Close Menu
Cybercrime and Ransomware

Security Firms Struck by Salesforce–Salesloft Drift Breach

Staff WriterBy No Comments4 Mins Read0 Views

Quick Takeaways

  1. Cybersecurity firms Cloudflare, Palo Alto Networks, and Zscaler confirmed their Salesforce instances were compromised in a widespread attack exploiting the Salesforce-Salesloft Drift integration, leading to data exfiltration of sensitive customer information.

  2. The attack, linked to threat actors UNC6395/GRUB1, involved the use of stolen OAuth tokens to access Salesforce data, with hackers running reconnaissance queries and exfiltrating data via Salesforce’s Bulk API on August 17.

  3. Exfiltrated data included contacts, account information, support case content, and internal credentials like API tokens, which have been rotated, though some internal tokens like Cloudflare’s were found and secured.

  4. The incident prompted Salesforce to disable all Salesloft integrations, with affected organizations warned of potential targeted attacks, highlighting the significant risk posed by supply chain vulnerabilities in third-party SaaS tools.

Key Challenge

Recently, major cybersecurity firms such as Cloudflare, Palo Alto Networks, and Zscaler confirmed that their Salesforce platforms were compromised in a widespread data theft campaign linked to the malicious use of the third-party AI chatbot, Salesloft Drift. Between August 8 and August 18, hackers, identified by Google as UNC6395 and by Cloudflare as GRUB1, exploited compromised OAuth tokens associated with Drift to extract vast amounts of sensitive data from Salesforce accounts belonging to hundreds of organizations. This data theft included customer contacts, internal sales information, credentials, and access tokens for services like AWS and Snowflake. The intrusion involved the hackers running queries for days, culminating in a rapid exfiltration of data through Salesforce’s Bulk API, raising significant concerns about the security of third-party integrations. As a response, Salesforce disabled all Salesloft integrations, and impacted companies, including Cloudflare, promptly contained and reviewed their affected systems. The theft appears to be part of a coordinated effort by the threat actor to harvest credentials and information for future targeted attacks.

Critical Concerns

Cybersecurity firms Cloudflare, Palo Alto Networks, and Zscaler confirmed that their Salesforce accounts were compromised in a widespread hacking campaign linked to the Salesloft Drift AI chatbot, orchestrated by threat actor UNC6395/GRUB1. Between August 8 and 18, hackers exploited stolen OAuth tokens to extract vast amounts of sensitive data from hundreds of organizations’ Salesforce instances, including credentials, AWS access keys, passwords, and customer information—such as contact details, support case data, and internal logs. The attack involved reconnaissance queries and rapid data exfiltration, indicating a strategic effort to harvest information for future targeted assaults. As a result, Salesforce disabled affected integrations, and impacted companies are now reviewing their security measures. This incident underscores the vulnerability of third-party integrations in supply chain attacks, revealing how malicious actors can compromise multiple organizations simultaneously, risking significant data exposure, potential credential misuse, and heightened susceptibility to subsequent cyber threats.

Possible Remediation Steps

Addressing cybersecurity breaches promptly is vital for security firms because delayed response can lead to amplified damage, loss of client trust, and severe financial and reputational repercussions. Swift remediation ensures the containment of threats, limits data exposure, and helps restore secure operations efficiently.

Containment Measures
Immediately isolate affected systems and disconnect compromised accounts to prevent further malicious activity or data exfiltration.

Assessment Protocols
Conduct a thorough investigation to understand the breach’s scope, entry points, and compromised assets.

Password & Credential Reset
Force password changes across all relevant accounts, especially for Salesforce and Salesloft integrations, and implement multi-factor authentication.

Vulnerability Analysis
Identify and patch security gaps exploited during the breach, ensuring software and systems are up to date with latest security patches.

Communication Strategy
Notify affected clients and stakeholders transparently about the breach and ongoing remediation efforts, maintaining trust and compliance.

Enhanced Monitoring
Deploy advanced intrusion detection systems and continuous monitoring tools to identify any further suspicious activity quickly.

Training & Awareness
Educate staff on security best practices and how to recognize potential threats to prevent future breaches.

Review & Revise Policies
Update security policies and incident response plans based on lessons learned from the breach to strengthen defenses moving forward.

Continue Your Cyber Journey

Stay informed on the latest Threat Intelligence and Cyberattacks.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.