
Major Data Theft Campaign Targeting Salesloft Customers via Salesforce OAuth Tokens
A cybercriminal group tracked as UNC6395 obtained OAuth tokens issued to the Salesloft Drift integration and used them to gain unauthorized access to customers' Salesforce instances. The intrusion resulted in the exfiltration of sensitive data stored in those instances, including AWS keys, passwords, and Snowflake access tokens. Salesloft, a sales engagement platform, integrates with Salesforce, a widely used CRM, and has over 5,000 customers, including major companies such as Citrix, Shopify, 3M, IBM, and Stripe. The primary risk is to companies using Salesloft, which should review their Salesforce instances for any unusual activity associated with the Drift connected app.

The compromise of OAuth tokens is particularly concerning because a stolen token is presented as an already-authorized credential: the attacker never goes through the interactive login, so the authentication controls applied at login are not re-challenged. This incident underscores the importance of securing third-party integrations and implementing robust security measures such as multi-factor authentication (MFA) and regular token rotation. Organizations should conduct regular security audits, enforce strict access controls, and monitor for unusual activity to mitigate the risk of such attacks. The broader impact on the cybersecurity landscape highlights the need for continuous monitoring and anomaly detection in cloud environments to prevent and respond to such breaches effectively.
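Because the data taken was credential material that customers had stored inside Salesforce records, one concrete follow-up for an affected organization is to find out which of its own records hold such material so the corresponding secrets can be rotated. The script below is an added example, not Salesloft's or Salesforce's code: it scans an exported set of records for AWS access key IDs (whose documented AKIA/ASIA prefix and length make them easy to match) and for heuristic "label = value" fragments naming secret keys, passwords, or Snowflake tokens, and reports redacted findings grouped by kind. The record shape, the object/field list in `TEXT_FIELDS`, and every sample value are constructed for the example.

```python
"""
Scan exported Salesforce records for credential material of the kinds named
in the advisory (AWS keys, passwords, Snowflake tokens). Added example, not
Salesloft's or Salesforce's code; the record shape and sample data are
constructed here.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Detection patterns. The AWS access key ID format (AKIA/ASIA + 16 chars) is
# documented; the other three are heuristics for "label = value" fragments
# that people paste into CRM notes (assumption).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*([A-Za-z0-9/+]{40})\b"
    ),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S{6,})"),
    "snowflake_token": re.compile(r"(?i)snowflake[_-]?(?:token|pat|auth)\s*[=:]\s*(\S{16,})"),
}

# Free-text fields per object that an integration with broad read scope can
# pull in bulk (constructed list; adjust to the org's own schema).
TEXT_FIELDS = {
    "Case": ("Subject", "Description"),
    "CaseComment": ("CommentBody",),
    "Opportunity": ("Description", "NextStep"),
    "Account": ("Description",),
}

@dataclass(frozen=True)
class Finding:
    record_id: str
    sobject: str
    field: str
    kind: str
    preview: str   # redacted, never the full secret

def redact(secret: str) -> str:
    """Keep enough to locate the value in the record, never enough to reuse it."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"

def scan_text(text: str):
    """Yield (kind, matched_secret) for every pattern hit in one field value."""
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text or ""):
            yield kind, (m.group(1) if m.groups() else m.group(0))

def scan_records(records: Iterable[dict]) -> list[Finding]:
    """Walk exported records and return one Finding per secret-like hit."""
    findings = []
    for rec in records:
        sobject = rec.get("attributes", {}).get("type", "")
        for field in TEXT_FIELDS.get(sobject, ()):
            for kind, secret in scan_text(rec.get(field)):
                findings.append(Finding(rec["Id"], sobject, field, kind, redact(secret)))
    return findings

def summarize(findings: list[Finding]) -> dict:
    """Count findings per secret kind: the rotation worklist after an exposure."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

# Constructed sample export (shape loosely mimics a Salesforce REST query result).
SAMPLE_RECORDS = [
    {"attributes": {"type": "Case"}, "Id": "500000000000001",
     "Subject": "S3 upload failing",
     "Description": "Customer sent creds: AKIAEXAMPLEKEY000001 / "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"attributes": {"type": "CaseComment"}, "Id": "00a000000000001",
     "CommentBody": "temp login for the POC: user=svc_demo password=Winter2025!"},
    {"attributes": {"type": "Opportunity"}, "Id": "006000000000001",
     "Description": "Shared snowflake_token=eyJraWQiOiJ0ZXN0In0.constructed for the trial",
     "NextStep": "Schedule demo"},
    {"attributes": {"type": "Account"}, "Id": "001000000000001",
     "Description": "Renewal due Q3, no integration notes."},
]

if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for f in hits:
        print(f"{f.sobject}:{f.record_id} {f.field} -> {f.kind} ({f.preview})")
    print(summarize(hits))
```

The output is deliberately redacted, since the report itself would otherwise become another copy of the secrets. On a real export the per-kind summary tells the responders which credential types need rotation first, and the record IDs tell the data owners where to remove the material from the CRM afterwards.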