The Salesloft hackers claim they have 1.5 billion compromised Salesforce records
Dozens of big tech companies have been impacted by the Salesloft Drift attacks


Threat actors behind a spate of attacks on Salesloft Drift claim to have stolen over 1.5 billion records, according to reports.
Attacks on the third-party application have impacted dozens of organizations globally, with hackers using a combination of social engineering techniques and malicious OAuth tokens to gain access to Salesforce instances and the data they hold.
Responsibility for the attacks has been claimed by threat actors from the ShinyHunters, Lapsus$, and Scattered Spider groups, now referring to themselves as Scattered Lapsus$ Hunters.
A host of major tech firms, including Google, Palo Alto Networks, Zscaler, and Cloudflare, have all confirmed incidents linked to the hacking campaign in recent weeks.
According to reports from BleepingComputer, the hackers behind these attacks say they’ve hit upwards of 750 companies so far, stealing billions of records.
Jamie Akhtar, CEO and Co-founder of CyberSmart, said the recent claims are a “stark reminder that attacks aren’t just about zero days and flashy malware”.
“The exploit of trust and integrations can be equally devastating,” he said. “By leveraging third-party apps (in this case, Drift) and abused OAuth tokens, attackers have sidestepped many traditional perimeter defences to siphon off data from “trusted” CRM platforms.”
How hackers hit Salesloft
As ITPro previously reported, hackers gained access to Salesloft’s GitHub repository months before waging the campaign. The repository contained critical source code belonging to the company, which enabled them to source OAuth tokens used to conduct attacks.
Hackers belonging to the ShinyHunters group told BleepingComputer they used the TruffleHog security tool to scan compromised source code as part of this process, which revealed tokens for the Salesloft Drift and Drift Email platforms.
Thereafter, the group was able to steal the aforementioned records, taking information from a series of object tables where customer information was stored.
One particular object table, the ‘Case’ table, hosted information and text pertaining to customer support tickets.
BleepingComputer said the group shared a text file listing these source code folders in the breached Salesloft GitHub repository.
Previous analysis of the threat campaign by Google’s Threat Intelligence Group (GTIG), published in late August, aligns with the claims made by ShinyHunters in this regard.
“The threat actor executed queries to retrieve information associated with Salesforce objects such as Cases, Accounts, Users, and Opportunities,” the tech giant said in a blog post.
“For example, the threat actor ran the following sequence of queries to get a unique count from each of the associated Salesforce objects.”
Protecting yourself from Salesforce attacks
The Salesloft attacks have been among the worst recorded in recent years, with a steady stream of businesses being added to the victim list in recent weeks.
On 12 September, the FBI released a FLASH advisory urging organizations to shore up defences and remain vigilant amidst continued targeting by hackers.
The advisory detailed best practices and tips for organisations potentially at risk, including a comprehensive list of IP addresses linked to those behind the attacks.
Hackers involved in the campaign have been taking action to avoid scrutiny from law enforcement, however.
Last week, the Scattered Lapsus$ Hunters announced that it plans to shut down in a series of messages posted on its Telegram channel. The veracity of these claims has been questioned by cybersecurity experts, however.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.