
Salesloft has reported a serious security incident linked to a breach of its GitHub account that occurred earlier this year in March. This breach enabled hackers to acquire authentication tokens, which were subsequently used in a widespread attack affecting numerous major tech clients.

According to an investigation conducted by Mandiant, the incident response team at Google, the hackers accessed Salesloft's GitHub account and conducted reconnaissance activities that spanned from March to June. During this period, they were able to download information from various repositories, add unauthorized guest users, and manipulate workflows. This timeline raises significant concerns regarding Salesloft's security measures, particularly questioning why it took the company nearly six months to identify the breach. Despite the prolonged exposure, Salesloft has stated that the situation is now “contained.”

Following the breach, hackers gained access to the Amazon Web Services cloud environment of Drift, Salesloft’s AI and chatbot-driven marketing platform, allowing them to steal OAuth tokens belonging to Drift's customers. OAuth is a protocol that permits users to authorize applications to communicate with each other. By exploiting these tokens, the attackers were able to breach the accounts of several prominent Salesloft clients, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among others. The full extent of affected customers remains unclear.

Google’s Threat Intelligence Group disclosed this supply chain breach in late August, linking it to a hacking collective identified as UNC6395. Cybersecurity outlets like DataBreaches.net and Bleeping Computer have reported that the perpetrators are believed to be ShinyHunters, a notorious hacking group that has previously targeted various organizations. These hackers are thought to be attempting to extort their victims by making direct contact.

By utilizing the stolen Salesloft tokens, they accessed Salesforce accounts, where they extracted sensitive information from support tickets. According to Salesloft, the main goal of the attackers was to obtain credentials, particularly targeting sensitive data, including AWS access keys, passwords, and Snowflake access tokens. As of Sunday, Salesloft has confirmed that its integration with Salesforce has been successfully restored.