Google links Salesforce data thefts to Salesloft breach
Briefly

Attackers stole OAuth tokens from the Drift integration used by Salesloft to access Salesforce databases between August 8 and 18. The compromise allowed queries against Salesforce objects including cases, accounts, users, and opportunities. Initial findings indicate the attackers focused on stealing credentials and sensitive secrets such as AWS access keys, passwords, and Snowflake-related access tokens. Other high-profile Salesforce-related incidents over the summer have been attributed to ShinyHunters (UNC6240) and are not believed to be linked to this Drift/Salesloft compromise, which is tracked as UNC6395. All active access and refresh tokens were revoked and integrations must be re-authenticated.
Google says a recent spate of Salesforce-related breaches was caused by attackers stealing OAuth tokens from the third-party Salesloft Drift app. Drift is used for automating sales processes, and it integrates with Salesforce databases, pulling relevant information such as leads and contact details into the platform to help coordinate pitches. Crucially, the campaign is being treated separately from the attacks on high-profile organizations - including Google itself - that also involved Salesforce data thefts.
Attacks on the likes of Allianz Life, Workday, Qantas, LVMH brands, and more have been widely reported over the summer, but aren't thought to be linked to the Salesloft compromise. Instead, these incidents have widely been attributed to and claimed by the ShinyHunters group (UNC6240). Google says there isn't enough evidence to suggest the same attackers are behind the Salesloft incidents.
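The brief above reports that the attackers mined stolen Salesforce case and account data for embedded secrets such as AWS access keys and passwords. As an added defensive illustration (not code from the article, Google, Salesloft or Salesforce), the following scans exported Case records for that kind of material so the owning team can rotate it; the sample records and the heuristic patterns are constructed for this example.

```python
import re

# Constructed sample of Salesforce Case records: one harmless ticket and two
# that contain pasted credentials (every value here is made up or an AWS
# documentation example, not a real secret).
SAMPLE_CASES = [
    {"Id": "500000000000001", "Subject": "Login issue",
     "Description": "User cannot sign in since the password reset."},
    {"Id": "500000000000002", "Subject": "S3 sync failing",
     "Description": "Tried with key AKIAIOSFODNN7EXAMPLE and secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000003", "Subject": "Snowflake access",
     "Description": "Connection string: "
                    "snowflake://svc_user:Sup3rS3cret!@acme.snowflakecomputing.com/db"},
]

# Detection patterns. The AWS access key ID shape (AKIA/ASIA plus 16 uppercase
# alphanumerics) is documented by AWS; the 40-character secret and the
# "user:password@host" URL forms are heuristics and will yield some false
# positives, which is acceptable for a triage scan.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "password_in_url": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@", re.I),
}

SCANNED_FIELDS = ("Subject", "Description")


def scan_cases(cases):
    """Return (case Id, field, pattern name) for every hit.

    The matched value is deliberately not returned, so the scan report does
    not itself become a second copy of the secret.
    """
    findings = []
    for case in cases:
        for field in SCANNED_FIELDS:
            text = case.get(field) or ""
            for name, pattern in PATTERNS.items():
                if pattern.search(text):
                    findings.append((case["Id"], field, name))
    return findings


def cases_needing_rotation(cases):
    """Distinct Case Ids whose fields contain something to rotate."""
    return sorted({case_id for case_id, _, _ in scan_cases(cases)})


if __name__ == "__main__":
    for case_id, field, name in scan_cases(SAMPLE_CASES):
        print(f"case {case_id}: {name} found in {field}")
```

In a real exercise the input would be the Case export (or a SOQL query result) covering the window in which the stolen tokens were valid, and every hit is treated as compromised and rotated rather than merely deleted from the record.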
Read at Theregister