Particle.news

Salesloft Breach Exposed Drift Tokens Used to Hit Hundreds of Salesforce Customers

Investigators say the spree focused on harvesting plaintext secrets to enable further attacks on victims’ cloud and access systems.

Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach

Overview

  • Google Threat Intelligence Group is tracking the activity as UNC6395 and reports more than 700 potentially impacted organizations during attacks from August 8–18.
  • Using a single stolen Salesloft Drift token, the actor accessed tokens for any Drift-linked organization and automated data theft with Python tools and SOQL queries.
  • Salesloft and Salesforce revoked all Drift access and refresh tokens by August 20, the attacks ceased, and affected customers were notified to reauthenticate.
  • Salesforce removed the Drift app from AppExchange during the probe, and Salesloft engaged an incident response firm to investigate the intrusion.
  • Google and Salesloft advise Drift-integrated customers to assume compromise, rotate credentials and API keys, review logs and IoCs, and search for exposed strings such as AKIA, Snowflake credentials, passwords, and VPN or SSO details.
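One defender-side way to carry out the last recommendation, scanning exported Salesforce records for the exposed secret strings the advisory names, shown as an added example that is not from Google, Salesloft or this article; the record layout, the field names and the pattern list are assumptions for illustration:

```python
import re

# Constructed sample rows, shaped like a CSV export of Salesforce Case records
# (IDs and text are made up; "AKIAIOSFODNN7EXAMPLE" is AWS's documented
# placeholder key, not a live credential).
SAMPLE_RECORDS = [
    {"Id": "500xx000000001", "Body": "Customer sent AWS key AKIAIOSFODNN7EXAMPLE for the S3 export"},
    {"Id": "500xx000000002", "Body": "Snowflake: acme-xy12345.snowflakecomputing.com user=etl password=Winter2024!"},
    {"Id": "500xx000000003", "Body": "VPN is down again, ticket reopened. No credentials attached."},
    {"Id": "500xx000000004", "Body": "SSO temp password: Hunter2!Hunter2 (change after first login)"},
]

# Patterns for the secret types the advisory names; each match is a finding.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account": re.compile(r"\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I),
}
# VPN/SSO words are not secrets by themselves; they only add context to a hit.
CONTEXT_HINT = re.compile(r"\b(?:VPN|SSO)\b", re.I)


def redact(secret: str) -> str:
    """Keep a short prefix so triage can recognise the value, never the whole secret."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def scan_records(records):
    """One finding per secret match, with any VPN/SSO mention in the same record attached."""
    findings = []
    for rec in records:
        body = rec.get("Body", "")
        context = sorted({m.group(0).upper() for m in CONTEXT_HINT.finditer(body)})
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(body):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"record_id": rec["Id"], "kind": kind,
                                 "redacted": redact(secret), "context": context})
    return findings


def records_needing_rotation(findings):
    """Distinct record IDs whose contents should drive credential rotation."""
    return sorted({f["record_id"] for f in findings})


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['record_id']} {h['kind']:<20} {h['redacted']} context={h['context']}")
    print("rotate credentials referenced in:", records_needing_rotation(hits))
```

Record 3 mentions VPN but holds no credential, so it produces no finding; a real export should be scanned field by field (comments, attachments, custom fields), not only the description.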