Salesloft Says Drift Customer Data Thefts Linked To March GitHub Account Hack


10:35 AM PDT · September 8, 2025

Salesloft said a breach of its GitHub account in March allowed hackers to steal authentication tokens that were later used in a mass-hack targeting several of its big tech customers.

Citing an investigation by Google’s incident response unit Mandiant, Salesloft said on its data breach page that the as-yet-unnamed hackers accessed Salesloft’s GitHub account and performed reconnaissance activities from March until June, which allowed them to download “content from multiple repositories, add a guest user and establish workflows.”

The timeline raises fresh questions about the company’s security posture, including why it took Salesloft some six months to detect the intrusion.

Salesloft said that the incident is now “contained.”

Contact Us

Do you have more information about these data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

After the hackers broke into its GitHub account, the company said the hackers accessed the Amazon Web Services cloud environment of Salesloft’s AI and chatbot-powered marketing platform Drift, which allowed them to steal OAuth tokens for Drift’s customers. OAuth is a standard that allows users to authorize one app or service to connect to another. By relying on OAuth, Drift can integrate with platforms like Salesforce and others to interact with website visitors.

In stealing these tokens, the threat actors breached several of Salesloft’s customers, such as Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among others, many of which are likely still unknown.

Google’s Threat Intelligence Group revealed the supply chain breach late in August, attributing it to a hacking group it calls UNC6395.

Cybersecurity publications DataBreaches.net and Bleeping Computer previously reported that the hackers behind the breach are the prolific hacking group known as ShinyHunters. The hackers are believed to be trying to extort victims by contacting them privately.

By accessing Salesloft tokens, the hackers then accessed Salesforce instances, where they stole sensitive data contained in support tickets. “The actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” Salesloft said on August 26.

Salesloft said on Sunday that its integration with Salesforce is now restored.

Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.

You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.