Article Details
Scrape Timestamp (UTC): 2025-09-08 19:55:28.053
Source: https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/
Original Article Text
How huge breach started: Drift attackers gained entry via a Salesloft GitHub account. Meanwhile the victim count grows.

The Salesloft Drift breach that compromised "hundreds" of companies including Google, Palo Alto Networks, and Cloudflare all started with miscreants gaining access to the Salesloft GitHub account in March.

This new information comes from a Saturday update on the Mandiant-led investigation - Salesloft hired the incident response firm to determine the root cause and scope of the incident - and a Sunday alert that the integration between Salesloft and Salesforce has now been restored.

We now know that crims got their initial access sometime in March. Between then and June, the attackers accessed the Salesloft GitHub account, downloaded content from "multiple" repositories, added a guest user, and established workflows.

The postmortem doesn't say how the intruders gained access to the GitHub account. The Register has asked Salesloft about this and will update this story if we receive a response.

It also doesn't attribute the attack to a specific gang, although Google (which owns Mandiant) previously blamed UNC6395 for the Drift-related breaches. UNC is the tracker Google uses for uncategorized threat groups, as opposed to nation-state attackers (APT) and financially motivated crews (FIN). If you're confused by all the gang names, see our explainer here.

Cloudflare last week pinned the attack on a threat group it tracks as GRUB1 that aligns with UNC6395. And it's suspected that ShinyHunters, which Google says has some overlap with UNC6395, also played some role in the intrusions.

Regardless of what you call the digital data thieves, they snooped around the Drift and Salesloft environments between March and June. "The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment," the September 6 update said.

And then they accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. They used these stolen OAuth tokens to break into several companies' Salesforce instances - Cloudflare says "hundreds" were compromised - and steal customer data.

While we don't have a complete list, many companies have since confirmed that they were affected by the Drift hack, including Google, Zscaler, Cloudflare, Palo Alto Networks, BeyondTrust, Bugcrowd, Cato Networks, CyberArk, Elastic, JFrog, Nutanix, PagerDuty, Rubrik, SpyCloud, and Tanium.

As part of its response, Salesloft took the Drift application offline, rotated compromised Drift and Salesloft credentials, and isolated the Drift infrastructure and code. Mandiant has validated these activities, and also verified the technical segmentation between Salesloft and Drift applications and infrastructure.

"Based on the Mandiant investigation, the findings support the incident has been contained," the companies said.
Daily Brief Summary
Attackers gained access to Salesloft's GitHub account in March, the initial foothold in a breach that went on to compromise hundreds of companies, including Google and Palo Alto Networks.
Between March and June the intruders downloaded content from multiple repositories, added a guest user, and established workflows in the GitHub account, the first step toward the later exposure of customer data.
Mandiant's investigation revealed attackers accessed Drift's AWS environment, obtaining OAuth tokens used to infiltrate Salesforce instances.
Companies affected by the breach include Google, Cloudflare, Zscaler, and others, with customer data being stolen through compromised integrations.
Salesloft's response included taking Drift offline, credential rotations, and infrastructure isolation, with Mandiant confirming the containment of the incident.
The breach has raised concerns about the security of third-party integrations and the need for robust access controls and monitoring.
Ongoing investigations aim to identify the attackers, with potential links to threat groups UNC6395 and ShinyHunters being explored.