Ultimately, the Salesloft flaw is not limited to Salesforce. It also affected Google Workspace.
The issue lies in the API of the Salesloft Drift* chatbot. Third parties were able to obtain authentication tokens, thereby compromising connections with third-party applications.
At present, Salesforce appears to be the primary target. Instances were targeted during a campaign that lasted at least from August 8 to August 18. Mandiant attributes it to a new activity cluster, which it names UNC6395. Its primary objective seems to have been to steal credentials, notably AWS access keys and Snowflake tokens.
Other potentially compromised integrations
On August 20, Salesloft issued a warning. It stated that the issue affected only customers who had activated the Salesforce integration.
Google does not say the same: its office suite was also affected. A “small number of email accounts” were targeted, again via OAuth tokens, through the Drift Email integration.
Under these circumstances, Google adds, any secret stored in or connected to Drift should be considered potentially compromised and, preferably, revoked. It is also an opportunity, it adds, to harden access control (IP address restrictions, applying the principle of least privilege) and to reset user passwords.
Salesforce had initially removed Drift from its AppExchange until further notice. It ultimately banned connections with all Salesloft applications.
A figure in circulation puts the number of affected organizations at 700.
* Salesloft had acquired Drift in early 2024. The vendor, which offers business-management solutions, counts several IT industry clients among its references, including Boomi, IBM, Okta, OpenText, Proofpoint, Pure Storage, and Wrike.