Salesloft said a breach of its GitHub account in March allowed hackers to steal authentication tokens that were later used in a mass-hack targeting several of its big tech customers.
Citing an investigation by Google’s incident response unit Mandiant, Salesloft said on its data breach page that the as-yet-unnamed hackers accessed Salesloft’s GitHub account and performed reconnaissance activities from March until June, which allowed them to download “content from multiple repositories, add a guest user and establish workflows.”
The timeline raises fresh questions about the company’s security posture, including why it took Salesloft some six months to detect the intrusion.
Salesloft said that the incident is now “contained.”
Do you have more information about these data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
After the hackers broke into its GitHub account, the company said the hackers accessed the Amazon Web Services cloud environment of Salesloft’s AI and chatbot-powered marketing platform Drift, which allowed them to steal OAuth tokens for Drift’s customers. OAuth is a standard that allows users to authorize one app or service to connect to another. By relying on OAuth, Drift can integrate with platforms like Salesforce and others to interact with website visitors.
In stealing these tokens, the threat actors breached several Salesloft’s customers, such as Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among others, many of which are likely still unknown.
Google’s Threat Intelligence Group revealed the supply chain breach late in August, attributing it to a hacking group it calls UNC6395.
Cybersecurity publications DataBreaches.net and Bleeping Computer previously reported that the hackers behind the breach are the prolific hacking group known as ShinyHunters. The hackers are believed to be trying to extort victims by contacting them privately.
By accessing Salesloft tokens, the hackers then access Salesforce instances, where they stole sensitive data contained in support tickets. “The actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” Salesloft said on August 26.
Salesloft said on Sunday that its integration with Salesforce is now restored.
