Salesloft Drift Hack Leads to Rash of Compromised OAuth Tokens; Cybersecurity Companies Victimized

September 9, 2025


Thus far about 700 Salesloft Drift customers are confirmed to have had OAuth tokens or some other access credential stolen in the attack, including some of the biggest names in cybersecurity.

If your organization makes use of Salesloft’s “Drift” customer relations tool, you may be at risk of compromise due to stolen OAuth tokens. While the company has already rotated keys for its managed clients, those managing their own Drift connections via API key should revoke existing keys immediately.

It remains unclear who the breach perpetrator is or how many organizations are impacted in total, with the incident window lasting from about August 8 to August 18. The exact total number of Drift clients is not made public, but it is thought to be at least 5,000 based on prior Salesloft marketing statements. Thus far about 700 of those are confirmed to have had OAuth tokens or some other access credential stolen in the attack, including some of the biggest names in cybersecurity.

Unknown hackers target cybersecurity industry, may be setting up new breach site for ransoms

In terms of downstream compromise of Drift users, the impact seems to vary by organization. Google reports that a “very small” number of Google Workspace OAuth tokens for individual users were stolen in the attack, but Google and Workspace themselves have not been compromised in any way. Some other organizations, including leading cybersecurity names like Cloudflare and Palo Alto Networks, are reporting more direct breaches of their internal networks.

What is known about the threat actor is that they are rapidly combing compromised accounts for secrets and further credentials, and that a seemingly new hacking group claiming credit for the attack says that it will be posting ransom demands to a new breach site called “Breachstars” in the coming days. The group refers to itself with a jumble of names from other well-known hacking groups, seemingly interested more in confusing researchers than in establishing a brand as of yet.

While any implementation of Drift is thought to potentially be compromised at this point, most of the big names that have reported breaches thus far say that it happened via their Salesforce integration with the service. This includes Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, SpyCloud, Tanium, and Tenable. The attackers were able to view customer support tickets and pull text and access tokens from some of them using the stolen OAuth tokens, though not all of the breached parties are reporting loss of customer credentials at this time.

The targeting of Salesforce naturally calls to mind ShinyHunters, who (very likely in tandem with Scattered Spider) have been victimizing the same sorts of individual implementations for months now. But there is not yet any good evidence linking the prolific hackers to this particular attack. It would make little sense for them to obfuscate who perpetrated the breach and stole the OAuth tokens, as throwing their brand name around while shaking down victims is a key part of their ransom strategy.

The signs thus far point to some new unknown actor that figured out how to manipulate Drift’s AI features to reveal secrets in some novel way, somewhat akin to the recent breach of Lenovo’s website AI chat feature.

Exact manner of theft of OAuth tokens still being investigated

As of September 5, Drift is offline for an unspecified length of time as the attack is investigated and security is shored up. There has been some confusion since the breach was first publicly reported on August 25, as the initial blog post about it emphatically stated that only Salesforce integrations were at risk. Google Threat Intelligence has since revealed that this is not true and that all Drift clients are potentially at risk. Salesloft says that it has directly contacted all impacted customers at this point.

As to individual organizational risk, it depends very much on what is available in their customer support tickets. This could mean access keys and confidential internal network and client information, though some victims (such as Cloudflare) report that the attackers were not able to access attached files.
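Since organizational risk hinges on what credentials were sitting in support ticket text, the first defensive step is to measure that exposure. The script below is an added example, not code from this article or from Salesloft, Salesforce or any of the named victims: it scans an exported set of tickets for credential-shaped strings and reports redacted findings per ticket so the right keys can be prioritized for rotation. It assumes the export is a list of records with `id` and `body` fields, uses only widely documented public token prefixes (AWS `AKIA…` access key IDs, GitHub `ghp_` tokens, Slack `xox…` tokens, bearer headers, `password:` assignments) as its pattern table, and the sample tickets are constructed (the AWS key is AWS's own published placeholder value).

```python
import json
import re
from dataclasses import dataclass

# Credential-shaped patterns commonly found pasted into support tickets.
# Assumption: these generic, publicly documented prefixes are a starting
# point; extend the table with the token formats your own tenant issues.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    # Group 1 captures the token following an HTTP "Bearer" scheme.
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    # Group 1 captures the value of "password: xyz" / "pwd=xyz" assignments.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"
    ),
}


@dataclass
class Finding:
    ticket_id: str
    kind: str
    redacted: str  # never log the full secret; keep only enough to locate it


def redact(secret: str) -> str:
    """Keep the first and last four characters so the owner can identify
    the credential without the report itself becoming a secret store."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_ticket(ticket_id: str, body: str) -> list[Finding]:
    """Run every pattern over one ticket body and return redacted findings."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(body):
            secret = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(ticket_id, kind, redact(secret)))
    return findings


def scan_export(tickets: list[dict]) -> list[Finding]:
    """Scan a whole export (list of {"id": ..., "body": ...} records)."""
    findings = []
    for ticket in tickets:
        findings.extend(scan_ticket(ticket["id"], ticket["body"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by credential type, to prioritize rotation work."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


def load_tickets_json(path: str) -> list[dict]:
    """Load an export file; the expected shape is an assumption (see above)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample tickets standing in for a real export.
SAMPLE_TICKETS = [
    {"id": "T-1001", "body": "Customer says integration fails. Their key is "
                             "AKIAIOSFODNN7EXAMPLE and the secret was reset yesterday."},
    {"id": "T-1002", "body": "Attached logs show Authorization: Bearer "
                             "eyJhbGciOiJIUzI1NiJ9.c29tZS1jb25zdHJ1Y3RlZC1wYXlsb2Fk.c2lnbmF0dXJl"},
    {"id": "T-1003", "body": "Password: Hunter2-temp please rotate after testing. "
                             "Nothing else to report."},
    {"id": "T-1004", "body": "Just a how-to question about the Drift widget, "
                             "no credentials included."},
]


if __name__ == "__main__":
    results = scan_export(SAMPLE_TICKETS)
    for finding in results:
        print(f"{finding.ticket_id}\t{finding.kind}\t{finding.redacted}")
    print("summary:", summarize(results))
```

The report deliberately carries only redacted values: the point is to tell the ticket owners which keys to revoke, not to create a second copy of the secrets the attackers were after. For a real export, replace `SAMPLE_TICKETS` with `load_tickets_json("tickets.json")` and feed the summary into whatever rotation tracking you use.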