Salesloft Says Drift Customer Data Theft Linked to March GitHub Account Hack
Salesloft has revealed that a breach of its GitHub account in March allowed hackers to steal authentication tokens that were later used in a mass-hack targeting several Big Tech customers. The company cited an investigation by Google's incident response unit Mandiant, which found that the hackers accessed Salesloft's GitHub account and performed reconnaissance activities from March until June, allowing them to download "content from multiple repositories, add a guest user and establish workflows."
The timeline raises fresh questions about the company's security posture, including why it took Salesloft six months to detect the intrusion. However, the company has said that the incident is now "contained" and that its integration with Salesforce is restored.
The Attack on Drift
Salesloft said that after breaching its GitHub account, the hackers accessed the Amazon Web Services cloud environment of Drift, its AI- and chatbot-powered marketing platform. This allowed them to steal OAuth tokens belonging to Drift's customers; such tokens authorize one app or service to connect to another.
OAuth is a standard that enables Drift to integrate with platforms like Salesforce and others to interact with website visitors. By relying on OAuth, Drift can collect sensitive data from its customers, including support tickets.
The Scope of the Breach
According to Salesloft, the hackers breached several customers' accounts, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable. Many more victims of the breach are likely still unknown.
Google's Threat Intelligence Group revealed the supply chain breach late in August and attributed it to a hacking group known as UNC6395.
The Hacker Group Behind the Breach
Cybersecurity publications DataBreaches.net and Bleeping Computer previously reported that the hackers behind the breach are the prolific hacking group known as ShinyHunters. The hackers are believed to be trying to extort victims by contacting them privately.
The Thieves' Motive
Salesloft said on August 26 that the hackers' primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.
“The actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” Salesloft said. The company added that its integration with Salesforce is now restored.
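The credential types Salesloft names above (AWS access keys, passwords, Snowflake-related tokens) are what an affected customer would want to find in its own exported Salesforce case data to decide what to rotate. The following is an added example, not Salesloft's, Drift's or Salesforce's code: the regexes are constructed heuristics and the sample case records are made up.

```python
"""Exposure triage for exported support-case text. Added example, not
Salesloft's, Drift's or Salesforce's code: the regexes are constructed
heuristics for the credential types the article names; records are made up."""
import re
from typing import Dict, List

PATTERNS: Dict[str, re.Pattern] = {
    # AWS access key IDs: 20 uppercase alphanumerics starting AKIA/ASIA.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # AWS secret keys: 40 base64-style chars, usually right after a label.
    "aws_secret_access_key": re.compile(r"(?i)aws_?secret[^\n]{0,20}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # Snowflake account hostnames pasted into case text.
    "snowflake_account": re.compile(r"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.snowflakecomputing\.com\b"),
    # Explicit password/token assignments of any kind.
    "password_or_token": re.compile(r"(?i)\b(?:password|passwd|token)\s*[:=]\s*(\S{8,})"),
}

def redact(secret: str) -> str:
    """Keep a 4-char prefix so analysts can correlate without re-exposing it."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_record(record_id: str, text: str) -> List[dict]:
    """Return one finding per credential-like match in a single record."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append({"record": record_id, "kind": kind, "value": redact(value)})
    return findings

def scan_records(records: Dict[str, str]) -> List[dict]:
    """Scan every exported record; the result is the rotation worklist."""
    return [f for rid, text in records.items() for f in scan_record(rid, text)]

# Constructed sample export: three cases, two with pasted secrets.
SAMPLE_CASES = {
    "CASE-0001": ("Customer cannot upload to S3 and pasted their keys: "
                  "aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                  "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY "
                  "please advise."),
    "CASE-0002": ("Snowflake connector errors for account "
                  "acme-prod.us-east-1.snowflakecomputing.com; service user "
                  "token= sfv_EXAMPLE9f3k2m1x8q7z was shared in chat."),
    "CASE-0003": "Chat widget not loading on the pricing page.",
}

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_CASES):
        print(finding)
```

Every finding is a rotation candidate; the heuristics only know the formats listed, so an empty result is a reason to widen the patterns, not proof of no exposure.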
Contact Us
For more information about this data breach, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.