Salesloft AI Agent Hit by Widespread Data Theft, Google Cautions of Rising Threats
Google Cautions that Widespread Data Theft Affecting the Salesloft AI Agent has Increased
According to Google, assume that all Salesloft credentials have been compromised following the Workspace hack.
After it was discovered that some of the credentials were exploited by unidentified attackers to access email from Google Workspace accounts, Google is warning users of the Salesloft Drift AI chat agent to consider all security tokens associated with the platform compromised.
As part of its investigation, Google has blocked connectivity between the Salesloft Drift agent and all Workspace accounts and invalidated the tokens used in the breaches. All impacted account holders have also been informed of the compromise by the company.
Scope Expanded
The finding, which was revealed in an advisory update on Thursday, suggests that a Salesloft Drift breach that was disclosed on Tuesday is more extensive than was previously thought. The compromised tokens were restricted to Salesforce integrations with Salesloft Drift, according to Google Threat Intelligence Group members, prior to the update. Google changed that assessment once the Workspace accounts were compromised.
According to the update released on Thursday, “the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” according to fresh information discovered by GTIG. “All Salesloft Drift users are now advised to consider any authentication tokens linked to or stored within the Drift platform as possibly compromised.”
The new information was not mentioned on Salesloft’s security advisory website on Thursday, which maintained that the incident only impacted Drift interfaces with Salesforce. An email requesting confirmation of the Google discovery was not immediately answered by company staff.
Salesloft An AI-powered chatbot called Drift enables websites to engage with prospective clients in real time in a manner similar to that of a human. The Drift platform was purchased by Salesloft eighteen months ago. Drift may link with a number of other services, such as Slack, Google Workspace, Salesforce (which is unrelated to Salesloft), and other CRM platforms, in order to expedite the sales process.
Google announced on Tuesday that a gang of attackers it monitors, known as UNC6395, had launched a widespread data theft campaign that gained access to Salesforce instances by using hacked Drift OAuth credentials. After gaining access, the attackers looked through the Salesforce accounts for credentials that would allow them to access accounts on services like AWS and Snowflake. The theft spree started on August 8 at the latest and continued until at least August 18. Salesforce suspended Drift interfaces with its primary cloud service, Slack, and Pardot platforms in response to the finding.
According to Google’s report on Thursday, the situation has probably not been completely isolated.
According to the update, “We advise organizations to act immediately to examine all third-party integrations linked to their Drift instance, remove and switch out login credentials for those programs, and look into all linked systems for indications of unauthorized access.” It continued by saying that Salesloft has now hired Mandiant, an incident response firm owned by Google, to look into the breach.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
Read More:
Linux UDisks Daemon Vulnerability allows Attackers Access to Privileged User Files
About Author
English