Salesloft, an Atlanta-based sales software company, was hit by a hack of its artificial intelligence chat platform that has snowballed into a widespread data theft campaign.

Experts estimate at least 700 organizations are potentially impacted.

“We are aware that there certainly were secrets that belonged to victims that were in this data,” said a Google Cloud spokesperson, who did not wish to be identified for fear of retaliation. Google has been helping Salesloft in its investigation. Salesloft did not respond to multiple requests for comment.

The target of the attack was the Salesloft Drift platform, an AI chatbot that other companies can integrate into their websites. The bot can show up as a little chat icon on the bottom right of a homepage for potential customers to ask questions or get help.

The information a customer gives that chatbot could be a sales lead, so a company would want to make sure the data is captured by the platform where it manages those types of leads, such as customer relationship management platform Salesforce.

But to allow Drift to pass information to Salesforce or another third party, a company had to give Drift a type of digital key called an “OAuth token,” which gave it access to the other platform. Those tokens are what the cyberattacker targeted.

“Once they steal those tokens, they can use those to log in to Salesforce directly, and whatever those stolen accounts had access to, they could access,” the Google Cloud spokesperson said.

“They stole, for example, Salesforce objects including case files … and downloaded them in bulk,” the Google Cloud spokesperson said in describing findings of the investigation. “And so we’re aware of hundreds of victims where data was stolen in this way.”

But that’s not all the attacker was after, according to the Google Cloud spokesperson. After downloading the data, they started looking through it and doing searches for things like passwords, virtual private networks and Amazon Web Services information.

“They’re looking for other secrets to gain more access to more sensitive systems and like corporate environments,” the spokesperson said.

Salesloft was founded in Atlanta in 2011 by Kyle Porter, with serial tech entrepreneur David Cummings serving as the startup’s chairman and adviser. Porter later brought on Tim Dorr and Rob Forman as co-founders. The company has raised more than $245 million and in early August, it announced it was merging with California-based revenue software platform Clari.

The hack went on for at least 10 days. Starting as early as Aug. 8 and through at least Aug. 18, the attacker targeted companies’ Salesforce accounts using the stolen tokens, according to the Google Threat Intelligence Group.

On Aug. 20, Salesloft put out its first notice that there had been malicious activity in the Drift application. Salesloft took Drift temporarily offline on Friday, saying in a post the company was taking this action “in order to fortify the security of the application and its associated infrastructure. This will provide the fastest path forward to building additional resiliency and security into the system and to return the Drift application to full functionality.”

In response to a request for comment, Salesforce referred to its advisory to customers and noted that “Salesforce has disabled all integrations between Salesforce and Salesloft technologies, including the Drift app; organizations will not be able to connect to Salesforce via any Salesloft apps until further notice.”

But it wasn’t just Salesforce the attacker accessed with the stolen tokens. A small number of Google Workspace users whose accounts were integrated with Salesloft Drift had their emails accessed.

Multiple companies have released statements letting customers know they were impacted by the breach, including cybersecurity firms Zscaler, Palo Alto Networks and Cloudflare.

“As third-party tools increasingly integrate with internal corporate data across the industry, we need to approach each new tool with careful scrutiny. This incident affected hundreds of organizations through a single integration point, highlighting the interconnected risks in today’s technology landscape,” Cloudflare cybersecurity leaders wrote in their post about the breach.

It’s hard to say at this point if people’s personal information has been compromised because it depends on each of the affected companies and how they used the Drift chatbot, or what they stored in Salesforce or another affected third-party platform, according to the Google Cloud spokesperson.

Some hackers have claimed responsibility for the attack, but the Google Cloud spokesperson said at this point the tech giant is taking those claims “with a big grain of salt, especially when they don’t back it up with evidence.”

“Now, that being said, our teams are investigating this actor and this activity, and our assessments over time may change,” the spokesperson said. But as of now, Google can’t say for sure what the actor’s motivations were, whether financial or espionage-related, or even the country the hacker originated from.
