Security Firms Hit by Salesforce–Salesloft Drift Breach

Hackers accessed customer contact information and case data from Salesforce instances at Cloudflare, Palo Alto Networks, and Zscaler.

Cybersecurity firms Cloudflare, Palo Alto Networks, and Zscaler on Tuesday confirmed that their Salesforce instances were hacked as part of the Salesforce-Salesloft Drift data theft campaign disclosed last week.

Between August 8 and August 18, hackers used compromised OAuth tokens for Salesloft Drift, a third-party AI chatbot, to export large volumes of data from the Salesforce instances of hundreds of organizations.

Attributed to a threat actor tracked as UNC6395 by Google and GRUB1 by Cloudflare, the campaign was aimed at extracting credentials and other sensitive information, including AWS access keys, passwords, and Snowflake-related access tokens.

The campaign was disclosed on August 26 and resulted in Salesforce disabling all integrations with Salesloft, which is taking Drift offline to review it and enhance its resilience.

While initial reports suggested that only organizations that used the Drift-Salesforce integration were impacted, Google’s Threat Intelligence Group (GTIG) on August 28 revealed that Google Workspace customers were affected as well.

On Tuesday, Cloudflare, Palo Alto Networks, and Zscaler confirmed that they were among the hundreds of organizations that had their Salesforce instances hacked as part of this campaign.

“Palo Alto Networks confirms that it was one of hundreds of customers impacted by the widespread supply chain attack targeting the Salesloft Drift application that exposed Salesforce data. We quickly contained the incident and disabled the application from our Salesforce environment,” the company told SecurityWeek.

“The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data. We are in the process of directly notifying any impacted customers,” the company said.

In a detailed report on the attack, Cloudflare said the hackers exfiltrated customer contact information and basic support case data, which could expose customer configuration and sensitive information such as logs, tokens, and passwords.

“As part of our response to this incident, we did our own search through the compromised data to look for tokens or passwords and found 104 Cloudflare API tokens. We have identified no suspicious activity associated with those tokens, but all of these have been rotated in an abundance of caution,” Cloudflare said.

Cloudflare’s investigation revealed that the hackers used Salesloft integration credentials to access its Salesforce instance, ran reconnaissance queries for several days, and on August 17 launched a Salesforce Bulk API 2.0 job that exfiltrated a database in roughly three minutes.
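The search Cloudflare describes, combing the exported data for tokens and passwords so they can be rotated, is the kind of triage a defender can script. The following is an added example, not code from Cloudflare, Salesforce or SecurityWeek: it scans a constructed set of exported support-case records for credential-like strings and summarises what needs rotation. The AWS access-key-ID prefix is a public format; the password and token patterns are generic assumptions, not any vendor's real token format.

```python
import re
from collections import Counter

# Constructed sample export of Salesforce support-case records (not real data).
SAMPLE_CASES = [
    {"CaseNumber": "00001001",
     "Description": "Deploy fails with AccessDenied. Key AKIAIOSFODNN7EXAMPLE, region us-east-1."},
    {"CaseNumber": "00001002",
     "Description": "Login still rejected, password: Hunter2!Hunter2 was reset yesterday."},
    {"CaseNumber": "00001003",
     "Description": "Question about licensing tiers for the enterprise plan."},
    {"CaseNumber": "00001004",
     "Description": "Worker returns 403 when called with api_token=exampletoken_0123456789abcdefghij"},
]

# Patterns for credential-like strings customers paste into support cases.
# The AWS key-ID prefix is public; the other two are assumptions, not vendor formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S{8,})"),
    "token_assignment": re.compile(
        r"(?i)\b(?:api[_-]?token|access[_-]?token|secret)\s*[:=]\s*([A-Za-z0-9_\-]{20,})"),
}


def redact(value: str) -> str:
    """Keep a short prefix so a finding is traceable without re-exposing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases):
    """Return one finding per credential-like match across the case descriptions."""
    findings = []
    for case in cases:
        text = case.get("Description", "")
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append({"case": case["CaseNumber"], "kind": kind, "value": redact(value)})
    return findings


def rotation_summary(findings):
    """Count findings by kind; each kind maps to a rotation or reset action for the owner."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    found = scan_cases(SAMPLE_CASES)
    for f in found:
        print(f)
    print(rotation_summary(found))
```

The redacted prefix is enough to match a finding back to a key inventory without copying the full secret into a ticket.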

Zscaler said the customer information stolen from its Salesforce instance includes names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases.

“We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks. Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations,” Cloudflare said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.