Salesloft Drift interface

Salesforce breach: More cybersecurity providers report compromise


Following the large-scale attack on Salesforce customers via the Salesloft Drift interface, Proofpoint, SpyCloud, Tanium and Tenable have now also confirmed data losses. The attack is said to have affected more than 700 companies in total.

At the end of August, it became known that cybercriminals from the UNC6395 group misused OAuth tokens from the chatbot platform Salesloft Drift to gain large-scale access to Salesforce data. Google’s threat analysis team documented how the perpetrators targeted valuable information such as cloud access, passwords and database tokens.


Damage reports on the rise

The incident, which originally appeared to be limited to Drift users, quickly spread. Google also confirmed Workspace compromises two days later, followed by reports of damage at Cloudflare, Palo Alto Networks and Zscaler.

The latest admissions come from four established security providers:

Proofpoint admitted that attackers were able to access Salesforce databases via the Drift Connector. At the same time, the company gave assurances that product systems, customer data and internal infrastructure remained unaffected.


SpyCloud reported that standard CRM fields had been compromised, while end-user data had been spared as things stand. Affected business partners have already been informed.

Tanium lost names, email addresses, phone numbers and location details to the intruders. The company emphasized that only Salesforce content was affected – its own platform remained untouched.

Tenable reported the leak of support ticket data, including subject lines, problem descriptions and business contacts. There were no indications of data misuse.

All those affected initiated emergency measures: credential changes, application removal and stricter system monitoring were part of the standard repertoire of damage limitation.
