Salesloft & Drift Data Breach: GitHub Hack Connection

Salesloft Data Breach and Subsequent Customer Impact
Salesloft disclosed a security incident that began with a compromise of its GitHub account in March. That foothold ultimately let the attackers obtain authentication tokens, which they then used in a broad campaign against many of Salesloft's technology customers.
Details of the GitHub Account Breach
An investigation by Google's Mandiant incident response team found that the attackers had access to Salesloft's GitHub account from March through June. During that window they performed reconnaissance and downloaded content from several repositories.
They also added a guest user and set up automated workflows within the GitHub environment. Both are durable footholds: a separate guest account survives a password reset or token revocation on the originally compromised account, and a workflow runs with whatever repository or organization secrets it is granted, so removing the attacker requires auditing members and workflow definitions, not just rotating the first credential.
The gap of several months between the initial intrusion and its detection has drawn scrutiny of Salesloft's security practices.
Salesloft has stated that the incident has now been contained.
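The three behaviours described above (a newly added account, bulk repository downloads, and a workflow run by that account) are each individually common in a busy organization, which is why they go unnoticed. The detection below is an added example written for this article, not code from Salesloft, Mandiant or GitHub. It runs over a constructed, inline audit-log sample loosely modelled on a GitHub organization audit-log export; the action names (`org.add_member`, `git.clone`, `repo.download_zip`, `workflows.created_workflow_run`) are my assumption about what GitHub emits and should be confirmed against a real export before the rules are relied on.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample (not real log data), loosely modelled on a GitHub
# organization audit-log export with one JSON object per line. The action
# names are an assumption about GitHub's naming; verify against your own export.
SAMPLE_AUDIT_LOG = """\
{"action":"org.add_member","actor":"svc-deploy","user":"ext-contractor-77","created_at":"2025-03-10T02:14:05Z"}
{"action":"git.clone","actor":"ext-contractor-77","repo":"acme/web-app","created_at":"2025-03-10T02:20:11Z"}
{"action":"git.clone","actor":"ext-contractor-77","repo":"acme/billing","created_at":"2025-03-10T02:21:40Z"}
{"action":"repo.download_zip","actor":"ext-contractor-77","repo":"acme/infra","created_at":"2025-03-10T02:25:02Z"}
{"action":"git.clone","actor":"ext-contractor-77","repo":"acme/secrets-mgr","created_at":"2025-03-10T02:30:55Z"}
{"action":"repo.download_zip","actor":"ext-contractor-77","repo":"acme/drift-connector","created_at":"2025-03-10T02:41:13Z"}
{"action":"workflows.created_workflow_run","actor":"ext-contractor-77","repo":"acme/infra","created_at":"2025-03-11T03:02:00Z"}
{"action":"git.clone","actor":"alice","repo":"acme/web-app","created_at":"2025-03-10T09:00:00Z"}
{"action":"git.clone","actor":"alice","repo":"acme/billing","created_at":"2025-03-10T09:05:00Z"}
"""

MEMBER_ADD_ACTIONS = {"org.add_member", "org.invite_member", "repo.add_member"}
DOWNLOAD_ACTIONS = {"git.clone", "repo.download_zip"}
WORKFLOW_ACTIONS = {"workflows.created_workflow_run"}


def parse_events(raw: str) -> List[dict]:
    """Parse JSON lines and sort by time so the windowed rule sees events in order."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], download_threshold: int = 4,
           window: timedelta = timedelta(hours=1)) -> List[Dict[str, str]]:
    """Correlate account additions, bulk downloads and workflow runs per actor."""
    alerts: List[Dict[str, str]] = []
    added: Dict[str, datetime] = {}      # account -> when it was added
    downloads = defaultdict(list)        # actor -> [(ts, repo)]
    bulk_flagged = set()                 # actors already alerted on, to avoid repeats
    for e in events:
        action, actor = e["action"], e["actor"]
        if action in MEMBER_ADD_ACTIONS:
            # Any new member is worth a look; it is also remembered so that later
            # activity by that account can be tied back to the addition.
            added[e["user"]] = e["ts"]
            alerts.append({"rule": "member_added", "actor": actor,
                           "detail": f"{e['user']} added via {action}"})
        elif action in DOWNLOAD_ACTIONS:
            downloads[actor].append((e["ts"], e["repo"]))
            recent = {repo for ts, repo in downloads[actor] if e["ts"] - ts <= window}
            if len(recent) >= download_threshold and actor not in bulk_flagged:
                bulk_flagged.add(actor)
                alerts.append({"rule": "bulk_download", "actor": actor,
                               "detail": f"{len(recent)} distinct repos within {window}"})
        elif action in WORKFLOW_ACTIONS and actor in added:
            # A workflow run by an account that was itself added during the
            # log window is the persistence pattern described in the article.
            alerts.append({"rule": "workflow_by_new_account", "actor": actor,
                           "detail": f"workflow run in {e['repo']}; "
                                     f"account added {added[actor].isoformat()}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{alert['rule']:<24} {alert['actor']:<18} {alert['detail']}")
```

With the sample, `alice` cloning two repositories stays under the threshold and produces nothing, while the contractor account trips all three rules. The threshold and window are the knobs to tune against your own baseline; the point of the correlation is that the third alert names the account addition it relates to, which is the thread an analyst pulls on.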
Impact on Drift and Customer Accounts
After the GitHub compromise, the attackers pivoted into the Amazon Web Services (AWS) environment of Drift, Salesloft's AI chatbot marketing platform.
From there they stole OAuth tokens belonging to Drift's customers. OAuth is the widely used delegated-authorization standard that lets one application act on a user's behalf in another service without holding that user's password.
Drift uses OAuth to integrate with platforms such as Salesforce so it can engage with website visitors. The practical consequence is that an OAuth access or refresh token is a bearer credential: whoever holds a valid token can call the integrated API with the same permissions the Drift integration was granted, and a password reset on the customer's side does nothing until the token itself is revoked.
The compromised tokens led to downstream breaches at several Salesloft customers, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable. The full list of affected organizations is not yet known.
Attribution and Extortion Attempts
Google's Threat Intelligence Group disclosed the supply chain breach in late August and attributed it to a group it tracks as UNC6395.
Earlier reporting by the cybersecurity news sources DataBreaches.net and BleepingComputer suggests the perpetrators are likely ShinyHunters, a known and prolific hacking group.
The actors are reportedly contacting victims privately in an attempt to extort them.
Data Exfiltration and Salesforce Access
Using the stolen Drift OAuth tokens, the attackers accessed the Salesforce instances of Drift customers and exfiltrated sensitive data from support tickets (Salesforce Case records).
Salesloft said on August 26 that the attackers specifically hunted through that data for credentials, including AWS access keys, passwords, and Snowflake-related access tokens. Revoking the Drift tokens therefore closes only the initial path: any secret that was ever pasted into a support conversation must be treated as exposed and rotated.
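The natural follow-up for an affected Salesforce tenant is to sweep its own Case data for exactly the credential types named above, so the rotation list is driven by evidence rather than guesswork. The scanner below is an added example written for this article, not code from Salesloft, Salesforce or Mandiant. It runs over a small set of constructed ticket bodies embedded inline (the AWS key pair is AWS's published example pair); the AWS access-key-id shape is AWS's documented format, while the password and Snowflake patterns are heuristics I chose for the example and should be tuned to real data. Secret values are masked in the output so the scan report does not become a second leak.

```python
import re
from typing import Dict, List

# Constructed sample Salesforce Case bodies (not real tickets): the sort of
# secrets customers paste into support conversations. The AWS key pair is
# AWS's documented example pair, not a live credential.
SAMPLE_CASES: List[Dict[str, str]] = [
    {"id": "00001001", "body": "Hi, our S3 sync fails. Config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                               "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "00001002", "body": "Please reset it. Log in to acme.snowflakecomputing.com with password: Tr0ub4dor&3"},
    {"id": "00001003", "body": "Thanks, it works now!"},
    {"id": "00001004", "body": "Our Snowflake token = sf_tok_9f8e7d6c5b4a still returns 401."},
]

# AKIA/ASIA followed by 16 upper-case alphanumerics is AWS's documented
# access-key-id shape. The other patterns are heuristics chosen for this
# example, not an official indicator list; expect to tune them.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S{6,})"),
    "snowflake_account": re.compile(r"(?i)\b[a-z0-9_.-]+\.snowflakecomputing\.com\b"),
    "snowflake_token": re.compile(r"(?i)\bsnowflake[\w ]{0,20}(?:token|key|pat)\s*[=:]\s*(\S{8,})"),
}

# Identifiers you need in full to know what to rotate; everything else is a
# secret and is masked so the report itself does not leak it.
SHOW_IN_FULL = {"aws_access_key_id", "snowflake_account"}


def mask(value: str) -> str:
    """Keep a short prefix for correlation and hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per credential-like match across all case bodies."""
    findings: List[Dict[str, str]] = []
    for case in cases:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(case["body"]):
                # Patterns with a capture group isolate the secret value;
                # the others match the indicator itself.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append({
                    "case_id": case["id"],
                    "kind": kind,
                    "indicator": value if kind in SHOW_IN_FULL else mask(value),
                })
    return findings


def affected_cases(findings: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated case ids whose owners need notification and rotation."""
    return sorted({f["case_id"] for f in findings})


if __name__ == "__main__":
    hits = scan_cases(SAMPLE_CASES)
    for h in hits:
        print(f"{h['case_id']}  {h['kind']:<22} {h['indicator']}")
    print("cases needing rotation:", affected_cases(hits))
```

In a real sweep the `body` field would come from a SOQL export of Case and EmailMessage records rather than the inline list, and the output should go to the rotation ticket, not to a shared chat channel; that is why the scanner hands back masked values and full identifiers only for the key ids and account names you need to find the right owner.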
Salesloft announced on Sunday that its Salesforce integration has been fully restored.