The recent Salesforce–Salesloft Drift attack, first disclosed by Google's Threat Intelligence Group on August 26, 2025, used stolen OAuth tokens issued to the third-party AI chatbot Salesloft Drift to exfiltrate large volumes of data from Salesforce tenants. The threat actor, tracked as UNC6395, abused the integration between Salesforce and Salesloft Drift: with valid tokens, its queries looked like ordinary integration traffic rather than a break-in. The campaign was first thought to affect only the Salesforce integration, but its scope later proved to be much broader. Its primary goal was to harvest secrets stored in CRM data, such as AWS access keys, passwords, and Snowflake-related access tokens, and it affected hundreds of organizations.
The full extent of the attack quickly became apparent, as it was not limited to the Salesforce–Salesloft Drift integration. On August 28, Google confirmed that a small number of Google Workspace accounts had also been accessed through the Drift Email integration. Similar disclosures followed from security firms including Cloudflare, Palo Alto Networks, and Zscaler. The total number of organizations affected is now estimated to be over 700, and the list of confirmed victims includes the cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable, which underlines how far the breach reached.
Proofpoint, SpyCloud, Tanium, and Tenable have each confirmed that their Salesforce instances were compromised in this supply chain incident. Proofpoint stated that the attackers viewed information within its Salesforce tenant but found no evidence that its software, services, or customer data were affected. SpyCloud, a former Salesloft Drift customer, reported that standard customer relationship management fields were exposed, including business contact data, but that no consumer data was accessed. These confirmations show how a compromised third-party integration can yield sensitive corporate information even at an organization that is no longer an active user of that application.
The specific data compromised varied among the affected companies. Tanium confirmed that names, email addresses, phone numbers, and location references were taken via the Salesloft Drift integration, but stressed that its main platform and internal systems were not accessed. Tenable reported that support case information, including subject lines, descriptions, and business contact details, was compromised. Both companies noted that they had found no evidence of further access or misuse of the stolen information, and that they had taken immediate action: rotating credentials, removing the Drift integration and revoking its access, and enhancing monitoring to detect similar activity. Rotation matters here because support cases routinely contain pasted credentials, so anything that appeared in the stolen records must be treated as burned.
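The remediation step above, deciding which credentials in an exported case set must be rotated, is easy to get wrong by hand. The following triage helper is an added example, not code from any of the vendors named in this article; it scans constructed support-case records for the kinds of secrets the campaign targeted and produces a rotation list without storing the full secret values. The AWS access-key-ID format is documented by AWS and the key `AKIAIOSFODNN7EXAMPLE` is AWS's own placeholder; the `aws_secret_access_key`, `password`, and `snowflake_account` patterns are heuristics I chose for this example and are assumptions, as is the case schema (`id`, `subject`, `description`).

```python
"""Triage helper: find credentials that need rotation after a CRM export is stolen.

Added example; not code from any vendor named in the article.  Patterns are
heuristics (assumptions), except the documented AWS access-key-ID format.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # AWS documents access key IDs as AKIA/ASIA followed by 16 upper alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Assumption: a 40-char base64-like value shortly after the word "secret".
    "aws_secret_access_key": re.compile(
        r"(?i)secret[\w\s]{0,20}?[:=\s]\s*([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    # Assumption: "password=" / "pwd:" style assignments pasted into tickets.
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*([^\s,;]+)"),
    # Assumption: a Snowflake account host next to a token identifies the account
    # whose tokens must be revoked, even when the token itself has no fixed shape.
    "snowflake_account": re.compile(
        r"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.snowflakecomputing\.com\b"),
}

# Constructed sample records; no real customer data.
SAMPLE_CASES = [
    {"id": "C-1001", "subject": "Connector fails to authenticate",
     "description": ("Our uploader uses access key AKIAIOSFODNN7EXAMPLE and "
                     "secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still 403.")},
    {"id": "C-1002", "subject": "Snowflake sync broken",
     "description": ("Token for xy12345.us-east-1.snowflakecomputing.com expired, "
                     "temp password=Winter2025! for svc_etl")},
    {"id": "C-1003", "subject": "Billing question",
     "description": "Please resend the invoice for August."},
]


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    redacted: str  # the triage output never carries the full secret


def redact(value: str) -> str:
    """Keep just enough of the value to identify which credential to rotate."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def scan_text(case_id: str, text: str) -> List[Finding]:
    """Run every pattern over one case's text, in PATTERNS order."""
    found: List[Finding] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            found.append(Finding(case_id, kind, redact(value)))
    return found


def scan_cases(cases: Iterable[dict]) -> List[Finding]:
    """Scan subject and description of each case record."""
    findings: List[Finding] = []
    for case in cases:
        text = f"{case.get('subject', '')}\n{case.get('description', '')}"
        findings.extend(scan_text(case["id"], text))
    return findings


def rotation_plan(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group affected case IDs by credential kind so each owning team gets one list."""
    plan: Dict[str, List[str]] = {}
    for finding in findings:
        cases = plan.setdefault(finding.kind, [])
        if finding.case_id not in cases:
            cases.append(finding.case_id)
    return plan


if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for finding in results:
        print(f"{finding.case_id}  {finding.kind:22s}  {finding.redacted}")
    print(rotation_plan(results))
```

Run it against a real export by replacing `SAMPLE_CASES` with the parsed records; the redacted output is safe to hand to the teams that own the AWS, Snowflake, and service accounts. The patterns err on the side of false positives, which is the right trade-off when the alternative is leaving a live key in an attacker's hands.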
The swift response from the affected organizations illustrates the value of a tested incident response plan. By promptly notifying customers, rotating credentials, and revoking the compromised integration, these firms limited the potential for further damage. The incident is a reminder that even security-focused organizations are exposed to supply chain attacks, where a compromised third-party service with standing OAuth access can be used to read sensitive internal data without touching the victim's own perimeter. It highlights the need for continuous monitoring of integration activity and a proactive approach to third-party access: every connected app and OAuth grant should be inventoried, scoped to the minimum data it needs, and routinely audited, and grants for integrations no longer in use should be revoked rather than left standing.