Salesloft Breach
Google now reports that the Salesloft Drift breach is larger than initially thought. The company warns that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts, in addition to stealing data from Salesforce instances.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” warns Google.
“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
The campaign, tracked by Google Threat Intelligence (Mandiant) as UNC6395, first disclosed on August 26, involved attackers stealing OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce. The threat actors used these tokens to gain access to customer Salesforce instances, where they executed queries against Salesforce objects, including the Cases, Accounts, Users, and Opportunities tables.
This data allowed the attackers to scan customer support tickets and messages for sensitive information, such as AWS access keys, Snowflake tokens, and passwords that could facilitate further breaches of cloud accounts, likely for future extortion.
Google Workspace Accounts exposed
In an update published today, Google confirmed that the compromise was more significant than initially believed and not limited to Salesforce integrations.
The investigation revealed that attackers also compromised OAuth tokens for the “Drift Email” integration. On August 9, the threat actors used these tokens to access the email of a “very small number” of Google Workspace accounts that were directly integrated with Drift.
Google emphasized that no other accounts in those domains were affected and that attackers did not compromise Google Workspace or Alphabet itself.
The stolen tokens have since been revoked, and customers have received notifications. Google also disabled the integration between Salesloft Drift Email and Google Workspace while investigating the breach.
Google now urges all organizations using Drift to treat every authentication token stored in or connected to the platform as compromised. This warning advises customers to revoke and rotate credentials for those applications and investigate all connected systems for signs of unauthorized access.
The company also recommends that users review all third-party integrations associated with Drift instances, search for exposed secrets, and reset any found credentials in case attackers have compromised them.
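The secret-hunting step above (searching support tickets and connected systems for exposed AWS keys, Snowflake tokens and passwords so they can be rotated) is easy to start with a small scanner. The following is an added example, not code from Google, Salesloft or the article; the case records, the key ID `AKIAIOSFODNN7EXAMPLE` and the Snowflake token are constructed sample data, and the Snowflake and password patterns are heuristic assumptions rather than vendor-defined formats. It scans exported case bodies, reports each hit with the value redacted (so the report itself does not leak the secret), and returns the list of cases whose credentials need rotation.

```python
import re
from typing import Dict, List

# Constructed sample of exported Salesforce Cases text (not real data).
SAMPLE_CASES = [
    {"case_id": "CASE-0001",
     "body": "Deploy fails with our key AKIAIOSFODNN7EXAMPLE, please advise"},
    {"case_id": "CASE-0002",
     "body": "Customer cannot log in, password=Summer2024! please reset"},
    {"case_id": "CASE-0003",
     "body": "Reporting a UI bug, screenshot attached."},
    {"case_id": "CASE-0004",
     "body": "Our Snowflake token: sf_constructed_token_123 stopped working"},
]

# Detection patterns. The AWS access key ID prefix/length is the well-known
# format; the other two are heuristics (assumptions) that look for a
# credential-like value after a keyword, and will need tuning per tenant.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE),
    "snowflake_like_token": re.compile(
        r"snowflake[^\n]{0,40}?(?:token|key|password)\s*[:=]\s*(\S+)",
        re.IGNORECASE),
}


def redact(value: str) -> str:
    """Keep only a short prefix so the finding can be triaged without
    copying the secret into another system."""
    return value[:4] + "…" if len(value) > 4 else "…"


def find_exposed_secrets(cases: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (case, pattern) hit, with the value redacted."""
    findings = []
    for case in cases:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(case["body"]):
                findings.append({
                    "case_id": case["case_id"],
                    "kind": kind,
                    "redacted": redact(match.group(1)),
                })
    return findings


def cases_needing_rotation(cases: List[Dict[str, str]]) -> List[str]:
    """Distinct case IDs containing at least one credential-like value;
    each is a rotation work item, not just a search result."""
    return sorted({f["case_id"] for f in find_exposed_secrets(cases)})


if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_CASES):
        print(f'{finding["case_id"]}: {finding["kind"]} -> {finding["redacted"]}')
    print("rotate credentials referenced in:", cases_needing_rotation(SAMPLE_CASES))
```

In practice the input would be a bulk export of the Cases (and any other objects the tokens could read) rather than the inline sample, and a hit list like this is a starting point for rotation and for checking the corresponding cloud accounts' access logs, since any secret the attackers could have read must be treated as used.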
Salesloft updated its advisory on August 28, stating that Salesforce disabled Drift integrations with Salesforce, Slack, and Pardot until the investigation concludes.
Salesloft has also engaged Mandiant and Coalition to assist with the investigation.
Source: BleepingComputer, Lawrence Abrams