What's Happening?
Salesforce customers have been targeted in a widespread data theft campaign involving compromised OAuth tokens linked to the Salesloft Drift application. The campaign, identified by Google Threat Intelligence Group, saw a threat actor known as UNC6395 systematically exfiltrating large volumes of data from numerous Salesforce customer instances between August 8 and August 18. The attacker focused on harvesting credentials, including Amazon Web Services access keys and Snowflake-related access tokens. Salesloft has revoked all active access and refresh tokens for the Drift app, requiring admins to reauthenticate their Salesforce connection. Salesforce has removed the Drift app from its AppExchange while an investigation is underway.
Why Is It Important?
The data theft campaign highlights significant vulnerabilities in third-party integrations with Salesforce, posing risks to sensitive customer data. Organizations using Salesforce are urged to review their security protocols and take immediate action to protect their data. The incident underscores the importance of safeguarding non-human identities and credentials, which are increasingly targeted by sophisticated cyber threats. The scale and coordination of the attack suggest potential involvement of state actors, raising concerns about national security and the protection of corporate data.
What's Next?
Salesforce customers are advised to search for sensitive information within their Salesforce objects and take appropriate actions, such as revoking API keys and rotating credentials. Salesloft has hired an incident response specialist to investigate the breach further. As more victim names emerge from parallel data extortion campaigns, companies are likely to enhance their cybersecurity measures and scrutinize third-party app integrations more closely.
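As an added illustration of the "search your Salesforce objects for sensitive information" step (example code, not from the article, Salesloft or Salesforce), the script below scans constructed sample records for the credential types the campaign harvested: AWS access key IDs, AWS secret access keys and Snowflake connection strings with an embedded password. The record layout, the pattern set and the masking rule are assumptions; the sample values are invented.

```python
import re
from typing import Dict, List

# Constructed sample records standing in for exported Salesforce text fields
# (e.g. Case descriptions). All values below are invented for this example.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"Id": "500000000000001", "Object": "Case",
     "Text": "Customer pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
             "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000002", "Object": "Case",
     "Text": "Snowflake connection string: "
             "snowflake://user:s3cretP4ss@acme-org.snowflakecomputing.com/db"},
    {"Id": "500000000000003", "Object": "Case",
     "Text": "Login button greyed out after update, no credentials shared."},
]

# Assumed detection patterns. AWS access key IDs begin with AKIA followed by
# 16 upper-case alphanumerics; AWS secret keys are 40 base64-like characters;
# the Snowflake check looks for a URI with user:password@ in the authority.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})\b"),
    "snowflake_uri_credentials": re.compile(
        r"(?i)snowflake://[^\s:@/]+:([^\s@]+)@"),
}


def mask(value: str) -> str:
    """Keep only the first four characters so the report is not itself a leak."""
    return value[:4] + "*" * (len(value) - 4)


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per credential-like match, with the value masked."""
    findings = []
    for rec in records:
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(rec["Text"]):
                findings.append({"Id": rec["Id"], "Object": rec["Object"],
                                 "Type": name, "Masked": mask(match.group(1))})
    return findings


def records_to_remediate(findings: List[Dict[str, str]]) -> List[str]:
    """Record Ids whose owners should rotate the exposed credential."""
    return sorted({f["Id"] for f in findings})


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['Object']} {f['Id']}: {f['Type']} -> {f['Masked']}")
```

The masked output is safe to hand to the teams that own the affected records; rotating the keys and revoking the Drift tokens are the remediation steps the finding points to, not something the script performs.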
Beyond the Headlines
The attack on Salesforce via the Salesloft Drift app highlights the growing challenge of protecting non-human identities in digital environments. As cyber threats evolve, organizations must develop comprehensive inventories of their digital assets and implement advanced security measures to detect and prevent unauthorized access. The incident also raises ethical questions about data privacy and the responsibility of tech companies to safeguard user information.