Google warns Salesloft attack may have compromised Workspace accounts and Salesforce instances


  • Salesloft suffered a third-party attack earlier this week
  • New information suggests all authentication tokens connected to Drift should be treated as compromised
  • In response, Google revoked tokens, disabled the integration and warned victims

The Salesloft cyberattack that came to light earlier this week may also have compromised a small number of Google Workspace accounts, in addition to the Salesforce instances already known to be affected. This is according to Google’s Threat Intelligence Group (GTIG), which published an updated report to warn about the wider scope of the compromise.

On Wednesday, news broke that revenue platform Salesloft fell victim to a third-party cyberattack in which sensitive information was stolen. Salesloft owns Drift, a conversational marketing and sales platform that uses live chat, chatbots and AI to engage website visitors in real time.

Drift’s integration with Salesforce links its AI chat functionality to the CRM, syncing conversations, leads and cases into Salesforce via the Salesloft ecosystem. It is this integration, and the OAuth tokens behind it, that the attackers abused.

Salesloft under attack

Starting around August 8 and lasting for about ten days, adversaries stole OAuth and refresh tokens from Salesloft Drift, used them to pivot into customers’ Salesforce environments, and successfully exfiltrated sensitive data.

Now, Google’s update says the scope of the compromise impacted more than the Salesforce integration: “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the update reads.

GTIG said that the attackers also compromised OAuth tokens for the “Drift Email” integration and used them to access a “very small number” of Google Workspace accounts. Only accounts that had been configured to integrate with Salesloft Drift were affected.

In response, Google revoked the tokens, disabled the integration functionality, and notified potentially impacted users. “We are notifying all impacted Google Workspace administrators. To be clear, there has been no compromise of Google Workspace or Alphabet itself.”

Google also recommended organizations immediately review all third-party integrations connected to their Drift instance, revoke and rotate all credentials, and monitor all connected systems for signs of unauthorized access.
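The last of those recommendations, monitoring connected systems for unauthorized access, is the one most teams struggle to turn into a concrete check. The following is an added, illustrative example (not code from Google, Salesloft or BleepingComputer) of how a Salesforce admin might triage an export of the LoginHistory object: it flags OAuth logins made through the Drift connected app during the roughly August 8 to 18 window the article describes, lists source IPs that never appeared for Drift before that window, and counts any Drift login attempts after the date the org revoked its tokens. The CSV records, the user IDs, the IP addresses, the revocation date, the application name "Drift" and the "Remote Access 2.0" login-type label are all constructed or assumed for the example.

```python
"""Triage helper for Salesforce LoginHistory exports after the Drift token theft.

Added example, not code from Google, Salesloft or BleepingComputer. It assumes a
CSV export of the LoginHistory object with the columns UserId, LoginTime,
SourceIp, Application, LoginType and Status. All sample data below is constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Compromise window taken from the article: from around August 8, for about ten days.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Assumed (hypothetical) date on which this org revoked the Drift tokens.
REVOKED_AT = datetime(2025, 8, 20, tzinfo=timezone.utc)

# Assumed: how the Drift connected app is named in LoginHistory.Application.
DRIFT_APP = "Drift"
# Assumed: LoginType label Salesforce uses for OAuth 2.0 token-based logins.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"

# Constructed sample export: one pre-window Drift login (baseline), two Drift
# logins inside the window from an IP never seen before, one ordinary browser
# login, and one Drift attempt after the tokens were revoked.
SAMPLE_LOGIN_HISTORY = """UserId,LoginTime,SourceIp,Application,LoginType,Status
005000000000001,2025-08-05T09:12:00Z,203.0.113.10,Drift,Remote Access 2.0,Success
005000000000001,2025-08-11T02:47:13Z,198.51.100.7,Drift,Remote Access 2.0,Success
005000000000002,2025-08-12T03:01:55Z,198.51.100.7,Drift,Remote Access 2.0,Success
005000000000002,2025-08-12T10:30:00Z,203.0.113.44,Browser,Application,Success
005000000000003,2025-08-21T01:15:22Z,198.51.100.9,Drift,Remote Access 2.0,Failed
"""


def parse_login_history(csv_text):
    """Parse the CSV export; LoginTime becomes a timezone-aware datetime."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")
        row["LoginTime"] = ts.replace(tzinfo=timezone.utc)
        records.append(row)
    return records


def drift_logins_in_window(records, start=WINDOW_START, end=WINDOW_END):
    """OAuth logins through the Drift app during the compromise window."""
    return [
        r for r in records
        if r["Application"] == DRIFT_APP
        and r["LoginType"] == OAUTH_LOGIN_TYPE
        and start <= r["LoginTime"] <= end
    ]


def new_source_ips(records, start=WINDOW_START):
    """Window-time Drift source IPs that never appeared for Drift before the window."""
    baseline = {
        r["SourceIp"] for r in records
        if r["Application"] == DRIFT_APP and r["LoginTime"] < start
    }
    in_window = {r["SourceIp"] for r in drift_logins_in_window(records, start)}
    return sorted(in_window - baseline)


def post_revocation_attempts(records, revoked_at=REVOKED_AT):
    """Any Drift login attempt after revocation means a token is still being tried."""
    return [
        r for r in records
        if r["Application"] == DRIFT_APP and r["LoginTime"] > revoked_at
    ]


def triage(records):
    """Summarise what an admin needs to act on."""
    hits = drift_logins_in_window(records)
    return {
        "users_to_review": sorted({r["UserId"] for r in hits}),
        "new_source_ips": new_source_ips(records),
        "post_revocation_attempts": len(post_revocation_attempts(records)),
    }


if __name__ == "__main__":
    for key, value in triage(parse_login_history(SAMPLE_LOGIN_HISTORY)).items():
        print(f"{key}: {value}")
```

A login that fails after revocation is still a signal worth keeping: it shows the stolen token was retried, which is exactly the evidence needed to justify rotating every credential the Drift integration could reach rather than only the ones already known to have been used.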

GTIG attributes the campaign to a group it tracks as UNC6395, although the ShinyHunters extortion group has separately claimed responsibility.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
