Salesloft has disclosed that a breach of its GitHub account in March allowed hackers to steal authentication tokens. These tokens were later used in a large-scale hack targeting several of its major technology customers.
According to an investigation by Google’s Mandiant incident response unit, the unnamed hackers accessed Salesloft’s GitHub account. They performed reconnaissance activities from March until June, which enabled them to download content from multiple repositories, add a guest user, and establish workflows. This timeline raises serious questions about the company’s security posture, including why it took Salesloft approximately six months to detect the intrusion. The company has stated that the incident is now contained.
After breaching the GitHub account, the hackers accessed the Amazon Web Services cloud environment of Drift, Salesloft’s AI and chatbot-powered marketing platform. This access allowed them to steal OAuth tokens for Drift’s customers. OAuth is a standard that allows users to authorize one app or service to connect to another, enabling Drift to integrate with platforms like Salesforce.
By stealing these tokens, the threat actors breached several Salesloft customers. Affected companies include Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among many others that are likely still unknown. Google’s Threat Intelligence Group revealed this supply chain breach in late August, attributing it to a hacking group it calls UNC6395.
Cybersecurity publications have previously reported that the prolific hacking group known as ShinyHunters is behind the breach. The hackers are believed to be attempting to extort victims by contacting them privately.
Using the stolen Salesloft tokens, the hackers accessed Salesforce instances to steal sensitive data from support tickets. Salesloft stated that the actor’s primary objective was to steal credentials, focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.
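The credential-harvesting objective described above is worth turning into a standing check on the defender's side: support tickets are a place where customers routinely paste AWS keys, passwords and similar secrets, so a ticketing system should be scanned for them and the findings redacted. The following scanner is an added example, not Salesloft's or Salesforce's code; the ticket texts are constructed (the AWS key values are the documentation placeholders AWS publishes), and the non-AWS patterns are heuristics to be tuned for a real system.

```python
import re
from typing import Dict, List

# Credential types named in the Salesloft/Drift reporting. Only the AWS access
# key ID prefix (AKIA for long-lived keys, ASIA for temporary ones) is a fixed,
# documented format; the other patterns are heuristics (assumption).
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
    "snowflake_token": re.compile(r"(?i)snowflake[_-]?(?:token|pat)\s*[=:]\s*(\S+)"),
}

# Constructed sample tickets; AWS values are the public AWS documentation examples.
TICKETS = {
    "T-1001": ("Hi, our sync is failing. Config below:\n"
               "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
               "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "T-1002": "Login still broken. Temporary password: Tr0ub4dor&3 for user svc_drift",
    "T-1003": "Can you confirm the webhook URL? Thanks.",
}


def redact(secret: str) -> str:
    """Keep just enough of a secret to locate it in the ticket, never the whole value."""
    return f"{secret[:4]}...{secret[-2:]}" if len(secret) > 8 else "***"


def scan_ticket(ticket_id: str, body: str) -> List[dict]:
    """Return one finding per matched secret, with the value already redacted."""
    findings = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group carry the secret in group 1;
                # the bare access-key-ID pattern is the secret itself (group 0).
                secret = match.group(match.lastindex or 0)
                findings.append({"ticket": ticket_id, "line": line_no,
                                 "type": name, "preview": redact(secret)})
    return findings


def scan_all(tickets: Dict[str, str]) -> Dict[str, List[dict]]:
    """Scan every ticket; only tickets with at least one finding are reported."""
    results = {tid: scan_ticket(tid, body) for tid, body in tickets.items()}
    return {tid: found for tid, found in results.items() if found}


if __name__ == "__main__":
    for tid, found in scan_all(TICKETS).items():
        for f in found:
            print(f"{tid} line {f['line']}: {f['type']} ({f['preview']})")
```

Run on a real export, the output is the list of tickets whose contents need purging and whose exposed credentials need rotating, which is the same inventory the attackers were building.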
Salesloft has announced that its integration with Salesforce has now been restored.