Top Highlights
- The Salesloft Drift supply chain attack exposed over 700 companies to data theft, involving unauthorized access to OAuth tokens used across multiple platforms, with the attack occurring over 10 days in August.
- Okta successfully thwarted the attack through proactive IP restrictions and security measures, while Zscaler suffered data exposure due to delayed token decommissioning despite shutting off Drift usage earlier.
- Both companies remain uncertain about how threat actors accessed their OAuth tokens, highlighting vulnerabilities in token storage and the need for advanced security measures like Demonstrating Proof of Possession (DPoP).
- Experts emphasize the importance of stronger API controls, frequent token rotation, and collective industry efforts to enhance defenses against the growing attack surface posed by API-based vulnerabilities.
Key Challenge
Last month, a major supply chain cyberattack targeted over 700 customers of Drift, a platform used for AI chat services in sales operations, with attackers gaining unauthorized access to sensitive customer data. The attack was traced back to a threat group, UNC6395, which had compromised Salesloft’s GitHub account as early as March, eventually moving laterally within the infrastructure to access Drift’s AWS environment and steal OAuth tokens. These tokens permitted access to data across multiple integrated platforms, resulting in widespread data theft during a ten-day window. While Okta, a large security firm that also used Drift, actively detected and blocked the breach by restricting the IP address ranges allowed to make API calls, Zscaler was less fortunate: it suffered data exposure after its OAuth token remained active despite the company having retired it weeks earlier, which led to the exposure of customer details and company information. Both companies agreed that vulnerabilities in how API tokens are stored and used, particularly the lack of advanced security mechanisms like Demonstrating Proof of Possession (DPoP), highlight the urgent need for better collective defenses and stricter control over API security in today’s increasingly interconnected SaaS environment.
Critical Concerns
Cyber risks in supply chain attacks, exemplified by the recent Salesloft Drift incident affecting over 700 clients, highlight the critical vulnerabilities posed by API tokens and third-party integrations. Attackers, exploiting breaches like compromised GitHub accounts and AWS environments, can acquire OAuth tokens that enable widespread data theft, undermining customer privacy and corporate security. The differing responses of Okta and Zscaler underscore the importance of proactive measures such as IP restrictions, frequent token rotation, and advanced authentication mechanisms like Demonstrating Proof of Possession (DPoP). These incidents reveal that the security of SaaS applications hinges on layered defenses, collective vigilance, and vendors prioritizing robust security features—lessons essential for minimizing future risks and mitigating the true costs of supply chain cyber threats.
Possible Actions
Timely remediation is crucial for security leaders at Okta and Zscaler to effectively counteract escalating cyber threats, particularly those exemplified by the Salesloft Drift attack. Addressing vulnerabilities swiftly can prevent significant breaches, protect sensitive data, and maintain organizational trust, highlighting the importance of rapid response.
Detection & Monitoring
- Implement continuous monitoring systems
- Use AI-based anomaly detection
Incident Response
- Develop and rehearse security protocols
- Isolate affected systems immediately
Patch & Update
- Regularly update software and firmware
- Apply security patches promptly
User Awareness
- Conduct security awareness training
- Enforce strong, unique passwords
Access Control
- Enforce multi-factor authentication
- Limit user permissions based on roles
Threat Intelligence
- Subscribe to threat feeds
- Share insights within industry networks
Revise Policies
- Review and update security policies
- Implement strict access controls and audits