
Salesforce Customers Affected by Data Breach via Third-Party App
An unidentified threat actor has used OAuth tokens compromised through a third-party app to carry out extensive data breaches of Salesforce CRM platform instances. The implicated third-party app is Salesloft Drift, an AI-driven revenue orchestration platform.
Salesloft has confirmed the data breach, which began on August 8, and has notified all affected customers. Details on how the threat actor, identified as UNC 6395, acquired OAuth tokens from Salesloft to extract data from Salesforce instances were not disclosed.
Salesloft has engaged a digital forensics and incident response team to investigate the incident and is collaborating with Salesforce to provide customers with detailed information on the attacker's actions. Google's Threat Intelligence Group (GTIG) and Mandiant security team reported that the threat actor systematically exported large volumes of data from numerous corporate Salesforce instances.
GTIG and Mandiant did not specify the amount of data exfiltrated or the affected customers. The threat actor's queries focused on obtaining record counts from Salesforce objects, followed by user data such as email addresses, login dates, and contact information.
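Detection logic for the query pattern described above (record counts across several objects, followed shortly by bulk pulls of user and contact data through one connected app), as an added example that is not part of the original article. The record layout, field names, app names, user names and thresholds are constructed assumptions for the example; a real Salesforce event log export would have to be mapped onto them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled loosely on an API-event export.
# Field names (ts, app, user, query, rows) are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:00:05Z", "app": "ReconApp", "user": "integration@example.com",
     "query": "SELECT COUNT() FROM Account", "rows": 1},
    {"ts": "2025-08-09T02:00:09Z", "app": "ReconApp", "user": "integration@example.com",
     "query": "SELECT COUNT() FROM Contact", "rows": 1},
    {"ts": "2025-08-09T02:00:12Z", "app": "ReconApp", "user": "integration@example.com",
     "query": "SELECT COUNT() FROM User", "rows": 1},
    {"ts": "2025-08-09T02:03:40Z", "app": "ReconApp", "user": "integration@example.com",
     "query": "SELECT Id, Email, LastLoginDate FROM User", "rows": 18250},
    {"ts": "2025-08-09T02:05:02Z", "app": "ReconApp", "user": "integration@example.com",
     "query": "SELECT Id, Email, Phone FROM Contact", "rows": 412000},
    {"ts": "2025-08-09T02:10:00Z", "app": "SyncApp", "user": "sync@example.com",
     "query": "SELECT Id, Name FROM Account WHERE LastModifiedDate = TODAY", "rows": 37},
]

COUNT_RE = re.compile(r"SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
EXPORT_RE = re.compile(r"SELECT\s+.+?\s+FROM\s+(\w+)", re.I | re.S)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_enumeration_then_export(events, min_counted_objects=3, min_rows=10_000,
                                 window=timedelta(minutes=30)):
    """Alert on each bulk query issued by an (app, user) that first counted
    several objects within the window: the enumerate-then-export pattern."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[(e["app"], e["user"])].append(e)
    alerts = []
    for (app, user), evs in by_principal.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        counted = {}  # object name -> time it was first counted
        for e in evs:
            m = COUNT_RE.match(e["query"])
            if m:
                counted.setdefault(m.group(1).lower(), parse_ts(e["ts"]))
                continue
            m = EXPORT_RE.match(e["query"])
            if (m and e["rows"] >= min_rows and len(counted) >= min_counted_objects
                    and parse_ts(e["ts"]) - min(counted.values()) <= window):
                alerts.append({"app": app, "user": user, "object": m.group(1),
                               "rows": e["rows"], "counted_objects": sorted(counted)})
    return alerts
```

Tuning the thresholds against the org's normal integration traffic matters: a legitimate sync app that counts objects and pulls deltas can trip the same rule if `min_rows` is set too low.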
All active Salesloft access tokens have been revoked and refreshed for the Drift application, requiring administrators to reauthenticate with Salesforce. Salesforce has removed Salesloft Drift from its AppExchange pending investigation.