Full Report
It looks like ShinyHunters and Scattered Spider have found yet another way to compromise Salesforce customers. Lawrence Abrams reports: Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce to pivot to customer environments and exfiltrate data. Salesloft’s SalesDrift is a third-party platform that connects...
Analysis Summary
# Incident Report: Salesloft OAuth Token Theft and Salesforce Data Exfiltration
## Executive Summary
The sales automation platform Salesloft was breached, leading to the theft of OAuth and refresh tokens associated with its SalesDrift integration for Salesforce. Threat actors leveraged these compromised tokens to access and exfiltrate sensitive data from Salesloft's customers via their Salesforce instances over a ten-day period. The primary goals appeared to be the theft of AWS access keys, passwords, and Snowflake tokens.
## Incident Details
- **Discovery Date:** August 26, 2025
- **Incident Date:** August 8 to August 18, 2025 (period of data theft)
- **Affected Organization:** Salesloft
- **Sector:** Sales Automation / Software (SaaS)
- **Geography:** Not explicitly disclosed (global reach implied via Salesforce customers)
## Timeline of Events
### Initial Access
- **Date/Time:** Before August 8, 2025
- **Vector:** Compromise of the Salesloft platform (specific initial vector not detailed).
- **Details:** Attackers gained access that allowed them to steal OAuth and refresh tokens linked to the SalesDrift integration for Salesforce.
### Lateral Movement
- **Vector:** Exploitation of stolen Salesloft OAuth/Refresh tokens.
- **Details:** Attackers pivoted from the compromised Salesloft environment into connected customer Salesforce instances using the valid tokens.
### Data Exfiltration/Impact
- **Date Range:** August 8 to August 18, 2025
- **Details:** Data theft occurred within customer Salesforce environments. Specific stolen data included AWS access keys, passwords, and Snowflake-related access tokens.
### Detection & Response
- **Detection:** Disclosed on August 26, 2025, following discovery by Salesloft and external sources (publicly reported by Lawrence Abrams).
- **Response actions taken:** Salesloft issued an advisory detailing the event. (Specific containment and eradication steps are not detailed in the provided text.)
## Attack Methodology
- **Initial Access:** Compromise of Salesloft systems leading to token theft.
- **Persistence:** Maintained via possessing valid OAuth/Refresh tokens.
- **Privilege Escalation:** Not explicitly stated; the stolen tokens were valid and already carried the permissions granted to the integration, which implies the attackers held the access they needed within customer Salesforce environments.
- **Defense Evasion:** Requests authenticated with legitimate OAuth tokens look like normal integration traffic, so they likely passed through the network and authentication controls that would otherwise guard access to customer data stores.
- **Credential Access:** Focused on stealing AWS keys, passwords, and Snowflake tokens from compromised customer data.
- **Discovery:** Attackers likely performed discovery within the connected Salesforce instances.
- **Lateral Movement:** Pivoting from Salesloft to connected customer Salesforce environments using stolen tokens.
- **Collection:** Gathering sensitive credentials and access data.
- **Exfiltration:** Data theft conducted between August 8 and August 18, 2025.
- **Impact:** Unauthorized access and theft of sensitive credentials hosted within customer Salesforce environments.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Sensitive credentials, specifically AWS access keys, passwords, and Snowflake-related access tokens, were exfiltrated from customer environments.
- **Operational:** Potential disruption to customer operations due to unauthorized access to cloud infrastructure (AWS/Snowflake).
- **Reputational:** Negative impact on Salesloft's trust and security standing.
## Indicators of Compromise
(No specific artifacts are provided in the source text; detection would focus on anomalous use of the integration's tokens.)
- **Network indicators - defanged:** N/A (Focus was internal token usage)
- **File indicators:** N/A
- **Behavioral indicators:** Anomalous access patterns or data retrieval originating from the SalesDrift integration service account within customer Salesforce instances during the specified window (August 8 to 18, 2025).
## Response Actions
- **Containment measures:** Issuing a security notification/advisory. (Likely also immediate revocation and rotation of the compromised SaaS tokens.)
- **Eradication steps:** Not detailed; assumed to involve reviewing and severing unauthorized access paths.
- **Recovery actions:** Not detailed; likely customer-side rotation of the stolen credentials (AWS keys, passwords, Snowflake tokens).
## Lessons Learned
- **Key takeaways:** Third-party integrations utilizing broad OAuth scopes (like that between Salesloft SalesDrift and Salesforce) represent a significant supply chain risk, allowing attackers to pivot into multiple downstream customers.
- **What could have been done better:** Stricter controls on, or minimization of, the permission scopes granted to the SalesDrift OAuth tokens, and closer monitoring of how those tokens are issued, refreshed and used over their lifetime.
## Recommendations
- **Prevention measures for similar incidents:** Implement least-privilege access for all third-party application integrations (OAuth). Mandate regular rotation schedules or review of all active integration tokens/refresh tokens. Improve monitoring specifically for unusual data access/exfiltration activities tied to service accounts or platform integrations.
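A defender's triage of the behavioral indicator above, and of the integration monitoring the recommendations call for, as an added example that is not part of the original report: it builds a per-object baseline for the integration's connected app from activity before the theft window and flags in-window queries that touch objects the app never read before or return far more rows than usual. The log layout, the app name `drift-integration` and the spike threshold are constructed assumptions, not Salesforce's actual event schema.

```python
import csv
from datetime import datetime, timezone
from io import StringIO
from statistics import median

# Constructed sample of API activity records, in the shape a defender might
# export from a SaaS audit log: timestamp, connected app, object, operation,
# rows returned. Illustrative only; not Salesforce's real log format.
SAMPLE_LOG = """timestamp,app,object,operation,rows
2025-08-05T10:02:11Z,drift-integration,Contact,query,120
2025-08-06T10:05:40Z,drift-integration,Contact,query,135
2025-08-07T10:01:03Z,drift-integration,Lead,query,90
2025-08-09T02:14:55Z,drift-integration,Contact,query,48000
2025-08-09T02:20:12Z,drift-integration,Case,query,22000
2025-08-10T03:41:07Z,drift-integration,Attachment,query,15000
2025-08-11T10:03:19Z,reporting-user,Opportunity,query,500
"""

# Theft window stated in the report: August 8 to 18, 2025 (end exclusive).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the CSV export into dicts with a tz-aware timestamp and int rows."""
    records = []
    for rec in csv.DictReader(StringIO(text)):
        rec["ts"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        rec["rows"] = int(rec["rows"])
        records.append(rec)
    return records


def find_anomalies(records, app, spike_factor=10):
    """Flag in-window activity by `app` that departs from its pre-window baseline:
    an object the app never touched before, or a row count more than
    `spike_factor` times the baseline median for that object."""
    baseline = {}
    for r in records:
        if r["app"] == app and r["ts"] < WINDOW_START:
            baseline.setdefault(r["object"], []).append(r["rows"])
    findings = []
    for r in records:
        if r["app"] != app or not (WINDOW_START <= r["ts"] < WINDOW_END):
            continue
        if r["object"] not in baseline:
            findings.append((r["timestamp"], r["object"], "new-object"))
        elif r["rows"] > spike_factor * median(baseline[r["object"]]):
            findings.append((r["timestamp"], r["object"], "volume-spike"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG), "drift-integration"):
        print(finding)
```

In practice the baseline should be built from several weeks of normal activity and the flagged records correlated with token refresh events for the same connected app.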