Salesloft Drift Breach Exposes Salesforce Data of Multiple Companies
Salesforce has alerted users to a serious security breach involving its Drift app. The incident, linked to a sophisticated data theft campaign, has exposed sensitive social security data of multiple customers, including Zscaler, Cloudflare, and Palo Alto. Unauthorized actors gained access to Salesforce Drift credentials, compromising both Salesforce and Google Workspace accounts.
The breach, attributed to threat actor UNC6395, saw large volumes of data systematically exported from numerous corporate Salesforce instances. Affected information includes business contact details, product licensing, and certain support case content. The attackers exploited stolen OAuth tokens to access Salesforce data and, via the Drift Email integration, some Google Workspace emails.
Google and Mandiant have confirmed the large-scale data theft campaign, which targeted Salesforce in order to steal OAuth tokens. Zscaler, one of the affected companies, has taken swift action by revoking Drift's Salesforce access, rotating API tokens, and implementing additional safeguards.
The Salesforce Drift OAuth breach has impacted multiple Salesforce customers, highlighting the importance of robust security measures and prompt response to such incidents. Affected parties are urged to review their data access and ensure the security of their credentials.