SecurityWeek

Data Breaches

More Cybersecurity Firms Hit by Salesforce-Salesloft Drift Breach

Proofpoint, SpyCloud, Tanium, and Tenable confirmed that hackers accessed information stored in their Salesforce instances.

Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed that information in their Salesforce instances was compromised as part of the recent Salesforce–Salesloft Drift attack.

The campaign was publicly disclosed on August 26, when Google’s threat intelligence team reported that a threat actor tracked as UNC6395 exported large volumes of data using compromised OAuth tokens for the third-party AI chatbot Salesloft Drift.

The attackers, Google said, exploited the Salesforce-Salesloft Drift integration to steal data pertaining to hundreds of organizations, targeting sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens.

Initially believed to only impact organizations that used the Drift integration, the campaign was later found to have affected other Salesforce customers as well.

On August 28, Google revealed that Workspace customers were affected, and shortly after, security firms Cloudflare, Palo Alto Networks, and Zscaler disclosed that they were impacted as well.

Overall, the attack is estimated to have hit over 700 organizations, and Proofpoint, SpyCloud, Tanium, and Tenable have confirmed being affected.

Proofpoint revealed that the attackers accessed its Salesforce tenant through the compromised Drift integration, and that they viewed certain information stored in it.

“At this time, there is no evidence that this supply chain incident affected Proofpoint’s software, services, security products, customer-protected data, or internal corporate network,” the company said.

SpyCloud, which was previously a Salesloft Drift customer, announced that standard customer relationship management fields were compromised in the attack.

“Consumer data is not believed to have been accessed. We notified our customers last week that data relating to their relationship with SpyCloud was exposed through this Salesloft Drift incident,” SpyCloud said.

Tanium confirmed that the attackers exploited the Salesloft Drift integration to access data in its Salesforce instance, and that information such as names, email addresses, phone numbers, and region/location references was compromised.

“We can confirm definitively that unauthorized access was limited to our Salesforce data and no access to the Tanium platform or any other internal systems or resources took place,” Tanium noted.

Tenable revealed that support case information, including subject lines, initial descriptions, and business contact details, such as names, phone numbers, business email addresses, and regional/location references, was compromised in the attack.

The company also noted that it had no evidence that the stolen information had been misused, adding that it took all the necessary steps to address the issue, including rotating credentials, removing the application, securing its systems, and monitoring the Salesforce instance.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
