SUPPLY CHAIN MELTDOWN: Cloudflare, Palo Alto Networks Breached via Salesloft Drift Attack

Cloudflare and Palo Alto Networks have confirmed data breaches stemming from a supply chain attack on Salesloft Drift. Understand the third-party risk.


A major supply chain attack has compromised Cloudflare, Palo Alto Networks, and others through the Salesloft Drift integration. Learn how a stolen OAuth token led to this massive data breach.


A massive supply chain attack has hit the heart of the internet's infrastructure. Cloudflare and Palo Alto Networks have confirmed data breaches after attackers compromised a popular third-party sales tool, Salesloft Drift. This incident is a stark reminder that in today's interconnected world, an organization's security is only as strong as its weakest supplier.

The Modern Attack Surface: Your Supplier's Keys are Your Keys

This breach is a powerful illustration of the same third-party risk highlighted in the recent TransUnion data breach. In that case, attackers compromised a third-party application to access TransUnion's customer data. Here, the attackers targeted Salesloft Drift, a widely used AI chatbot and marketing tool, to gain access to the customer relationship management (CRM) data of some of the world's most critical technology companies. [Source: Cybersecurity Dive]

The biggest security risk isn't always your own walls, but the doors you give to your suppliers. When a company like Cloudflare or Palo Alto Networks integrates a tool like Drift into their systems, they are extending a level of trust and access to that third party.

How the Attack Happened: The Power of an OAuth Token

The attackers leveraged a compromised OAuth token associated with the Salesloft Drift application's integration with Salesforce. But what is an OAuth token?

Think of an OAuth token as a digital key that allows one application to access data from another on your behalf, without you having to share your password. For example, when you allow a third-party app to access your Google Drive, you are granting it an OAuth token.

In this case, Drift had been granted OAuth tokens to interact with the Salesforce instances of its customers. Once the attackers compromised Drift, they were able to use these pre-authorized tokens to access and exfiltrate large volumes of data from the corporate Salesforce accounts of hundreds of organizations [Source: The Hacker News], including:

  • Cloudflare

  • Palo Alto Networks

  • Zscaler

  • Proofpoint

The threat actor, tracked as UNC6395 or GRUB1, systematically exported data between August 8th and August 18th, searching for sensitive information like API keys, credentials, and customer contact details that could be used in future targeted attacks. [Source: LinkedIn, among others]

The Impact and Response

  • Cloudflare confirmed that the attackers accessed customer support tickets and related data from their Salesforce tenant. They have rotated any credentials that may have been exposed and are contacting affected customers. [Source: Infosecurity Magazine]

  • Palo Alto Networks stated that the breach involved mostly business contact information and internal sales data. They are also reaching out to customers who may have had more sensitive data exposed. [Source: Palo Alto Networks Unit 42, among others]

  • Salesloft has taken Drift offline temporarily and engaged cybersecurity firm Mandiant to assist in their investigation. [Source: The Hacker News]

  • Salesforce has temporarily disabled all Salesloft integrations as a precautionary measure. [Source: The Hacker News]

This incident underscores the critical importance of a "zero trust" approach to security, where no entity—internal or external—is trusted by default. Organizations must continuously vet their third-party suppliers and limit the access they are granted to only what is absolutely necessary. For users, this serves as another reminder that your data is often in the hands of companies you've never directly interacted with.
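The two controls the article points at, spotting a third-party integration's pre-authorized token being used for bulk export and limiting each integration to only the data it needs, can be checked against CRM API activity records. The following is an added example, not code from the article, Salesloft or Salesforce: the event field names, the allow list, the baseline figures and every record are constructed stand-ins for real event-monitoring data.

```python
"""Added example (not from the article): flag a connected app that reads
far more rows than its normal daily volume, and one that reads objects
outside the scope its business purpose requires. All data is constructed."""
from collections import defaultdict

# Hypothetical least-privilege allow list agreed with each vendor.
ALLOWED_OBJECTS = {"Drift": {"Lead", "Contact"}, "Marketo": {"Lead"}}
# Hypothetical per-app baseline of rows read per day, derived from history.
BASELINE_ROWS = {"Drift": 150, "Marketo": 400}

# Constructed events: routine chatbot traffic, then bulk reads of support cases.
EVENTS = [
    {"connected_app": "Drift", "object": "Lead", "rows": 120, "day": "08-06"},
    {"connected_app": "Drift", "object": "Contact", "rows": 40, "day": "08-06"},
    {"connected_app": "Drift", "object": "Lead", "rows": 110, "day": "08-07"},
    {"connected_app": "Marketo", "object": "Lead", "rows": 300, "day": "08-08"},
    {"connected_app": "Drift", "object": "Case", "rows": 45000, "day": "08-08"},
    {"connected_app": "Drift", "object": "Case", "rows": 52000, "day": "08-09"},
    {"connected_app": "Drift", "object": "Lead", "rows": 90, "day": "08-09"},
]


def daily_rows(events):
    """Total rows read per (connected_app, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["connected_app"], e["day"])] += e["rows"]
    return dict(totals)


def flag_volume_spikes(events, baseline=BASELINE_ROWS, factor=10):
    """(app, day, rows) tuples where a known app exceeds factor x its daily baseline."""
    return [
        (app, day, rows)
        for (app, day), rows in sorted(daily_rows(events).items())
        if app in baseline and rows > factor * baseline[app]
    ]


def flag_scope_violations(events, allowed=ALLOWED_OBJECTS):
    """Sorted (app, object) pairs where a known app read outside its allow list."""
    hits = {
        (e["connected_app"], e["object"])
        for e in events
        if e["connected_app"] in allowed and e["object"] not in allowed[e["connected_app"]]
    }
    return sorted(hits)
```

Running `flag_volume_spikes(EVENTS)` and `flag_scope_violations(EVENTS)` surfaces the two days of bulk reads and the one object (Case) the integration was never meant to touch; a spike alone may be a legitimate sync, so both signals together are what should trigger token revocation and review.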


Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!