Cloudflare, PAN, Zscaler, SpyCloud hit in recent Salesloft Drift supply chain breach

Victims of the Salesloft breach that occurred last month are beginning to notify customers after attackers exploited the company’s Drift AI chat integration to siphon sensitive data from Salesforce and other platforms. Among the 700+ affected organizations are major cybersecurity companies including Cloudflare, Zscaler, Palo Alto Networks, Tenable (reportedly), SpyCloud, and Tanium, as well as SaaS and cloud firms such as PagerDuty, Exclaimer, and Cloudinary.

The breach stems from compromised OAuth credentials used in the Drift-Salesforce integration, which attackers used to pull data from connected Salesforce tenants between August 8 and August 18, according to a statement from Salesloft released on August 26. Because an integration like Drift authenticates with its own OAuth tokens, whoever holds those tokens can query each connected tenant as the application would, without a user login or MFA prompt. The Drift application, widely used for sales engagement and AI-based customer interactions, integrates with various third-party tools including Salesforce and Google Workspace.

Following the initial disclosure, Google’s Threat Intelligence Group (GTIG) confirmed the breach was much wider than initially thought. On August 28, GTIG revealed that threat actors had also exploited the Drift Email integration to access Google Workspace accounts, exfiltrating email data and seeking cloud infrastructure secrets.

Security firm Astrix Security, also impacted, reported that attackers used Drift Email to compromise its Google Workspace instance. Astrix also observed attempts to access its AWS S3 buckets, suggesting the attackers may have harvested names and credentials from Salesforce data before expanding the intrusion.

While customer contact and personal data were exposed in some cases, GTIG reports that the primary objective of the attackers was to obtain AWS access keys, passwords, and Snowflake tokens.
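A first-response check a practitioner would run after learning what the attackers were searching for is to scan their own exported Salesforce Case records for the same kinds of secrets, so that every credential the intruders could have read gets rotated. The script below is an added example, not code from Salesloft, Salesforce or GTIG. It assumes records are a list of dicts keyed by the usual export column names (Id, Subject, Description, Comments); the sample records are constructed for the demo. The AWS access key ID pattern follows AWS's documented AKIA + 16 character format; the password and Snowflake patterns are keyword heuristics (an assumption) that you should tune to your own data.

```python
"""Scan exported Salesforce Case records for the secret types the Drift
intruders were after: AWS access keys, passwords and Snowflake credentials.

Added example, not vendor code. Sample records are constructed. Findings are
redacted so the report itself does not become another copy of the secret.
"""
import re
from dataclasses import dataclass

# Long-term AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# AWS secret access keys are 40 base64-like characters, usually labelled as such.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(?:secret[_ -]?(?:access[_ -]?)?key)\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
# Heuristic (assumption): "password=..." / "pwd: ..." fragments in free text.
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?(\S{6,})")
# Heuristic (assumption): "Snowflake" mentioned within 80 chars of a credential word.
SNOWFLAKE_RE = re.compile(r"(?i)snowflake[^\n]{0,80}?\b(?:token|password|pat)\b")

# Free-text fields a Case export typically carries (assumption).
FIELDS = ("Subject", "Description", "Comments")


@dataclass
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # enough to recognise the credential for rotation, never the whole value


def redact(value: str) -> str:
    """Keep a short prefix and suffix so the owner can identify which key to rotate."""
    if len(value) <= 12:
        return "***"
    return value[:4] + "..." + value[-4:]


def scan_record(record: dict) -> list[Finding]:
    """Return every secret-looking match in one exported record."""
    findings: list[Finding] = []
    rid = record.get("Id", "?")
    for field in FIELDS:
        text = record.get(field) or ""
        for m in AWS_ACCESS_KEY_RE.finditer(text):
            findings.append(Finding(rid, field, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY_RE.finditer(text):
            findings.append(Finding(rid, field, "aws_secret_access_key", redact(m.group(1))))
        for m in PASSWORD_RE.finditer(text):
            findings.append(Finding(rid, field, "password", redact(m.group(1))))
        if SNOWFLAKE_RE.search(text):
            findings.append(Finding(rid, field, "snowflake_credential", "context match"))
    return findings


def scan_records(records) -> list[Finding]:
    """Scan a whole export; the result is the rotation worklist."""
    return [f for r in records for f in scan_record(r)]


def summarize(findings) -> dict[str, int]:
    """Count findings per secret type for the incident report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample export: two records with leaked secrets, one clean.
# The AWS values are the placeholder keys from AWS documentation, not live keys.
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "Ingest failing",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE, "
                    "secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still 403."},
    {"Id": "5002", "Subject": "Snowflake connector",
     "Description": "Our Snowflake account acme-prod; the service user's "
                    "password: Sn0wf1ake!2024 stopped working."},
    {"Id": "5003", "Subject": "Billing question",
     "Description": "Invoice 4471 looks wrong, please review."},
]

if __name__ == "__main__":
    results = scan_records(SAMPLE_CASES)
    for f in results:
        print(f"{f.record_id} {f.field} {f.kind}: {f.redacted}")
    print(summarize(results))
```

On a real export, feed the CSV rows to scan_records and treat every finding as a credential to rotate, regardless of whether your logs show the Drift tokens reading that particular record: the page reports the attackers were looking for exactly these values, so the safe assumption is that anything they could read, they read.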

Following the breach, Salesloft announced that it plans to take Drift temporarily offline “in the very near future” to conduct further investigations and security improvements.

Unrelated to the breach, but worth noting: Cloudflare said it has blocked a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). The attack was a UDP flood that came mainly from Google Cloud.
