Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed unauthorized access to data within their Salesforce instances following the recent Salesforce–Salesloft Drift attack.
The campaign, disclosed on August 26 by Google’s threat intelligence team, involved threat actor UNC6395 exploiting compromised OAuth tokens for the Salesloft Drift AI chatbot.
Attackers leveraged the Salesforce–Salesloft Drift integration to exfiltrate sensitive information, including AWS keys, passwords, and Snowflake-related access tokens from hundreds of organizations.
Companies such as Google, Cloudflare, Palo Alto Networks, and Zscaler have already confirmed the impact of the attack. In total, over 700 organizations are estimated to have been compromised.
Also read: Cloudflare Confirms Data Breach in Salesloft Drift Attack
What Proofpoint is saying?
Proofpoint reported that attackers accessed its Salesforce tenant but found no evidence of impact on its products, customer-protected data, or internal networks.
“At this time, there is no evidence that this supply chain incident affected Proofpoint’s software, services, security products, customer-protected data, or internal corporate network,” Proofpoint stated.
“Current findings confirm that an unauthorized actor accessed Proofpoint’s Salesforce tenant through the compromised Drift integration and viewed certain information stored in our Salesforce instance.”
“If further analysis determines that sensitive data was accessed or misused, Proofpoint will notify any affected individuals or organizations consistent with our contractual obligations and applicable regulatory requirements.”
What is SpyCloud saying?
SpyCloud stated that standard CRM fields were exposed, while consumer data remained unaffected.
“We are currently assessing the scope of impact as it relates to our Salesforce instance. At this time, the elements we believe were accessed are standard customer relationship management fields in Salesforce. Consumer data is not believed to have been accessed.”
“We notified our customers last week that data relating to their relationship with SpyCloud was exposed through this Salesloft Drift incident.”
What is Tanium saying?
Tanium disclosed that names, email addresses, phone numbers, and regional details were accessed via the compromised integration, but confirmed no breach of its platform or internal systems.
“Based on our investigation, the information that may have been compromised in our Salesforce instance was primarily limited to the following commonly available business contact information such as names, business email addresses, phone numbers and regional/location references.”
“Additionally, we can confirm definitively that unauthorized access was limited to our Salesforce data and no access to the Tanium platform or any other internal systems or resources took place.”
What is Tenable saying?
“Our ongoing investigation found evidence that an unauthorized user had access to a portion of some of our customers’ information stored in our Salesforce instance, including subject lines and initial descriptions provided by our customers when opening a Tenable support case, and commonly available business contact information (such as names, business email addresses, phone numbers, and regional/location references)” Tenable said.
“At this time we have no evidence that any of this information has been misused. “
About Author
