems.
Related Happenings
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Storm infostealer server-side decryption activity
Malware Activity
First: 02.04.2026 17:15
Last: 02.04.2026 17:15
Sources 1
About this happening:
The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Timeline
-
08.10.2025 17:02 · 1 article · 7mo ago
Google confirms stolen Drift Email token activity
Initial Disclosure
Google confirmed that a threat actor used stolen Drift Email tokens to access a small number of Google Workspace mailboxes that had explicitly integrated with Drift, then revoked the tokens and disabled the integration.
Sources:
- Defend the Target, Not Just the Door: A Modern Plan for Google Workspace — www.bleepingcomputer.com — 08.10.2025 17:02
-
29.08.2025 10:24 · 1 article · 9mo ago
Google warns Salesloft Drift customers to treat stored tokens as compromised
Mitigation Patch Update
Google said the Salesloft Drift attack is broader than first thought, warning all Drift customers to treat any authentication tokens stored in or connected to Drift as potentially compromised. The company said stolen OAuth tokens were used to access email from a small number of Google Workspace accounts on August 9, 2025, revoked the specific Drift Email tokens, disabled the Google Workspace-Salesloft Drift integration, and urged organizations to review, revoke, and rotate credentials for connected third-party integrations.
Sources:
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24