
Google Salesforce Data Breach (2025) Explained: What really happened, Who’s affected, and How to stay safe

Illustration of a Salesforce dashboard overlaid with a warning icon and a Gmail envelope

Google Salesforce Data Breach headlines are everywhere, with some posts claiming “2.5 billion Gmail users” are in danger. Here’s the reality, based on Google’s own advisory and independent reporting: attackers abused third-party integrations—specifically the Salesloft Drift ecosystem—to steal OAuth tokens and pull data from multiple companies’ Salesforce instances.

Google confirms that one of its corporate Salesforce systems was accessed and that a very small number of Google Workspace email accounts integrated with Salesloft may have been accessed via Drift Email tokens; the company says there was no compromise of Gmail or Google Cloud customer data.

At the same time, separate disclosures show how serious this campaign is across industries. Credit bureau TransUnion says a Salesforce-linked incident exposed data for over 4.4 million people in the U.S., and samples shared with reporters include names, addresses, dates of birth—and unredacted Social Security Numbers.


Key facts, verified

Takeaway: The “Gmail breached” narrative is misleading. The risk to everyday users comes from phishing and vishing waves fueled by contact data stolen from corporate CRMs—not from a direct mass theft of Gmail inboxes.


How the Google Salesforce data breach actually worked

UNC6395 didn’t smash down Google’s front door. Instead, they stole OAuth tokens tied to a third-party app (Salesloft Drift) that many companies connect to Salesforce. With those tokens, the actor could query Salesforce objects such as Users, Accounts, Cases, and Opportunities—data rich enough to supercharge social engineering and credential theft. Google’s advisory even lists example SOQL queries and IOCs that defenders should hunt for in logs.

On August 28, Google updated its post to add that the actor also compromised Drift Email tokens, which enabled access to a very small number of Google Workspace mailboxes only where customers had integrated Salesloft with Workspace email. Those tokens have since been revoked.

Security reporters say this was not an isolated case: the same modus operandi—compromised connected-app tokens—appears across organizations that paired Drift/Salesloft with Salesforce. That’s why you’re seeing synchronized advisories from Google researchers and enterprise security outlets.
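The advisory's point that defenders should hunt for connected-app queries in their logs is easier to act on with a concrete sketch. The following is an added example (not Google's, Salesforce's or Salesloft's code) of detection logic over a small set of constructed, Salesforce-style API event records: it groups queries by connected app, notes which of the objects named above (User, Account, Case, Opportunity) each app touched, and flags an app that either pulled a bulk row count from one of those objects or swept across several of them. The record schema, the app names, the IP addresses and the thresholds are all assumptions for the example, not vendor field names or published IOCs.

```python
"""Detection sketch for bulk CRM pulls via a connected app's OAuth token.

Added example, not code from Google, Salesforce or Salesloft. The log format
is a constructed JSON-lines simplification of an API event record with fields
ts, connected_app, user, source_ip, operation, soql and rows.
"""
import json
import re
from collections import defaultdict

# Objects the article names as queried by the actor; bulk export of these
# feeds social engineering. Extend to taste for your own org.
SENSITIVE_OBJECTS = {"User", "Account", "Case", "Opportunity"}

# Thresholds are assumptions for the example, not vendor guidance.
BULK_ROWS = 10_000                 # one query returning this many rows is "bulk"
MAX_SENSITIVE_OBJECTS_PER_APP = 3  # touching more than this many is a "sweep"

FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
{"ts":"2025-08-09T02:11:04Z","connected_app":"Drift","user":"integration@example.com","source_ip":"203.0.113.10","operation":"query","soql":"SELECT Id, Name FROM Account LIMIT 200","rows":200}
{"ts":"2025-08-09T02:11:09Z","connected_app":"Drift","user":"integration@example.com","source_ip":"203.0.113.10","operation":"query","soql":"SELECT Id, Email, Username FROM User","rows":48000}
{"ts":"2025-08-09T02:12:40Z","connected_app":"Drift","user":"integration@example.com","source_ip":"203.0.113.10","operation":"query","soql":"SELECT Id, Subject, Description FROM Case","rows":310000}
{"ts":"2025-08-09T02:14:02Z","connected_app":"Drift","user":"integration@example.com","source_ip":"203.0.113.10","operation":"query","soql":"SELECT Id, Amount FROM Opportunity","rows":92000}
{"ts":"2025-08-09T09:30:00Z","connected_app":"ChatWidget","user":"svc-chat@example.com","source_ip":"198.51.100.7","operation":"query","soql":"SELECT Id FROM Lead WHERE Email = 'a@b.c'","rows":1}
"""


def parse_log(text):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole hunt
    return records


def queried_object(soql):
    """Return the object name after FROM in a SOQL statement, or None."""
    m = FROM_RE.search(soql or "")
    return m.group(1) if m else None


def find_suspicious_apps(records):
    """Map connected app -> finding for apps whose query pattern looks like a
    CRM export: a bulk query on a sensitive object, or a sweep across more
    than MAX_SENSITIVE_OBJECTS_PER_APP of them."""
    per_app = defaultdict(lambda: {"objects": set(), "bulk": [], "ips": set()})
    for r in records:
        if r.get("operation") != "query":
            continue
        obj = queried_object(r.get("soql"))
        if obj not in SENSITIVE_OBJECTS:
            continue
        entry = per_app[r.get("connected_app", "<unknown>")]
        entry["objects"].add(obj)
        entry["ips"].add(r.get("source_ip"))
        if r.get("rows", 0) >= BULK_ROWS:
            entry["bulk"].append((r.get("ts"), obj, r.get("rows")))

    findings = {}
    for app, e in per_app.items():
        sweep = len(e["objects"]) > MAX_SENSITIVE_OBJECTS_PER_APP
        if e["bulk"] or sweep:
            findings[app] = {
                "reason": "bulk export" if e["bulk"] else "object sweep",
                "objects": sorted(e["objects"]),
                "bulk_queries": e["bulk"],
                "source_ips": sorted(e["ips"]),
            }
    return findings


if __name__ == "__main__":
    for app, f in find_suspicious_apps(parse_log(SAMPLE_LOG)).items():
        print(app, f["reason"], f["objects"], f["source_ips"])
```

Run as-is, the constructed integration app is flagged for bulk exports of User, Case and Opportunity (and would also be flagged for the four-object sweep), while the chat widget's single-row Lead lookup is ignored. In a real deployment you would feed this from your platform's API event export, tune the thresholds to each app's normal baseline, and pair it with the advisory's published indicators rather than the placeholder values here.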


Where the “2.5 billion Gmail users” claim comes from—and what’s off

Tabloid-style coverage conflated Gmail’s global user count with breach impact, implying all Gmail inboxes were exposed. Google’s statement does not support that. Instead, Google describes a corporate Salesforce system that stored business contact information and targeted access to a very small number of Drift-integrated Workspace accounts—followed by revocation of tokens and disabling of the integration.

The real public-safety risk is a surge of convincing phishing/vishing that references your employer or past interactions, not a dump of Gmail passwords.


TransUnion: why this one hits differently

Unlike Google’s corporate-contacts case, the TransUnion disclosure is about consumer PII. The company’s notice and follow-up reporting confirm over 4.4 million affected individuals in the U.S., with samples showing names, addresses, phone numbers, dates of birth, and unredacted SSNs—plus customer-support tickets stored in Salesforce. That’s the kind of information criminals use for account takeover, loan fraud, and synthetic identities.

In short: the same campaign technique (abusing third-party tokens into Salesforce) can have very different consequences depending on what a victim organization kept inside its CRM.


What to do right now (individuals)

  1. Enable a phishing-resistant sign-in method. Turn on passkeys or at least multi-factor authentication for Google and any account that matters. Then complete Google’s Security Checkup to review recovery options and suspicious devices. (Google and independent outlets urge stronger auth given the phishing uptick.)
  2. Be vishing-aware. Google won’t call you out of the blue about “security,” and pressure tactics (“reset now or be locked out”) are classic social-engineering tells. Hang up and contact the company through an official channel.
  3. Expect smarter phish. Attackers may reference your workplace, vendor, or an ongoing ticket because CRM data helps them sound legit. Treat unexpected links and “login” pages with suspicion—even if the email signature looks perfect.
  4. If TransUnion notifies you: freeze your credit with all three bureaus, use identity-monitoring services offered, and watch for new-account alerts. Stolen SSNs enable long-tail fraud.

What to do right now (IT & security teams)


FAQ

Was Gmail “breached”?
No. Google reports no compromise of Gmail or Google Cloud customer platforms. A corporate Salesforce system with business contact info was accessed, and a small number of Workspace mailboxes tied to a specific third-party integration were potentially accessed via OAuth tokens; tokens were revoked and the integration disabled.

Who’s behind it?
Google tracks the actor as UNC6395. Some outlets reference ShinyHunters in adjacent Salesforce-theft activity; regardless of branding, the common thread is abusing connected-app tokens to exfiltrate CRM data.

Is my credit at risk because of Google’s issue?
Not from Google’s corporate contacts exposure. But the TransUnion breach tied to Salesforce is different: the data there reportedly includes SSNs, which can affect your credit. Follow any TransUnion notice to enroll in monitoring and consider freezes.

How big is the overall campaign?
Security reporters cite hundreds of Salesforce customers impacted or probed, which fits Google’s “widespread” description. Expect more disclosures as companies complete investigations.


Bottom line

The Google Salesforce data breach is best understood as a supply-chain incident: attackers hijacked third-party OAuth tokens to siphon data from Salesforce—not as a direct mass breach of Gmail. For individuals, the practical risk is a flood of convincing phishing and vishing that borrows real details from CRM records.

For enterprises, it’s a wake-up call to treat connected apps as production-critical: least-privilege scopes, token rotation, IP policies, and continuous monitoring aren’t optional anymore. And as the TransUnion case shows, the stakes escalate when sensitive PII (like SSNs) lives in those systems.
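The four controls named above (least-privilege scopes, token rotation, IP policies, continuous monitoring) are the kind of thing that slips once an integration has been running for a year. As an added example, not code from Google, Salesforce or any vendor, here is a small audit over a constructed connected-app inventory that reports which apps hold scopes beyond their approved set, which tokens are past a rotation deadline, and which have no IP restriction. The inventory format, app names, scope labels, the 30-day rotation window and the frozen "now" date are all assumptions for the example.

```python
"""Connected-app hygiene audit: scopes, token age, IP restriction.

Added example, not vendor code. INVENTORY is a constructed export (one dict
per connected app); scope labels and policy values are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Least-privilege baseline: the scopes each approved app is allowed to hold.
ALLOWED_SCOPES = {
    "chat-widget": {"api"},
    "marketing-sync": {"api", "refresh_token"},
}
MAX_TOKEN_AGE = timedelta(days=30)  # rotation threshold (assumed)
# Frozen reference time so the audit is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 8, 28, tzinfo=timezone.utc)

# Constructed inventory, not real data.
INVENTORY = [
    {"app": "chat-widget", "scopes": {"api"},
     "token_issued": "2025-08-20T00:00:00Z", "ip_restricted": True},
    {"app": "marketing-sync", "scopes": {"api", "refresh_token", "full"},
     "token_issued": "2025-03-01T00:00:00Z", "ip_restricted": False},
    {"app": "legacy-export", "scopes": {"full", "refresh_token"},
     "token_issued": "2024-11-15T00:00:00Z", "ip_restricted": False},
]


def audit_app(app, now=NOW):
    """Return a list of human-readable findings for one connected app.
    An empty list means the app passes all three checks."""
    findings = []
    allowed = ALLOWED_SCOPES.get(app["app"])
    if allowed is None:
        # An app nobody approved is a finding on its own; treat every scope as excess.
        findings.append("not in approved-app inventory")
        excess = set(app["scopes"])
    else:
        excess = set(app["scopes"]) - allowed
    if excess:
        findings.append("excess scopes: " + ", ".join(sorted(excess)))

    issued = datetime.fromisoformat(app["token_issued"].replace("Z", "+00:00"))
    if now - issued > MAX_TOKEN_AGE:
        findings.append(f"token older than {MAX_TOKEN_AGE.days}d: rotate")

    if not app.get("ip_restricted"):
        findings.append("no IP restriction on token use")
    return findings


def audit_inventory(inventory, now=NOW):
    """Audit every app; returns {app name: [findings]}."""
    return {a["app"]: audit_app(a, now) for a in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

With the constructed data, the chat widget passes, the marketing sync is flagged for holding a broad "full" scope on a stale, unrestricted token, and the unapproved legacy export collects every finding. Exporting the real inventory from your platform and running a check like this on a schedule is the "continuous monitoring" half of the advice; the other half is actually revoking and re-issuing what it flags.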

Do the basics well—passkeys/MFA, security checkups, zero-trust on phone calls—and press your vendors about exactly how their integrations store and protect tokens. It’s not enough to lock your front door if the side gate is wide open.


Sources

Google Threat Intelligence & Mandiant joint advisory on Salesforce/Salesloft Drift campaign; update confirming limited Drift Email mailbox access and no Gmail/Google Cloud customer compromise.

TransUnion breach via Salesforce; scope & data types (incl. unredacted SSNs).

Coverage of widespread Salesforce data-theft campaign and third-party token abuse.

