Salesforce has informed customers that it will not pay ransom to hackers threatening to publish stolen customer data. The hack is believed to be linked to a security incident at third-party provider SalesLoft, specifically its Drift app, which is integrated with Salesforce for automated customer communications.
According to an internal memo seen by Bloomberg, Salesforce has reliable indications that the hacker group ShinyHunters intends to share stolen information on online forums. The company emphasizes that it will not negotiate or comply with any form of extortion. Salesforce says it is in contact with affected customers and is offering them support.
The data theft took place earlier this year via SalesLoft’s Drift app, not through vulnerabilities in Salesforce itself. The stolen information consists mainly of customer contact details and basic information about IT support. In some cases, the loot also included access tokens and details about customers’ IT configurations.
The cause of the series of data breaches appears to be an error at SalesLoft. From March to June, attackers had access to the company’s GitHub account. Using that access, they stole tokens that linked the Drift app to Salesforce environments. From that starting point, the attackers were able to penetrate Drift’s AWS environment and obtain OAuth tokens from customer companies.
Hundreds of organizations affected
Those tokens provided access to data at hundreds of organizations, including Cloudflare, Zscaler, Palo Alto Networks, CyberArk, Rubrik, Nutanix, Ericsson, and JFrog. The impact varied from company to company: for some, it involved CRM fields; for others, support cases or limited integration data.
Researchers from the Google Threat Intelligence Group warned in August about a large-scale campaign targeting Salesforce customers via the Drift app, in which attackers sought login details, passwords, and tokens for database access.
In mid-August, SalesLoft called on users to renew their access tokens to prevent further breaches. The company has not yet publicly responded to the incident.
A Salesforce spokesperson stated that integrations with SalesLoft technology have been reactivated, except for the Drift app, which remains disabled for the time being. The number of customers affected by the data breach is unknown.