What's Happening?
Salesforce customers have been targeted in a significant data theft campaign involving compromised OAuth tokens linked to the Salesloft Drift application. The attack, identified by Google Threat Intelligence Group (GTIG), was carried out by a threat actor known as UNC6395. Between August 8 and August 18, the attackers systematically exfiltrated large volumes of data from numerous Salesforce customer instances. The primary aim was to harvest credentials, including Amazon Web Services access keys and Snowflake-related tokens. Salesloft has revoked all active access and refresh tokens for the Drift app, and Salesforce has removed the app from its AppExchange while investigations continue.
AD
Why It's Important?
This incident underscores the vulnerabilities associated with third-party integrations and the potential for widespread data breaches. The attack highlights the risks of non-human identities (NHIs) and the need for organizations to maintain a comprehensive inventory of such assets. The scale and discipline of the attack suggest a high level of operational sophistication, raising concerns about the potential involvement of state actors. The breach could have significant implications for affected organizations, including financial losses and reputational damage. It also emphasizes the importance of robust security measures and incident response strategies to mitigate such threats.
What's Next?
Organizations using the Salesloft Drift integration with Salesforce are advised to consider their data compromised and take immediate remedial actions. This includes revoking API keys, rotating credentials, and conducting thorough investigations to assess the extent of the breach. Salesforce and Salesloft are expected to continue their investigations to determine the full impact and prevent future incidents. The cybersecurity community will likely monitor the situation closely for any further developments or similar attacks.
