Salesloft pinned the root cause of the Drift supply-chain attacks to a threat group gaining access to its GitHub account as far back as March, the company said in an update Saturday. 

During a 10-day period in mid-August, the threat group compromised and stole data from hundreds of organizations. 

The threat group, which Google tracks as UNC6395, spent time lurking in the Salesloft application environment, downloaded content from multiple repositories, added a guest user and set up workflows over a monthslong period through June, according to Salesloft. 

“The threat actor then accessed Drift’s Amazon Web Services environment and obtained OAuth tokens for Drift customers’ technology integrations,” the company said. “The threat actor used the stolen OAuth tokens to access data via Drift integrations.”

The update marks the most significant details shared yet by Salesloft since Google security researchers first warned about the “widespread data theft campaign” last month. The company is still withholding key details as its incident response firm, Mandiant, has transitioned to confirm the quality of its forensic investigation.

Salesloft has not explained how its GitHub account was accessed, what attackers did in its environment, nor how the threat group accessed Drift’s AWS environment and obtained OAuth tokens. The company also hasn’t explained why OAuth tokens were stored in the cloud environment, and if the stolen OAuth tokens were for internal integrations with third-party platforms or customers’ OAuth tokens for individual integrations.

The company has not responded to multiple requests for comment dating back to Aug. 26, when news of the attacks first surfaced.

Analysts and researchers acknowledge that Salesloft may still be seeking definitive answers about what went wrong, yet the company already misfired when it erroneously claimed exposure was limited to Drift customer instances integrated with Salesforce. Days later, Google Cloud’s incident response firm Mandiant said Salesloft Drift customers were compromised en masse, potentially snagging any user that integrated the AI chat agent platform to another third-party service.

“I don’t think they’re being fully transparent. They’re still holding some stuff back,” said Paddy Harrington, senior analyst at Forrester.

Salesloft’s post-incident investigation thus far underscores multiple areas where the company’s security practices and controls were apparently less than adequate, according to Harrington. 

Nathaniel Jones, VP of security and AI strategy at Darktrace, said he hopes more information will be shared once the investigation is complete. “They’ve confirmed the breach and downstream impacts but stopped short of saying how the attacker got in,” he added.

“They’ve boxed in the Drift environment, taken it offline, rotated credentials, and emphasized containment. That’s all good practice,” Jones said.

Salesloft took Drift offline Friday and said the move was temporary “to fortify the security of the application and its associated infrastructure.” Salesloft rotated all centrally managed keys for OAuth users, but customers who manage Drift connections to third-party applications via API keys need to revoke existing keys directly with the third-party provider’s application, the company said. 

The Salesloft platform, which has been technically segmented from Drift and confirmed uncompromised, according to Mandiant, restored connections with Salesforce Sunday, the company said. 

Salesloft doesn’t know when Drift will be restored and brought back online. Yet, the company may need to make significant changes to regain trust as the lingering and still unknown effects of the damage caused by the breach stain Drift’s reputation.

“They’re probably going to have to rename that thing. The name alone is now totally tainted,” Harrington said. “They could reintroduce the product, but they’re going to have to totally talk about a rearchitecture change.”

Key details are still missing about how the attack occurred, and customers need to understand the true scope of the supply-chain attack and the extent of data stolen, he added.

“We’re in a time where attackers are going to find the least-protected asset and they’re going to go for it, and they struck gold here. Holy crap, did they strike gold,” Harrington said. “This thing just keeps getting worse and worse and worse.”

The post Salesloft Drift security incident started with undetected GitHub access appeared first on CyberScoop.

Salesloft Drift customers are compromised in a much more expansive downstream attack spree than previously thought, potentially ensnaring any user that integrated the AI chat agent platform to another service.

“We’re telling organizations to treat any Drift integration into any platform as potentially compromised, so that increases the scope of victims,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. This expanded attack radius includes Google Workspace customers that integrated Salesloft Drift into their instances. Victims have been notified that Google has found evidence of compromise.

Freshly uncovered evidence proves the threat actors, which Google tracks as UNC6395, didn’t just hit Salesforce customers who used Salesloft Drift, as Salesloft claimed Tuesday. 

“This just really blows wide open the scope here,” said Austin Larsen, principal threat analyst at Google Threat Intelligence Group.

Salesloft Drift provides integrations with 58 third-party tools for customer relationship management, automation, analytics, sales, communications and support, according to a third-party integration guide the vendor updated last month.

