Salesloft Links Drift Data Theft to March GitHub Hack

Summary
– Salesloft’s GitHub account was breached in March, allowing hackers to steal authentication tokens used to target its tech customers.
– The hackers conducted reconnaissance from March to June, downloading content from repositories and adding unauthorized users.
– The breach led to the theft of OAuth tokens from Drift’s AWS environment, compromising customers like Google and Cloudflare.
– Salesloft took six months to detect the intrusion, raising concerns about its security posture, though the incident is now contained.
– The hacking group UNC6395, also known as ShinyHunters, is believed responsible and focused on stealing credentials like AWS keys and passwords.
A significant data breach at Salesloft has been traced back to a March intrusion into the company’s GitHub account, which enabled attackers to steal authentication tokens and subsequently target several major technology clients. According to an investigation by Google’s Mandiant incident response team, the threat actors maintained access to Salesloft’s GitHub for several months, conducting reconnaissance and extracting content from multiple repositories. This extended access period has raised serious concerns about the company’s security monitoring and response capabilities.
The attackers leveraged their unauthorized access to infiltrate the Amazon Web Services environment supporting Salesloft’s AI-powered marketing platform, Drift. There, they exfiltrated OAuth tokens belonging to Drift’s customers. These tokens, which facilitate secure connections between applications, were then exploited to breach organizations including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable. Many additional affected companies may still be unidentified.
Google’s Threat Intelligence Group publicly attributed the supply chain attack in late August to a group it identifies as UNC6395. Independent cybersecurity outlets have suggested the involvement of ShinyHunters, a well-known hacking collective with a history of data theft and extortion. The group is believed to have contacted victims privately in an attempt to monetize the stolen information.
Salesloft confirmed that the attackers primarily sought credentials, including AWS access keys, passwords, and Snowflake-related tokens. By using the compromised OAuth tokens, the threat actors gained entry into Salesforce instances, where they harvested sensitive data from support tickets. The company has stated that the incident is now contained and that its integration with Salesforce has been fully restored. However, the nearly six-month gap between initial compromise and detection remains a focal point for critics evaluating the response.
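The attack chain described above ends with credentials being harvested from free-text support tickets. A practical defender response is to sweep the same ticket data for exposed secrets so they can be redacted and rotated before (or after) a token-based intruder reads them. The following is an added example, not code from the article, Salesloft or any of the affected vendors: the ticket bodies are constructed, the AWS values are Amazon's documented example key and secret, and the password and Snowflake patterns are keyword heuristics assumed for illustration (only the AWS access key ID format is a fixed, documented shape).

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # which pattern fired
    value: str   # the secret-looking value that should be rotated
    start: int   # offset in the ticket body, used for ordering


# Detection patterns. AWS access key IDs (AKIA/ASIA + 16 chars) have a documented,
# fixed shape; the other three are keyword heuristics (assumed here) and will
# produce some false positives that a reviewer has to triage.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})", re.I),
    "password": re.compile(r"\bpass(?:word|wd)?\s*[:=]\s*(\S+)", re.I),
    # "snowflake" followed within 80 chars by token=<value>; heuristic only
    "snowflake_token": re.compile(
        r"snowflake.{0,80}?\btoken\s*[:=]\s*(\S+)", re.I | re.S),
}

# Constructed sample ticket bodies (not real customer data). The AWS key and
# secret are the placeholder values published in Amazon's own documentation.
SAMPLE_TICKETS = {
    "T-1001": ("Customer reports login failure. Attached config: "
               "aws_access_key_id=AKIAIOSFODNN7EXAMPLE and "
               "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    "T-1002": "Thanks for the help, issue resolved after clearing cache.",
    "T-1003": "Please reset; current password: Summ3r!2024 for svc-integration account",
    "T-1004": "Snowflake connector fails. token=sf_tok_CONSTRUCTED_EXAMPLE_0001 was used",
}


def scan_text(text: str) -> list[Finding]:
    """Return every secret-looking value in one ticket body, ordered by position."""
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # Patterns with a capture group report only the value, not the keyword
            value = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(kind, value, m.start()))
    return sorted(findings, key=lambda f: f.start)


def scan_tickets(tickets: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a ticket_id -> body mapping; keep only tickets that contain findings."""
    results: dict[str, list[Finding]] = {}
    for ticket_id, body in tickets.items():
        hits = scan_text(body)
        if hits:
            results[ticket_id] = hits
    return results


def redact(text: str) -> str:
    """Produce a sanitized copy of a ticket body with each finding masked."""
    out = text
    for f in scan_text(text):
        out = out.replace(f.value, f"[REDACTED:{f.kind}]")
    return out


def rotation_report(results: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings per credential type: the to-do list for credential rotation."""
    counts: dict[str, int] = {}
    for hits in results.values():
        for f in hits:
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_tickets(SAMPLE_TICKETS)
    for ticket_id, hits in found.items():
        print(ticket_id, [f.kind for f in hits])
        print("  ", redact(SAMPLE_TICKETS[ticket_id]))
    print("rotate:", rotation_report(found))
```

Run against an export of ticket bodies, the rotation report is the list of credential types that must be assumed compromised if an integration's OAuth token was abused; the redacted copies are what should remain in the ticketing system afterwards. In a real deployment the keyword heuristics would be tuned against the organization's own false-positive rate.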
(Source: TechCrunch)