A recent data theft campaign targeted Salesforce customers via the Salesloft Drift integration, exploiting compromised OAuth tokens to access sensitive data. Google Workspace accounts specifically linked to Salesloft Drift were also impacted, prompting immediate token revocation and security reviews.
Key points
- The campaign utilized compromised OAuth tokens to extract large volumes of data from Salesforce instances.
- The threat actor, UNC6395, targeted cloud credentials such as AWS keys and Snowflake tokens.
- Google identified and revoked OAuth tokens for the affected Drift Email and Google Workspace accounts.
- Organizations are advised to review, rotate, and secure their third-party application credentials.
- Salesloft and partners are working with cybersecurity firms to investigate and restore affected integrations.
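
One way to act on the advice to review and rotate credentials, given that the actor went after AWS keys and Snowflake tokens: scan your own exported Salesforce records for the same kinds of secrets so you know what needs rotating. This is an added example, not part of the original report; the record layout, the Snowflake and generic-secret patterns, and the sample data are assumptions constructed for illustration.

```python
import re

# AKIA (long-term) and ASIA (temporary) are AWS's documented access key ID
# prefixes. The Snowflake and generic patterns are heuristics assumed here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "generic_secret": re.compile(
        r"\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*(\S{8,})", re.I),
}

def redact(value):
    """Keep only enough of a match for its owner to recognise and rotate it."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_records(records):
    """Return sorted (record_id, field, kind, shown_value) for every hit."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    # group(1) is the secret itself where the pattern captures one
                    value = m.group(1) if rx.groups else m.group(0)
                    # an account URL is a locator, not a secret: show it in full
                    shown = value if kind == "snowflake_account_url" else redact(value)
                    findings.append((rec["Id"], field, kind, shown))
    return sorted(findings)

# Constructed sample shaped like a Salesforce Case export (not real data).
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE = [
    {"Id": "CASE-0001", "Subject": "S3 sync failing",
     "Description": "Customer pasted key AKIAIOSFODNN7EXAMPLE into the ticket."},
    {"Id": "CASE-0002", "Subject": "Warehouse login",
     "Description": "Connect to acme-test.snowflakecomputing.com "
                    "with password: Constructed-Pw-123"},
    {"Id": "CASE-0003", "Subject": "Billing question",
     "Description": "Invoice total looks wrong for March."},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE):
        print(finding)
```

Every hit is a credential to rotate at its issuer, since removing it from the record does nothing for copies already exfiltrated.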