Salesforce Data Heist: When Tokens Go Rogue and Humans Stay Clueless!
Salesforce customers beware! A “widespread data theft campaign” has struck again, this time through compromised OAuth tokens tied to Salesloft Drift. Experts suspect a state actor is behind UNC6395’s methodical data heist. So, if you’re using Drift, it’s time to revoke those tokens and rethink your API keys.

Hot Take:
Salesforce customers might want to invest in some serious cybersecurity muscle because it seems their data is being treated like free samples at a supermarket on a Saturday morning. UNC6395, the latest in a line of shadowy cyber villains, has decided to indulge in a full buffet of Salesforce data through the compromised Salesloft Drift app. Consider this a wake-up call: if your Salesforce data were a sitcom, it’d be “Friends,” because everyone’s getting a piece of it!

Key Points:
- Salesforce customers have been targeted via compromised OAuth tokens linked to Salesloft Drift.
- Google’s Threat Intelligence Group identified the perpetrator as UNC6395, who exfiltrated data from numerous Salesforce instances.
- The primary goal was to harvest credentials for further compromise, including AWS access keys and Snowflake tokens.
- Salesloft has revoked all access tokens and is investigating the incident, while Salesforce has temporarily removed the Drift app.
- Experts speculate the attack could be state-sponsored due to its scale and sophistication.