{"id":17435,"date":"2025-09-04T00:30:01","date_gmt":"2025-09-04T00:30:01","guid":{"rendered":"https:\/\/sekuritasit.com\/?p=17435"},"modified":"2025-09-04T00:30:01","modified_gmt":"2025-09-04T00:30:01","slug":"salesloft-drift-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2025\/09\/04\/salesloft-drift-supply-chain-attack\/","title":{"rendered":"Salesloft Drift Supply Chain Attack"},"content":{"rendered":"

What is the Attack?Threat actors tracked as UNC6395 exploited the Salesloft Drift integration, an AI chatbot tool linked to Salesforce and other platforms, to steal access tokens. These tokens allowed them to bypass normal authentication controls and gain access to target environments without directly breaching Salesforce accounts.The attackers then systematically exported sensitive credentials from dozens, and potentially hundreds, of Salesforce customer instances. Exfiltrated data included AWS access keys, Snowflake authentication tokens, VPN credentials, passwords, and API keys.With these tokens, UNC6395 was able to infiltrate not only Salesforce but also Google Workspace, Cloudflare, Zscaler, Palo Alto Networks, and other connected systems. This expanded the impact well beyond CRM data, exposing a wide range of enterprise environments.While initial reports suggested the breach was limited to Salesforce integrations, subsequent investigations confirmed that all Salesloft Drift integrations should be considered compromised.What is the recommended Mitigation?\u2022 Review the Salesloft Advisory and any other advisories from partners affected by the breach. Salesloft Advisory\u2022 Revoke and Reissue TokensImmediately disconnect and regenerate all tokens associated with Salesloft Drift and any connected integrations.\u2022 Audit and Monitor ActivityReview logs in Salesforce, Google Workspace, and other integrated platforms for signs of unusual data exports, hidden jobs, or suspicious API calls.\u2022 Tighten Integration PermissionsEnforce least privilege, restrict API scopes, and apply IP-based access controls to reduce exposure.\u2022 Rotate All Exposed SecretsReplace compromised or potentially exposed credentials, including AWS keys, Snowflake tokens, VPN accounts, and API tokens.\u2022 Defend Against Phishing and ImpersonationMonitor for social engineering attempts targeting employees or customers using leaked contact data.What FortiGuard Coverage is available?\u2022 FortiGuard Labs recommends users to follow best practices and enforce Zero-Trust Security to ensure minimal impact and sensitive data remains tightly restricted.\u2022 FortiGuard Labs Web-filtering Service blocks access to malicious domains, C2 servers, and or phishing sites associated with the campaign.\u2022 FortiGuard Labs has blocked all the known linked Indicators of Compromise (IOCs) and the team is continuously monitoring for new IOCs.\u2022 Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.Read More<\/a>\u00a0<\/p>","protected":false},"excerpt":{"rendered":"

What is the Attack?Threat actors tracked as UNC6395 exploited the Salesloft Drift integration, an AI chatbot tool linked to Salesforce and other platforms, to steal access tokens. These tokens allowed them to bypass normal authentication controls and gain access to target environments without directly breaching Salesforce accounts.The attackers then systematically exported sensitive credentials from dozens, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-17435","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t