Salesloft Disables Drift Service Following OAuth Token Theft Affecting Hundreds of Organizations
Salesloft announced on Tuesday that it will temporarily take Drift offline in the near future due to a significant supply chain attack affecting multiple companies. This attack has resulted in the mass theft of authentication tokens associated with the marketing software-as-a-service product. The company stated that this decision aims to provide the fastest path to comprehensively review the application and enhance its security and resilience before restoring full functionality. Consequently, the Drift chatbot on customer websites will be unavailable, and access to Drift will be suspended. Salesloft emphasised that its top priority is to ensure the integrity and security of its systems and customer data, and said it is collaborating with cybersecurity partners Mandiant and Coalition as part of its incident response efforts.
The announcement follows revelations from the Google Threat Intelligence Group (GTIG) and Mandiant regarding a widespread data theft campaign that exploited stolen OAuth and refresh tokens linked to the Drift AI chat agent, breaching customers’ Salesforce instances. This activity, attributed to a threat cluster known as UNC6395 (also referred to as GRUB1), has potentially impacted over 700 organisations. The compromise was initially believed to be limited to Salesloft’s integration with Salesforce, but it has since been determined that any platform integrated with Drift may also be compromised. Salesforce has responded by temporarily disabling all Salesloft integrations as a precaution. Affected businesses include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, SpyCloud, Tanium, and Zscaler. Cloudflare indicated that this incident appears to be part of a broader strategy by the threat actor to harvest credentials and customer information for future attacks.
Categories: Cybersecurity Incident, Supply Chain Attack, Data Breach
Tags: Salesloft, Drift, Supply Chain Attack, Authentication Tokens, Cybersecurity, Incident Response, Salesforce, Data Theft, Threat Actor, Integration