Hackers Hijack Salesloft: OAuth Token Theft Sparks Major Data Breach!
Hackers have breached Salesloft, stealing OAuth and refresh tokens linked to the Drift AI chat agent. The threat actor, UNC6395, targeted Salesforce customer instances, exporting large volumes of data. This isn’t a one-off compromise; it’s a precise, calculated effort, potentially setting the stage for a broader supply chain attack.

Hot Take:
Looks like the hackers have finally gotten tired of stealing identities and are now going after the real prize: sales automation platforms! Their latest caper involves swiping OAuth and refresh tokens from Salesloft to lift data from Salesforce instances like it’s a new Olympic sport. But don’t worry, Salesloft and Salesforce are on it like a cat on a laser pointer, and they’re pulling out all the stops to make sure your data isn’t the next victim of these digital cat burglars. Just remember to rotate those credentials faster than a DJ at a rave!

Key Points:
– Hackers breached Salesloft using compromised OAuth and refresh tokens linked to the Drift AI chat agent.
– Targeted Salesforce instances to exfiltrate data, including AWS access keys and passwords.
– UNC6395 threat actor showed operational security savvy by deleting query jobs.
– Salesloft issued a security advisory and has revoked Drift-Salesforce connections.
– Salesforce identified a “small number of customers” affected and removed Drift from AppExchange.