Google has issued a new warning about the ongoing Salesloft Drift breach, revealing that the scope of the compromise is more extensive than initially believed. While the initial focus was on the theft of OAuth tokens used to access customer Salesforce instances, Google’s investigation has now confirmed that a “very small number” of Google Workspace email accounts were also accessed by the attackers. The threat actors, identified as UNC6395, used compromised tokens from the “Drift Email” integration to gain unauthorized access to these accounts. This discovery broadens the attack’s scope beyond the Salesforce integration, impacting other connected services.
The campaign, first reported on August 26, began with attackers exploiting the Salesloft Drift AI chat integration with Salesforce. The threat actors used stolen OAuth tokens to execute queries against various Salesforce objects, including Cases, Accounts, Users, and Opportunities. Their primary objective was to exfiltrate large volumes of data and, more specifically, to harvest sensitive credentials. The stolen data was then scanned for valuable information like AWS access keys, Snowflake tokens, and passwords, which could be used to facilitate future attacks and potential extortion.
In response to the new findings, Google has taken swift action to protect its users. The company has identified the impacted Google Workspace accounts and revoked the specific OAuth tokens granted to the Drift Email application. Furthermore, Google has disabled the integration between Google Workspace and Salesloft Drift as a precautionary measure while the investigation continues. Google has emphasized that this was not a compromise of Google Workspace or Alphabet itself, but rather a targeted attack on accounts with a direct integration to the vulnerable Drift platform.
The broadening of the attack’s scope has led Google to issue a more urgent and comprehensive warning to all organizations using Drift. Google is now advising all Salesloft Drift customers to “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” This recommendation urges customers to immediately revoke and rotate credentials for any applications integrated with Drift and to conduct thorough investigations of all connected systems for any signs of unauthorized access.
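To act on the advice above, a defender first needs to know which of their own records the attackers could have mined for credentials. The following is an added example, not code from Google's or Salesloft's advisories: it scans exported Salesforce Case records for the credential types this campaign targeted and builds a per-credential-type rotation worklist. The AWS access key ID format is AWS's documented one; the password and token heuristics, the field names and the sample records are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Patterns for the credential types the campaign harvested. The AWS key ID
# format is documented by AWS; the secret-key, password and token heuristics
# are assumptions for this example, not published indicators.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+]{40}"),
    "generic_token": re.compile(r"(?i)\b(?:token|api[_-]?key)\s*[=:]\s*\S{16,}"),
    # Requires an assignment separator so "password reset sent" is not flagged.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S{6,}"),
}

# Constructed sample of exported Case records (AWS's published example keys).
CASES = [
    {"Id": "500AA0000001", "Subject": "Login issue",
     "Description": "Customer cannot log in, password reset sent."},
    {"Id": "500AA0000002", "Subject": "S3 upload failing",
     "Description": "Creds: AKIAIOSFODNN7EXAMPLE / "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500AA0000003", "Subject": "Snowflake connect",
     "Description": "use password=Sup3rS3cret! for user reports_ro"},
]


def redact(secret: str) -> str:
    """Keep a 4-character prefix so the finding is recognisable without re-exposing it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_records(records: List[dict], fields=("Subject", "Description")) -> List[dict]:
    """Return one finding per secret match in the free-text fields of each record."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""  # Salesforce exports may carry nulls
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({"record_id": rec["Id"], "field": field,
                                     "kind": kind, "preview": redact(match.group(0))})
    return findings


def rotation_worklist(findings: List[dict]) -> Dict[str, List[str]]:
    """Group affected record IDs by credential type so each secret gets rotated."""
    worklist: Dict[str, set] = {}
    for finding in findings:
        worklist.setdefault(finding["kind"], set()).add(finding["record_id"])
    return {kind: sorted(ids) for kind, ids in worklist.items()}


if __name__ == "__main__":
    for kind, ids in rotation_worklist(scan_records(CASES)).items():
        print(f"{kind}: rotate credentials referenced in records {ids}")
```

The worklist only says which records exposed which credential type; each listed secret still has to be rotated at its issuing service and its use reviewed in that service's logs.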
Both Google and Salesloft have been collaborating to address the incident. Salesloft has also engaged Mandiant and Coalition to assist with their investigation and has updated its advisory to reflect the latest findings. As a result of the ongoing investigation and heightened security concerns, Salesforce has temporarily disabled all Salesloft integrations with Salesforce, Slack, and Pardot. These steps underscore the severity of the supply chain attack, highlighting the critical need for organizations to proactively manage and secure third-party integrations.