Salesloft updated its security blog to confirm that impact is much more severe and widespread. The company said it’s working with Mandiant, Google Cloud’s incident response division, and cyber insurer Coalition to assist in an ongoing investigation.

The sales engagement platform, a variant of CRM, is now recommending all Drift customers who manage connections to third-party applications via API key to revoke the existing key and rotate to a new key. Salesloft, which acquired Drift in February 2024, did not respond to a request for comment. 

In response to the widening security incident, Salesforce said late Wednesday it disabled the connection between Drift and Salesforce, rendering those integrations defunct. Salesforce declined to answer questions and maintains the issue does not involve a vulnerability in the Salesforce platform.

While the number of victims has grown, Google is sticking to the estimates it shared Tuesday, reiterating that more than 700 organizations are potentially impacted. Yet, it’s clear researchers are still working to identify all potential paths of compromise. 

“We’ve seen evidence of other platforms that were impacted as well,” Carmakal said.

The exposure could also involve former Drift customers. Mandiant identified one victim that may have been a former Drift customer, but researchers are still working to confirm those details. 

GTIG said the financially motivated threat group UNC6395 has also retrieved OAuth tokens for multiple services, including some that allowed it to “access email from a very small number of Google Workspace accounts.” The attackers primarily sought to steal credentials to compromise other systems connected to initial victims, as it specifically searched for Amazon Web Services access keys, virtual private network credentials and Snowflake credentials.

The root cause of the attacks, specifically how UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. Researchers are also working to determine the full extent of the compromise within Salesloft Drift’s infrastructure.

“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Carmakal said. “There will be a lot more tomorrow, and the next day, and the next day.”

The post Salesloft Drift compromised en masse, impacting all third-party integrations appeared first on CyberScoop.

Google Threat Intelligence Group warned about a “widespread data theft campaign” that compromised hundreds of Salesforce customers over a 10-day span earlier this month. 

According to a report published Tuesday, researchers say a threat group Google tracks as UNC6395 stole large volumes of data from Salesforce customer instances by using stolen OAuth tokens from Salesloft Drift, a third-party AI chat agent for sales and leads. Google said the attack spree occurred from at least Aug. 8 to Aug. 18.

“GTIG is aware of over 700 potentially impacted organizations,” Austin Larsen, principal threat analyst at GTIG, told CyberScoop. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”

The attackers primarily sought to steal credentials to compromise other systems connected to the initial victims, according to Google. UNC6395 specifically searched for Amazon Web Services access keys, virtual private network credentials and Snowflake credentials.

“Using a single token stolen from Salesloft, the threat actor was able to access tokens for any Drift linked organization. The threat actor then used the Salesforce tokens to directly access that data and exfiltrate it to servers, where they looked for plaintext credentials including Amazon, Snowflake and other passwords,” said Tyler McLellan, principal threat analyst at GTIG.

Mandiant Consulting, Google’s incident response firm, hasn’t observed further use of the stolen credentials in any current investigations, he said. 

Salesloft confirmed the intrusions in a security update Monday and said all impacted customers have been notified. The company first issued an alert about malicious activity targeting Salesloft Drift applications integrated with Salesforce Aug. 19. 

Salesloft said it worked with Salesforce to revoke all active access and refresh tokens for the application and asserts the impact is limited to customers integrated with Salesforce. Google said the attacks stopped once Salesloft and Salesforce revoked access on Aug. 20. 

Salesforce, in a statement Tuesday, said a “small number of customers” were impacted, adding “this issue did not stem from a vulnerability within the core Salesforce platform, but rather from a compromise of the app’s connection.” 

Google advised Salesloft Drift customers integrated with Salesforce to consider their data compromised, search for secrets contained in their Salesforce instances and remediate by revoking API keys, rotating credentials and investigating further. 

Google hasn’t yet determined UNC6395’s origins or motivations. The attack spree was “broad and opportunistic, and appeared to take advantage of any organization using the Salesloft Drift integration with Salesforce,” McLellan said.

AppOmni CSO Cory Michal said the compromise and abuse of OAuth tokens and cloud-to-cloud integrations are a longtime known blind spot in most enterprises. Yet, the sheer scale and discipline of the attacks is surprising, he said. 

“The attacker methodically queried and exported data across many environments,” Michal added. “They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus and tradecraft makes this campaign stand out.”

The post Hundreds of Salesforce customers impacted by attack spree linked to third-party AI agent appeared first on CyberScoop.