Salesloft: Hacker broke into systems in March through GitHub account
AI company Salesloft said hackers breached its systems in March through a GitHub account, paving the way for a massive data breach impacting dozens of large organizations.
The company published the preliminary findings from an investigation conducted by incident responders at cybersecurity firm Mandiant, writing that a threat actor accessed a Salesloft GitHub account from March to June.
“With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows,” the company explained in a new notice to customers on Saturday.
The hacker spent months performing reconnaissance on both Salesloft's application environments and those of Drift, an AI chatbot company that Salesloft acquired last year. The Drift tool is typically integrated with other systems to track engagements with customers, and it connects to customer data held in Salesforce, the cloud giant's customer relationship management platform.
Mandiant found that the threat actor was able to access Drift's AWS environment and stole the OAuth tokens that customers had issued for Drift's integrations with other platforms. Those tokens allowed the attacker to read customer data from the integrated systems.
In response to the data theft campaign, Salesloft isolated Drift's infrastructure, took it offline and rotated the stolen credentials, among other steps.
“Based on the Mandiant investigation, the findings support the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review,” Salesloft said.
On Sunday, Salesloft said it had restored the integration between its platform and Salesforce, which had initially severed the connection after the incident came to light last week.
Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told Recorded Future News that they are aware of at least 700 organizations affected by the theft of the Salesloft Drift OAuth tokens used for Salesforce.
“However, we’re telling organizations to treat any Drift integration into any platform as potentially compromised, so that increases the scope of potential victims,” Larsen added.
Victims emerge
Executives at companies including Cloudflare, Zscaler and Palo Alto Networks published blog posts last week outlining the impact of the incident.
In the last six days, companies like Nutanix, Elastic, Cato Networks, Tenable, Rubrik and Proofpoint have also confirmed being impacted by the data thefts.
Canadian online investment management service Wealthsimple said on Friday that customers’ government IDs, account numbers, Social Insurance numbers, dates of birth and contact details were accessed but no funds were stolen and the incident was contained within hours.
Most companies used Salesloft Drift to store and manage customer support information and the hackers largely stole information related to support tickets.
Several of the companies said any information a customer may have shared — like logs, tokens or passwords — should be considered compromised.
Others said much of the stolen data involved customer business contact details and specific Salesforce related content, including names, business email addresses, phone numbers and location details.
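The advice above, that anything a customer pasted into a support ticket (logs, tokens, passwords) should be treated as compromised, implies a concrete first step for affected customers: find out which of your own tickets contained credentials so you know what to rotate. The following is an added example, not code from the article or from Salesloft, Drift or any of the companies named. It scans a constructed export of support-ticket text with regexes for common credential shapes (the AWS access key ID format is fixed; the other patterns, the ticket field names and the sample tickets are assumptions of this example) and returns redacted findings plus the list of tickets whose secrets need rotation.

```python
import re
from dataclasses import dataclass

# Credential shapes that commonly end up pasted into support tickets.
# Only the AWS access key ID format is authoritative; the rest are heuristics
# chosen for this example, not anything published by Salesloft or Mandiant.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(
        r"\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)", re.IGNORECASE),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})", re.IGNORECASE),
    "snowflake_account": re.compile(
        r"\b[a-z0-9\-]+\.snowflakecomputing\.com\b", re.IGNORECASE),
    # Salesforce session IDs look like <15/18-char org id starting 00D>!<token>.
    "salesforce_session_id": re.compile(
        r"\b00D[A-Za-z0-9]{12,15}![A-Za-z0-9._]{20,}\b"),
}


@dataclass
class Finding:
    ticket_id: str
    kind: str
    redacted: str  # enough of the secret to identify it, never the whole value


def redact(secret: str) -> str:
    """Keep a short prefix so the owner can recognise the credential."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def scan_ticket(ticket_id: str, body: str) -> list[Finding]:
    """Run every pattern over one ticket body and collect redacted hits."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            # Patterns with a capture group isolate the secret itself;
            # for the others the whole match is the indicator.
            secret = match.group(match.lastindex) if match.lastindex else match.group(0)
            findings.append(Finding(ticket_id, kind, redact(secret)))
    return findings


def scan_tickets(tickets: list[dict]) -> list[Finding]:
    """Scan an export of tickets shaped as {"id": ..., "body": ...} (assumed schema)."""
    findings = []
    for ticket in tickets:
        findings.extend(scan_ticket(ticket["id"], ticket["body"]))
    return findings


def tickets_needing_rotation(findings: list[Finding]) -> list[str]:
    """Distinct ticket IDs that exposed at least one credential-like string."""
    return sorted({f.ticket_id for f in findings})


# Constructed sample export; the AWS key is Amazon's documented example key,
# the rest are made up for this example.
TICKETS = [
    {"id": "CS-1001", "body": "Our sync to S3 fails. Creds: AKIAIOSFODNN7EXAMPLE / "
                              "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CS-1002", "body": "Attached debug log:\nAuthorization: Bearer "
                              "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0."
                              "abcdefghijklmnopqrstuvwxyz0123456789"},
    {"id": "CS-1003", "body": "Reset done, password: Hunter2-2024! and the "
                              "warehouse is acme-prod.snowflakecomputing.com"},
    {"id": "CS-1004", "body": "Thanks for the quick turnaround on the dashboard question."},
]

if __name__ == "__main__":
    for f in scan_tickets(TICKETS):
        print(f"{f.ticket_id}: {f.kind} -> {f.redacted}")
    print("rotate credentials referenced in:", tickets_needing_rotation(TICKETS and scan_tickets(TICKETS)))
```

The scanner deliberately reports only a redacted prefix, so its own output does not become a second copy of the secrets; the point is to drive rotation, not to collect credentials. Because the attacker had the full ticket text, anything flagged here should be rotated regardless of whether it still looked valid at the time of the scan.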
Rom Carmel, CEO of cloud security firm Apono, said the Salesloft breaches need to serve as a wake-up call to shift from just securing human users to also protecting non-human identities like API tokens and service accounts.
“This incident highlights a significant systemic blind spot in how organizations manage ‘Non-Human Identities’ like API tokens, which are used for communication between platforms,” he said.
“As the business world becomes more interconnected, organizations must recognize that their security posture is only as strong as that of their vendors and customers.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.