
Salesforce Users Targeted in New Salesloft Data Theft Campaign

Summary

– Salesforce customers were targeted in a widespread data theft campaign using compromised OAuth tokens from the third-party Salesloft Drift application.
– The threat actor UNC6395 exfiltrated large volumes of data between August 8 and 18, primarily to harvest credentials like AWS keys and passwords.
– Google warned affected organizations to assume their Salesforce data is compromised and to revoke API keys, rotate credentials, and investigate further.
– Salesloft revoked all active tokens and hired an incident response specialist, while Salesforce removed the Drift app from its AppExchange during the investigation.
– Experts suspect a nation-state actor due to the campaign’s scale, discipline, and focus on non-human identities, highlighting broader security challenges.

A new data theft campaign has targeted Salesforce users through compromised OAuth tokens linked to the Salesloft Drift application, raising alarms across the sales and marketing technology landscape. This incident highlights the persistent risks associated with third-party integrations and the critical need for robust identity and access management protocols.

Salesloft Drift, a widely used tool that integrates with Salesforce to enhance team collaboration, became the center of a security alert issued on August 20. The company reported detecting a security issue and took immediate action by revoking all connections between Drift and Salesforce. However, further details remained scarce until Google’s Threat Intelligence Group (GTIG) disclosed its findings on August 26.

According to GTIG, a threat actor known as UNC6395 systematically targeted multiple Salesforce customer instances between August 8 and August 18, exfiltrating substantial volumes of data. Some industry experts estimate that hundreds of organizations may have been affected by this campaign. The primary objective appeared to be credential harvesting, with the attackers sifting through stolen data to locate sensitive information such as AWS access keys, passwords, and Snowflake-related tokens.

Google emphasized that although the actor demonstrated operational security by deleting query jobs, relevant logs remained intact. The company urged all Salesforce customers using Drift to assume their data may have been exposed and to take prompt remediation steps. Recommendations include searching for sensitive information within Salesforce objects, revoking API keys, rotating credentials, and conducting thorough investigations to determine potential misuse.
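The first remediation step above, searching Salesforce objects for credential-like material, is easier to do consistently with a script than by hand. The following is an added example written for this article, not code from Salesloft, Salesforce or Google: it scans exported records for the kinds of secrets the article says the actor hunted for (AWS access keys, passwords, Snowflake-related tokens) and produces a list of records whose referenced credentials should be rotated. The record layout, the sample records and the password and Snowflake heuristics are assumptions for the example; the AWS access key ID prefix is the publicly documented format. It expects records to have been pulled already with whatever export tooling the organization uses.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Secret-like patterns to look for in free-text fields.
# The AWS access key ID format (AKIA/ASIA prefix plus 16 uppercase alphanumerics)
# is public. The password and Snowflake patterns are heuristics assumed for this
# example; tune them to the organization's own naming conventions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\bsnowflake\b.*?\b(?:token|key|password)\b"),
}


@dataclass(frozen=True)
class Finding:
    object_name: str   # Salesforce object, e.g. Case
    record_id: str     # record ID as exported
    field: str         # field whose text matched
    pattern: str       # which PATTERNS entry matched
    excerpt: str       # redacted prefix, enough to correlate without re-exposing the secret


def redact(secret: str) -> str:
    """Keep a short prefix so analysts can match findings to the real value."""
    return secret[:8] + "..." if len(secret) > 8 else secret


def scan_records(records: Iterable[dict]) -> list[Finding]:
    """Scan exported records: each is {"object": str, "id": str, "fields": {name: text}}."""
    findings = []
    for rec in records:
        for field, text in rec["fields"].items():
            if not isinstance(text, str):
                continue  # skip non-text fields such as dates or numbers
            for name, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append(Finding(rec["object"], rec["id"], field,
                                            name, redact(match.group(0))))
    return findings


def count_by_pattern(findings: list[Finding]) -> dict:
    """Summary counts per secret type, useful for an incident status report."""
    counts: dict = {}
    for f in findings:
        counts[f.pattern] = counts.get(f.pattern, 0) + 1
    return counts


def records_needing_rotation(findings: list[Finding]) -> list[tuple]:
    """Distinct (object, id) pairs whose referenced credentials must be rotated."""
    return sorted({(f.object_name, f.record_id) for f in findings})


# Constructed sample export (not real data). IDs and contents are made up.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500xx0000000001", "fields": {
        "Subject": "Deploy failing",
        "Description": "Use key AKIAIOSFODNN7EXAMPLE for the S3 bucket until IAM is fixed"}},
    {"object": "Opportunity", "id": "006xx0000000002", "fields": {
        "NextStep": "Send proposal", "Description": "Pricing approved by finance"}},
    {"object": "Contact", "id": "003xx0000000003", "fields": {
        "Description": "Portal login password: Hunter2! (temporary)"}},
    {"object": "Case", "id": "500xx0000000004", "fields": {
        "Description": "Snowflake token for analytics is kept in the shared drive"}},
]

if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.object_name} {f.record_id} [{f.field}] {f.pattern}: {f.excerpt}")
    print("counts:", count_by_pattern(found))
    print("rotate credentials referenced by:", records_needing_rotation(found))
```

The findings deliberately carry only a redacted prefix: the output of a scan like this tends to be pasted into tickets and chat, and the point is to drive rotation, not to copy the secret somewhere new. Because the article notes the actor also searched for this material, every hit should be treated as a credential to rotate, not merely a record to clean up.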

In response, Salesloft has revoked all active access and refresh tokens for the Drift application, requiring administrators to reauthenticate their Salesforce connections. The company has also engaged an incident response specialist to lead the investigation. Meanwhile, Salesforce has temporarily removed the Drift app from its AppExchange marketplace pending the outcome of the ongoing probe.

This incident coincides with a separate wave of attacks targeting Salesforce environments through vishing campaigns. Recent reports indicate that Farmers Insurance may be among the latest victims of the ShinyHunters extortion group, further underscoring the vulnerability of cloud-based CRM platforms.

Security experts have raised concerns about the possibility of state-sponsored involvement in the Salesloft attacks. Cory Michal, CSO of AppOmni, pointed to the campaign’s scale and discipline as indicative of advanced threat actors. He noted that the attackers executed structured queries across hundreds of targeted environments, deliberately searching for credentials and attempting to conceal their activities.

Jonathan Sander, Field CTO at Astrix Security, highlighted the challenges posed by non-human identities (NHIs) in such attacks. He explained that threat actors often exploit these overlooked assets to operate undetected, using stolen tokens to compromise additional systems in a repeated cycle. Unfortunately, many organizations lack even a basic inventory of their NHIs, leaving them exposed to sophisticated intrusion methods.

The convergence of these incidents serves as a stark reminder of the evolving tactics used by cybercriminals and the importance of continuous monitoring, identity governance, and proactive security measures in safeguarding digital ecosystems.

(Source: InfoSecurity)
