What's Happening?
Salesloft Drift has been compromised in a widespread attack affecting all of its third-party integrations. The attack, attributed to the threat group UNC6395, involved the retrieval of OAuth tokens for multiple services, giving the attackers access to email and other credentials. The attackers primarily sought to steal credentials, including Amazon Web Services and VPN credentials, that could be used to compromise connected systems. Google estimates that over 700 organizations are potentially impacted, and researchers are still working to identify all paths of compromise. The root cause of the attacks remains unconfirmed; Salesloft is collaborating with Mandiant and Google Cloud to investigate.
Why Is It Important?
The compromise of Salesloft Drift highlights the risk that third-party integrations introduce into corporate environments. Organizations using Salesloft Drift are advised to treat every integration as potentially compromised, which extends the pool of potential victims to every connected service. The incident underscores the importance of robust security measures and the need for companies to regularly review their third-party integrations and the access granted to them. The widespread impact of the attack could lead to significant disruptions in business operations and potential financial losses.
What's Next?
Salesloft is recommending that customers revoke existing API keys and rotate to new ones. Salesforce has disabled the connection between Drift and Salesforce, so those integrations no longer function. As the investigation continues, organizations may need to reassess their security strategies and implement additional safeguards to prevent future breaches.