Salesforce environments are under attack. The culprit appears to be an exploited integration with Drift, and may not be limited to Salesforce.
Google’s security team is warning of ‘massive theft’ from Salesforce environments. Attacks have reportedly been ongoing since August 8. According to Google, the attackers know exactly what they’re looking for: they’re after sensitive information such as cloud keys, passwords, and login tokens.
Compromised Integrations
Google points to an integration with Drift, a platform for real-time interaction with customers and website visitors. Through this integration, hackers gained access to numerous Salesforce accounts. The group misused authentication tokens to export large amounts of company data.
The attacks primarily target Salesforce environments, but Google doesn’t rule out exploitation of integrations between Drift and other applications. Attackers have reportedly also attempted to infiltrate Google Workspace accounts. Google advises companies using Drift to review connections with other applications. Both Google and Salesforce have disabled the integration with their platforms as a precaution.
The researchers further recommend renewing related API keys, passwords, and tokens. Organizations would also do well to check their logs for suspicious activities, such as unusual queries and login attempts from Tor networks. The blog post contains a list of suspicious IP addresses that may indicate compromise.
Data Breach at Google
Google itself could not prevent an earlier data breach via Salesforce, and several other large companies were also affected by data breaches this month. In those cases, attackers used social engineering to gain access to the customer environment. There appears to be no direct link to the current campaign, which is attributed to different perpetrators.
Salesforce has enlisted Google subsidiary Mandiant for more extensive investigation and is communicating through its own channels. Both companies emphasize that none of their core systems have been affected.
