Boomi, IBM, Okta, OpenText, Proofpoint, Pure Storage, Wrike… All of these are IT companies that are or have been customers of Salesloft Drift.
We mentioned them a few days ago, following the discovery of a vulnerability affecting this sales engagement solution. The flaw enabled the theft of API authentication tokens, which in turn allowed third-party applications to be compromised. Salesforce emerges as the main target*. But it seems other integrations were affected as well. Google confirmed this for its suite of office tools: a “small number of email accounts” were targeted as part of the Drift Email integration.
None of the aforementioned companies, to our knowledge, has publicly commented on this matter. Nonetheless, many others in the IT sector have spoken out.
Nutanix and Zscaler acknowledge access to support tickets
Zscaler (cloud security) acknowledges unauthorized access to names, phone numbers, job titles, location data, and “business and license data.” The unauthorized party also gained access to the “plaintext” content of some support tickets (no attachments, files, or images).
The company says it has rotated all other API tokens “as a precaution.” It has also strengthened its customer authentication protocol for phone calls.
JFrog (software supply chain management) keeps its message concise in public statements: third parties accessed “some data” from its Salesforce instance.
Rubrik offers little detail beyond “exposure of certain information.” It has committed to sending individual notifications if any sensitive data are involved.
PagerDuty (incident management) speaks of partial exposure of names, phone numbers and email addresses.
SpyCloud (identity protection) laments exposure of “standard CRM fields,” but does not believe there was any access to customer data.
Tanium (endpoint management) cites names, phone numbers, email addresses and location data. It adds that it is employing an SSPM (SaaS security posture management) technology to strengthen control over integrations.
Contentsquare (digital experience analytics) notes that its subsidiary Heap — product analytics; acquired in 2023 — was affected. The outcome: access to a “sub-set of Salesforce records.”
Nutanix did not issue a public statement but sent an alert to its customers. “Some Salesforce data tied to your account” were exported by third parties, the company explains. “Limited to [its] customer support services,” they include “contact information” and “ticket-related information, such as notes and the products used by our clients.”
Fivetran (data integration), a Drift user, also issued a statement… announcing that it did not detect any access to its Salesforce instance. It did revoke its token.
* Instances were targeted during a campaign lasting at least from August 8 to August 18. The primary objective appears to have been to steal credentials, notably AWS access keys and Snowflake tokens. Google estimates that more than 700 organizations were affected.