Article #000001374
Summary
Salesforce customers have been targeted in yet another data theft campaign – this time carried out through the third-party application Salesloft Drift. Hackers targeted Salesforce instances through compromised OAuth tokens associated with Salesloft Drift, and then systematically exported “large volumes of data” from numerous corporate Salesforce instances, according to GTIG (Google Threat Intelligence Group). The primary intent of the threat actor was to “harvest credentials”, Google says. Once an instance was compromised, the attackers searched the exported data for secrets that could be used to compromise other systems integrated with Salesforce.
Question
Is the CaseCloud application at risk from the Salesloft Drift application vulnerability?
Resolution
Salesforce has created a help article for this issue: Ongoing Security Response to Third-Party App Incident. Moving forward, all new updates and supporting resources will be shared via this help article.
I found several other articles with varying information:
- Salesforce Trust: Security Advisory: Unusual Activity in a Third-Party Connected App
- Salesforce Ben: Salesforce Customers Targeted in New Data Hacks Through Salesloft Drift
- Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
Salesforce has shut down all Drift access and removed the app from the AppExchange. Google recommends that organizations using Drift integrated with Salesforce consider their Salesforce data compromised and take immediate remediation steps.
From a CaseCloud perspective, our customers should not be impacted. As stated in the data breach notification:
- The impacted customers have already been notified.
- Any Salesforce customer who does not use the Salesloft Drift integration is not impacted.
CaseCloud apps do not use Salesloft Drift.