Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts.
In response, Google has revoked the tokens that were used in the breaches and disabled integration between the Salesloft Drift agent and all Workspace accounts as it investigates further. The company has also notified all affected account holders of the compromise.
Scope expanded
The discovery, reported Thursday in an advisory update, indicates that a Salesloft Drift breach Google first reported on Tuesday is broader than previously known. Prior to the update, members of the Google Threat Intelligence Group said the compromised tokens were limited to Salesloft Drift integrations with Salesforce. The compromise of the Workspace accounts prompted Google to change that assessment.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” Thursday’s update stated. “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
On Thursday, Salesloft’s security guidance page made no reference to the new information and instead continued to indicate that the breach affected only Drift integrations with Salesforce. Company representatives didn’t immediately respond to an email seeking confirmation of the Google finding.
Salesloft Drift is an AI-powered chat agent that allows websites to provide real-time, human-like interactions with potential customers. Salesloft acquired the Drift platform 18 months ago. To streamline the sales process, Drift can integrate with a variety of other services, including Salesforce (no relation to Salesloft) and other customer relationship management platforms, Slack, Google Workspace, and others.
Google on Tuesday said that an attack group it tracks as UNC6395 had engaged in a mass data-theft campaign that used compromised Drift OAuth tokens to gain access to Salesforce instances. Once inside, the attackers accessed sensitive data stored in the Salesforce accounts and searched them for credentials that could be used to access accounts on services such as AWS and Snowflake. The theft spree began no later than August 8 and lasted through at least August 18. In response to the discovery, Salesforce disabled Drift integrations with its main cloud service as well as its Slack and Pardot platforms.
Google’s Thursday update means that the incident likely hasn’t been fully contained.
“We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access,” the update stated. It went on to say that Salesloft has now retained the Google-owned Mandiant incident response service to investigate the breach.
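One way to carry out the "investigate all connected systems" step is to find out what the stolen CRM data may have exposed. The following Python example, added here and not code from Google, Salesloft or the article, scans exported CRM text fields for the credential shapes the attackers are reported to have hunted for (AWS access key IDs, Snowflake connection URIs and inline password assignments) so an organization knows which records hold secrets that need rotating; the record layout, field names and sample values are constructed.

```python
import re
from dataclasses import dataclass

# Credential shapes worth hunting in exported CRM records. The AWS access key
# ID format (AKIA/ASIA + 16 upper-case alphanumerics) and the SQLAlchemy-style
# snowflake:// URI are real formats; the generic pattern is a heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "snowflake_connection_uri": re.compile(r"snowflake://[^\s/:@]+:[^\s@]+@[^\s/]+", re.I),
    "generic_secret_assignment": re.compile(
        r"\b(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*\S{8,}", re.I),
}

@dataclass(frozen=True)
class Finding:
    record_id: str   # CRM record the secret was found in
    field: str       # which text field held it
    kind: str        # which pattern matched
    redacted: str    # enough of the value to identify it, never the whole secret

def redact(value: str) -> str:
    """Keep the first four and last two characters so the owner can recognise it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_records(records: list[dict]) -> list[Finding]:
    """Run every pattern over every string field of every record."""
    findings = []
    for rec in records:
        rid = str(rec.get("Id", "?"))
        for field, value in rec.items():
            if field == "Id" or not isinstance(value, str):
                continue
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(value):
                    findings.append(Finding(rid, field, kind, redact(m.group(0))))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential kind, which maps directly to rotation work."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

# Constructed sample export: support cases whose free text contains secrets.
SAMPLE_RECORDS = [
    {"Id": "500A1", "Subject": "Sync job failing",
     "Description": "Our loader uses key AKIAABCDEFGHIJKLMNOP, please advise."},
    {"Id": "500A2", "Subject": "Warehouse access",
     "Description": "Conn string: snowflake://svc_load:Tr0ub4dor@xy12345.us-east-1/ANALYTICS"},
    {"Id": "500A3", "Subject": "Login help",
     "Description": "Temporary password=Wint3r2025!! set for the shared account"},
    {"Id": "500A4", "Subject": "Pricing question",
     "Description": "Can you send the enterprise price list?"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.field} {f.kind}: {f.redacted}")
    print(summarize(scan_records(SAMPLE_RECORDS)))
```

Each finding names the record and field, so the output doubles as a rotation worklist and as a list of records whose owners should be told what was exposed.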