Google links Salesforce data thefts to Salesloft breach • The Register

08/27/2025


Google says a recent spate of Salesforce-related breaches was caused by attackers stealing OAuth tokens from the third-party Salesloft Drift app.

Drift is used for automating sales processes, and it integrates with Salesforce databases, pulling relevant information such as leads and contact details into the platform to help coordinate pitches.

Crucially, the campaign is being treated separately from the attacks on high-profile organizations – including Google itself – that also involved Salesforce data thefts.

Attacks on the likes of Allianz Life, Workday, Qantas, LVMH brands, and more have been widely reported over the summer, but aren’t thought to be linked to the Salesloft compromise.

Instead, these incidents have widely been attributed to and claimed by the ShinyHunters group (UNC6240). Google says there isn’t enough evidence to suggest the same attackers are behind the Salesloft incidents.

While Salesforce customers have been targeted since May, it’s believed these were more a blend of social engineering and stolen credentials, whereas the Salesloft attacks saw attackers steal Drift OAuth tokens to access Salesforce databases.

Neither this week's advisory from Salesloft nor the one from Google Threat Intelligence Group (GTIG) detailed exactly how the attacks transpired or how the tokens were stolen, but we know they all took place between August 8 and 18.

Salesloft said: “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.”

GTIG’s advisory noted that once the attackers, tracked as UNC6395, gained access using stolen OAuth tokens, they ran queries for data associated with Salesforce objects such as cases, accounts, users, and opportunities.

The two companies worked together and have since revoked all active access and refresh tokens, meaning IT admins must re-authenticate their connections between the third-party sales app and Salesforce.

Salesforce also removed the Drift app from AppExchange until the investigation into the attacks concludes, pending Salesloft’s assurance that the platform is secure.

The pair released an extensive list of indicators of compromise (IOCs) for admins to examine, although the only Drift customers who need to investigate signs of malicious activity are those whose platforms integrated with Salesforce. All others are deemed safe.

However, although there is nothing to suggest that Google Cloud Platform (GCP) itself was compromised as part of the attacks, all Drift customers are advised to review their Salesforce objects for any GCP service account keys.

GTIG and Salesloft added that all potentially affected customers were notified directly.

“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps,” GTIG said in its advisory.

“Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor.”
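One way to carry out that search over an exported set of Salesforce records is shown below. This is an added example, not tooling from The Register, Salesloft, Salesforce or Google; the sample records are constructed, the record shape (an `attributes.type` field naming the object) follows a Salesforce REST export, and the Snowflake pattern is a heuristic assumption rather than a documented token format.

```python
"""Scan exported Salesforce records for the secret types GTIG told Drift
customers to look for: AWS access keys, GCP service account keys and
Snowflake-related tokens. Added example; sample data is constructed."""
import re

# AWS access key IDs are 20 characters beginning with AKIA or ASIA.
AWS_ACCESS_KEY = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A pasted GCP service account key is JSON with "type": "service_account"
# and an embedded PEM private key; either marker is enough to flag it.
GCP_SA_KEY = re.compile(r'"type"\s*:\s*"service_account"|-----BEGIN PRIVATE KEY-----')
# Heuristic (assumption): Snowflake account hosts or explicitly labelled tokens.
SNOWFLAKE_HINT = re.compile(r"snowflakecomputing\.com|snowflake[_ -]?token", re.I)

# Secret type -> (pattern, remediation the article's advice maps to).
PATTERNS = {
    "aws_access_key": (AWS_ACCESS_KEY, "revoke the key in IAM and rotate"),
    "gcp_service_account_key": (GCP_SA_KEY, "delete the key and issue a new one"),
    "snowflake_token": (SNOWFLAKE_HINT, "revoke the token and reset the user"),
}

def find_secrets(record):
    """Return (object type, Id, field, secret type, action) for each hit.
    Only string fields are inspected; the object name comes from
    record["attributes"]["type"] as in a Salesforce REST export."""
    obj = record.get("attributes", {}).get("type", "Unknown")
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for name, (pattern, action) in PATTERNS.items():
            if pattern.search(value):
                hits.append((obj, record.get("Id"), field, name, action))
    return hits

def scan_export(records):
    """Flatten hits across all records; an empty list means nothing was found."""
    return [hit for rec in records for hit in find_secrets(rec)]

# Constructed sample records (AKIAIOSFODNN7EXAMPLE is AWS's documented
# example key ID; every other value here is invented).
SAMPLE_RECORDS = [
    {"attributes": {"type": "Case"}, "Id": "500EXAMPLE000001",
     "Description": "Customer pasted AKIAIOSFODNN7EXAMPLE while debugging S3 sync"},
    {"attributes": {"type": "Account"}, "Id": "001EXAMPLE000002",
     "Notes": '{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\n..."}'},
    {"attributes": {"type": "Opportunity"}, "Id": "006EXAMPLE000003",
     "Description": "Warehouse at acme.snowflakecomputing.com, token attached to ticket"},
    {"attributes": {"type": "User"}, "Id": "005EXAMPLE000004", "Title": "Sales engineer"},
]

if __name__ == "__main__":
    for hit in scan_export(SAMPLE_RECORDS):
        print(hit)
```

Every hit is a lead to triage by hand: the pattern list is deliberately narrow, so extend it with whatever credential formats your own Salesforce data is likely to hold.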

The Register approached Salesforce for comment and we’ll update this article if we receive a response. ®