© 2025 NEWSLINKER - Powered by LK SOFTWARE
Cybersecurity

Hackers Target Hundreds of Salesforce Customers Using Stolen OAuth Tokens

Highlights

  • Attackers exploited OAuth tokens to steal data from over 700 Salesforce customers.

  • Salesloft and Salesforce revoked tokens and notified all affected users.

  • Experts recommend reviewing integrations and rotating credentials for better security.

Samantha Reed
Last updated: 26 August, 2025 - 11:49 pm

Cloud security professionals have contended with escalating fears surrounding the safety of third-party software integrations as new cyber risks emerge. The latest incident, affecting hundreds of organizations, shows how attackers can bypass security by exploiting connections between widely used applications. Users of platforms like Salesforce and third-party tools such as Salesloft Drift may be rethinking their approach to access controls and token management in light of recent revelations. This event raises questions about how organizations handle digital trust between cloud applications and whether current best practices are sufficient amid the increasing popularity of AI-powered sales tools.

Contents

  • How Did Hackers Infiltrate Salesforce Accounts So Effectively?
  • What Measures Did the Companies Take After Discovery?
  • What Are the Implications for OAuth Token Security?

Earlier data breaches linked to OAuth token theft have involved fewer victims and slower detection times, often relying on individual organizations’ response capabilities rather than coordinated action between vendors. Unlike previous incidents that focused on piecemeal access, this campaign showed higher technical proficiency and automation, allowing threat actors to compromise hundreds of Salesforce customers rapidly through Salesloft Drift connections. This contrasts with other OAuth-related breaches, which have typically involved more contained exploitation.

How Did Hackers Infiltrate Salesforce Accounts So Effectively?

According to the Google Threat Intelligence Group (GTIG), the attack, which began on August 8 and lasted for 10 days, was orchestrated by a group identified as UNC6395. They used stolen OAuth tokens from Salesloft Drift, a chat agent integrated with Salesforce, to gather large volumes of customer data. Automation tools written in Python enabled them to target more than 700 organizations, processing data theft sequentially with minimal manual effort. The attackers’ main focus was harvesting high-value credentials, such as access keys for Amazon Web Services, Snowflake, and various VPNs.

What Measures Did the Companies Take After Discovery?

Once the breaches surfaced, Salesloft collaborated with Salesforce to quickly revoke all active and refresh tokens tied to the affected Salesloft Drift app. The company notified impacted users and isolated the integration responsible for the breach. Salesforce clarified that only customers using Salesloft Drift were affected, noting that its core platform was not compromised, but rather the app connection posed the risk. Google’s report states that the attack campaign ceased after access was cut on August 20.

What Are the Implications for OAuth Token Security?

This sequence of attacks underscores vulnerabilities in OAuth and third-party API integration across cloud environments. Google recommends that customers who used Salesloft Drift with Salesforce assume their data may have been accessed and take steps such as rotating credentials and investigating signs of data loss. Tyler McLellan, principal threat analyst at GTIG, stated,

“Using a single token stolen from Salesloft, the threat actor was able to access tokens for any Drift linked organization. The threat actor then used the Salesforce tokens to directly access that data and exfiltrate it to servers, where they looked for plaintext credentials including Amazon, Snowflake and other passwords,”

Salesloft confirmed collaboration with Salesforce in mitigating the situation and issued public statements encouraging vigilance and reviewing integrations. At present, Mandiant Consulting reports no signs that the attackers misused the stolen credentials beyond the immediate campaign. Austin Larsen, principal threat analyst at GTIG, commented,

“GTIG is aware of over 700 potentially impacted organizations. The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”

Stringent management and periodic review of access rights can help organizations reduce exposure to similar attacks. It is essential to audit all third-party app connections and follow standardized processes for credential rotation when an incident occurs. Token-based authentication, while enhancing convenience, introduces risks if tokens are not viewed as sensitive assets requiring strong protection. Companies using cloud-to-cloud integrations should maintain an inventory of app authorizations and prepare quick-response remediation steps should unauthorized access be detected. This multi-organization breach highlights the necessity for shared vigilance in the SaaS ecosystem, demonstrating that supply chain and integration security can have broad effects beyond individual firms. Regular security assessments and updated protocols for third-party integrations are key to reducing risks posed by increasingly sophisticated attack campaigns.
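
One way to act on the credential-rotation advice above, as an added example that is not from the original article or from GTIG, Salesloft or Salesforce: a Python scan of exported Salesforce records for plaintext secrets of the kinds the attackers searched for, producing a per-record rotation worklist. The record layout, field names and detector patterns are assumptions, and the sample records are constructed.

```python
import re

# Constructed sample of exported Salesforce Case records (not real data).
SAMPLE_RECORDS = [
    {"Id": "CASE-0001", "Subject": "S3 sync failing", "Description":
        "Using key AKIAIOSFODNN7EXAMPLE with secret "
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "CASE-0002", "Subject": "Warehouse login", "Description":
        "Login at https://acme-xy12345.snowflakecomputing.com password: Winter2025!"},
    {"Id": "CASE-0003", "Subject": "Billing question", "Description":
        "Customer asked about the invoice date."},
]

# Assumed detector set: AWS key IDs, AWS secret assignments, Snowflake URLs, passwords.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_assignment": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+"),
    "snowflake_account_url": re.compile(r"(?i)\b[\w.-]+\.snowflakecomputing\.com\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}

def mask(value):
    """Keep the first four characters only, so the report never re-logs a secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_records(records, fields=("Subject", "Description")):
    """Return one finding per detector match in the free-text fields of each record."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for name, pattern in DETECTORS.items():
                for m in pattern.finditer(text):
                    findings.append({"record": rec["Id"], "field": field,
                                     "detector": name, "match": mask(m.group(0))})
    return findings

def rotation_worklist(findings):
    """Group findings by record so responders know which credentials to rotate."""
    work = {}
    for f in findings:
        work.setdefault(f["record"], set()).add(f["detector"])
    return {rec: sorted(kinds) for rec, kinds in work.items()}

if __name__ == "__main__":
    for rec, kinds in rotation_worklist(scan_records(SAMPLE_RECORDS)).items():
        print(rec, "->", ", ".join(kinds))
```

Every record in the worklist points to a credential that should be treated as exposed and rotated at its issuing service; removing the text from the record does not undo the exposure.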

By Samantha Reed
Samantha Reed is a 40-year-old, New York-based technology and popular science editor with a degree in journalism. After beginning her career at various media outlets, her passion and area of expertise led her to a significant position at Newslinker. Specializing in tracking the latest developments in the world of technology and science, Samantha excels at presenting complex subjects in a clear and understandable manner to her readers. Through her work at Newslinker, she enlightens a knowledge-thirsty audience, highlighting the role of technology and science in our lives.