An attack between August 8 and August 18 that targeted Salesforce data through the Salesloft Drift app “is more extensive than at first thought.” The attack targeted numerous Salesforce customers, “systematically exfiltrating large volumes of data.”
Google affirmed that threat actors not only targeted the Salesforce integration with Salesloft Drift, but also targeted some Google Workspace accounts. After discovering the targeting, Google stated, “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” Google further recommended that “organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”
In addition, Zscaler recently revealed that threat actors stole OAuth tokens for its Salesloft Drift application, “enabling them to access its Salesforce instance.” The information accessed included business contact data and “Salesforce related content.” Zscaler revoked access and rotated API access tokens out of an abundance of caution. Zscaler is recommending that “customers maintain heightened vigilance. Please be wary of potential phishing attacks or social engineering attempts, which could leverage exposed contact details.”
Salesforce customers may wish to review Unit 42’s Threat Brief on the attack, which includes recommendations.