4 Sources
[1]
Salesloft says Drift customer data thefts linked to March GitHub account hack | TechCrunch
Salesloft said a breach of its GitHub account in March allowed hackers to steal authentication tokens that were later used in a mass-hack targeting several of its big tech customers. Citing an investigation by Google's incident response unit Mandiant, Salesloft said on its data breach page that the as-yet-unnamed hackers accessed Salesloft's GitHub account and performed reconnaissance activities from March until June, which allowed them to download "content from multiple repositories, add a guest user and establish workflows." The timeline raises fresh questions about the company's security posture, including why it took Salesloft some six months to detect the intrusion. Salesloft said that the incident is now "contained."

After the hackers broke into its GitHub account, the company said the hackers accessed the Amazon Web Services cloud environment of Salesloft's AI and chatbot-powered marketing platform Drift, which allowed them to steal OAuth tokens for Drift's customers. OAuth is a standard that allows users to authorize one app or service to connect to another. By relying on OAuth, Drift can integrate with platforms like Salesforce and others to interact with website visitors. In stealing these tokens, the threat actors breached several of Salesloft's customers, such as Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among others, many of which are likely still unknown.

Google's Threat Intelligence Group revealed the supply chain breach late in August, attributing it to a hacking group it calls UNC6395. Cybersecurity publications DataBreaches.net and Bleeping Computer previously reported that the hackers behind the breach are the prolific hacking group known as ShinyHunters. The hackers are believed to be trying to extort victims by contacting them privately. By accessing Salesloft tokens, the hackers then accessed Salesforce instances, where they stole sensitive data contained in support tickets.
"The actor's primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens," Salesloft said on August 26.
[2]
Zscaler data breach exposes customer info after Salesloft Drift compromise
Cybersecurity company Zscaler warns it suffered a data breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of support cases. This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data.

In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information. "As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," reads Zscaler's advisory. "Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler's Salesforce information."

The exposed information includes names, business email addresses, job titles, phone numbers, regional and location details, Zscaler product licensing and commercial information, and content from certain support cases. The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure.

While Zscaler states that it has detected no misuse of this information, it recommends that customers remain vigilant against potential phishing and social engineering attacks that could exploit this information. The company also says it has revoked all Salesloft Drift integrations to its Salesforce instance, rotated other API tokens, and is conducting an investigation into the incident. Zscaler has also strengthened its customer authentication protocol when responding to customer support calls to guard against social engineering attacks.

Google Threat Intelligence warned last week that a threat actor, tracked as UNC6395, is behind the attacks, stealing support cases to harvest authentication tokens, passwords, and secrets shared by customers when requesting support.

"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens," reports Google. "UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure."

It was later revealed that the Salesloft supply-chain attack not only impacted the Drift Salesforce integration, but also Drift Email, which is used to manage email replies and organize CRM and marketing automation databases. Google warned last week that attackers also used stolen OAuth tokens to access Google Workspace email accounts and read emails as part of this breach. Google and Salesforce have temporarily disabled their Drift integrations pending the completion of an investigation.

Some researchers have told BleepingComputer that they believe the Salesloft Drift compromise overlaps with the recent Salesforce data theft attacks by the ShinyHunters extortion group. Since the beginning of the year, the threat actors have been conducting social engineering attacks to breach Salesforce instances and download data. During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.
[3]
Zscaler says it suffered data breach following Salesloft Drift compromise
The attackers moved in after compromising Salesloft's Drift platform

We can now add Zscaler to the growing list of Salesloft customers who suffered a third-party cyberattack and lost sensitive customer information after it confirmed data was taken. In the announcement, Zscaler explained it was a customer of Salesloft, whose AI chat platform, Salesloft Drift, was compromised. Since this platform connects with Salesforce, the miscreants managed to move laterally, stealing OAuth and refresh tokens, and accessing data from customers such as Zscaler.

The company stressed its systems and products were not compromised, just the data: "The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler's products, services or underlying systems and infrastructure," it said. Still, the attackers managed to steal names, business email addresses, job titles, phone numbers, regional and location details, Zscaler product licensing and commercial information, as well as content from certain support cases.

The company said that so far, there is no evidence of the data being abused in the wild, but it still asked its users to remain vigilant and wary of incoming phishing and social engineering attacks. Zscaler also said it revoked all Salesloft Drift integrations, rotated API tokens, and kicked off an in-depth investigation.

So far, attribution of the attack has been challenging. Google's Threat Intelligence Group (GTIG) believes it to be the work of a threat actor it tracks as UNC6395. ShinyHunters, a known ransomware operator and data thief, also assumed responsibility, a claim confirmed to the media by multiple security researchers.
[4]
Zscaler: Salesloft Drift breach exposed customer data
Zscaler warns customer data exposed after Salesforce integration hack.

Zscaler, a cybersecurity firm, has issued a warning regarding a data breach affecting its customers. The breach stemmed from a compromise of its Salesforce instance following a supply-chain attack targeting Salesloft Drift. Attackers accessed OAuth and refresh tokens, which facilitated unauthorized access to Zscaler's Salesforce environment and the exfiltration of sensitive customer data.

Zscaler's advisory states that the compromise of Salesloft Drift, an AI chat agent integrated with Salesforce, led to the exposure. The attackers exploited stolen OAuth and refresh tokens to gain access to customer Salesforce environments. Zscaler's statement highlights that "unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," further noting that these credentials "allowed limited access to some Zscaler's Salesforce information."

The data exposed in the breach includes a range of customer information. This encompasses names, business email addresses, job titles, phone numbers, regional or location details, and Zscaler product licensing and commercial information. The breach also exposed content from certain support cases. Zscaler emphasized that the incident was isolated to its Salesforce instance and did not affect any Zscaler products, services, or underlying infrastructure.

While Zscaler has not detected any misuse of the exfiltrated data, the company is urging customers to exercise caution. Customers are advised to be vigilant against potential phishing and social engineering attacks that could leverage the exposed information. As a precautionary measure, Zscaler has revoked all Salesloft Drift integrations with its Salesforce instance and rotated other API tokens. An internal investigation into the incident is currently underway.

To further mitigate risks, Zscaler has enhanced its customer authentication protocol for support calls to prevent social engineering attempts. Google Threat Intelligence identified UNC6395 as the threat actor behind the attacks. This actor is known for targeting sensitive credentials, including Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. Google's report indicated that "GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens." The report also mentioned that "UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted, and organizations should still review relevant logs for evidence of data exposure."

The Salesloft supply-chain attack extended beyond the Drift Salesforce integration. It also impacted Drift Email, a tool used for managing email replies and organizing CRM and marketing automation databases. Attackers are reported to have exploited stolen OAuth tokens to access Google Workspace email accounts and read emails. This broader impact prompted Google and Salesforce to temporarily disable their Drift integrations pending the completion of the ongoing investigation.

Some researchers have suggested a potential connection between the Salesloft Drift compromise and recent Salesforce data theft attacks attributed to the ShinyHunters extortion group. The specific details of this connection are still under investigation, and further information is needed to confirm any direct links between these incidents.
A supply-chain attack on Salesloft's Drift platform has led to data breaches at several tech companies, including Zscaler. The incident, linked to a March GitHub account hack, has raised concerns about cybersecurity practices and data protection.

In a significant cybersecurity incident, Salesloft's AI-powered marketing platform, Drift, has been compromised, leading to a supply-chain attack affecting numerous high-profile tech companies. The breach, which began with a hack of Salesloft's GitHub account in March, has exposed sensitive customer data and raised questions about the security practices of affected organizations [1].

The attack unfolded over several months, with hackers gaining access to Salesloft's GitHub account in March and conducting reconnaissance activities until June. During this time, they downloaded content from multiple repositories, added a guest user, and established workflows [1]. The prolonged access raises concerns about Salesloft's security posture and detection capabilities.

Several prominent tech companies have been affected by the breach, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, Tenable and Zscaler. The full extent of the impact remains unknown, with potentially more affected companies yet to be identified [1].

The attackers exploited OAuth tokens associated with Drift's integration with Salesforce. This allowed them to access Salesforce instances of Drift's customers and exfiltrate sensitive data, including the contents of support cases and the credentials customers had shared in them, such as AWS access keys, passwords and Snowflake-related access tokens [2].

Google's Threat Intelligence Group (GTIG) has attributed the attack to a hacking group known as UNC6395 [2]. However, some cybersecurity publications and researchers have linked the breach to the prolific hacking group ShinyHunters, known for their extortion attempts [1].

The Salesloft Drift compromise has also impacted Drift Email, used for managing email replies and organizing CRM and marketing automation databases. Attackers have reportedly used stolen OAuth tokens to access Google Workspace email accounts [2].

Affected companies are taking steps to mitigate the risks associated with the breach: Zscaler has revoked all Salesloft Drift integrations with its Salesforce instance, rotated other API tokens, strengthened authentication for customer support calls and opened an investigation [3][2], and Google and Salesforce have temporarily disabled their Drift integrations pending the completion of the investigation [4].

This incident highlights the critical importance of supply-chain security and the potential risks associated with third-party integrations. Organizations are advised to review their security practices, particularly concerning OAuth token management and access controls for cloud-based services.
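The advisories above say the actor mined exposed support cases for AWS access keys (AKIA prefix), passwords and Snowflake-related tokens, so an organization whose Salesforce cases were read needs to know which secrets to rotate. The scanner below is an added example, not code from any of the articles or vendors cited: it sweeps a constructed export of case bodies for those credential types and reports masked hits; the AWS key-ID pattern is the documented 20-character format, while the Snowflake and password patterns are assumed heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample support-case bodies (not real customer data): the kind of
# text a case export contains and that an attacker reading cases would harvest.
SAMPLE_CASES = {
    "CASE-0001": "CLI keeps failing. I'm using AKIAIOSFODNN7EXAMPLE with the secret from our vault.",
    "CASE-0002": "Our Snowflake connector returns 401. Token: sf_CONSTRUCTED_a1b2c3d4 (rotated twice).",
    "CASE-0003": "Resetting my admin password = Hunter2! did not help, still locked out.",
    "CASE-0004": "Billing question about our licence renewal, nothing technical.",
}

# Detection patterns for the credential types the advisories say were targeted.
# The AWS pattern is exact (key IDs are AKIA + 16 upper-case alphanumerics); the
# Snowflake and password patterns are assumed heuristics, not vendor formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "snowflake_token": re.compile(r"(?is)snowflake.{0,60}?(?:token|key)\s*[:=]\s*(\S+)"),
    "password": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"),
}


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    masked: str  # the raw secret never goes into the report


def mask(value: str) -> str:
    """Keep enough of a long secret to identify it for rotation, hide the rest."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_cases(cases: dict[str, str]) -> list[Finding]:
    """Return one Finding per credential-like value found across the case bodies."""
    findings = []
    for case_id, body in cases.items():
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(body):
                secret = m.group(m.lastindex or 0)  # captured group if the pattern has one
                findings.append(Finding(case_id, kind, mask(secret)))
    return findings


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.case_id}: {f.kind} -> {f.masked}  (rotate, then purge from the case)")
```

Each hit identifies a case whose owner should be contacted and a secret that should be rotated regardless of whether misuse has been observed, which is the same posture GTIG's note about reviewing logs takes.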
Summarized by Navi