- Salesloft suffered a third-party attack earlier this week
- New information suggests all authentication tokens were compromised
- Google disabled integrations and warned victims, in response
The Salesloft cyberattack that happened earlier this week may have also compromised certain Google Workspace accounts, as well as Salesforce instances. This is according to Google’s Threat Intelligence Group (GTIG), who published an updated report to warn about the worrying discovery.
On Wednesday, news broke that revenue platform Salesloft fell victim to a third-party cyberattack in which sensitive information was stolen. The company is using Drift, a conversational marketing and sales platform that uses live chat, chatbots, and AI, to engage visitors in real time.
Alongside it is SalesDrift, a third-party platform which links Drift’s AI chat functionality to Salesforce, syncing conversations, leads, and cases, into the CRM via the Salesloft ecosystem.
Salesloft under attack
Starting around August 8, and lasting for about ten days, adversaries managed to steal OAuth and refresh tokens from SalesDrift, pivoting to customer environments, and successfully exfiltrating sensitive data.
Now, Google’s update says the scope of the compromise impacted more than the Salesforce integration: “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the update reads.
TGIG said that the attackers compromised OAuth tokens for the “Drift Email” integration, and used them to access a “very small number” of Google Workspace accounts. Apparently, only the accounts that were configured to integrate with Salesloft were compromised.
In response, Google revoked the tokens, disabled the integration functionality, and notified potentially impacted users. “We are notifying all impacted Google Workspace administrators. To be clear, there has been no compromise of Google Workspace or Alphabet itself.”
Google also recommended organizations immediately review all third-party integrations connected to their Drift instance, revoke and rotate all credentials, and monitor all connected systems for signs of unauthorized access.
The researchers believe the attack was done by a group tracked as UNC6395, although ShinyHunters claimed it was their doing.
Via BleepingComputer