Big Businesses Hit With Attacks In Salesloft Drift Breach Wake

Here are some of the enterprises that have reported related breaches in the last few days.



After Salesforce customer instances were targeted in a “widespread” data theft attack, from around Aug. 8 to 18, several large enterprises have reported their own data breaches in the days following.

On Aug. 26, the Google Threat Intelligence Group (GTIG) released its findings that Salesforce customer instances were targeted through compromised OAuth tokens associated with the Salesloft Drift third-party application. GTIG said that a threat actor it tracks as “UNC6395” was responsible for the attack.

Salesloft acquired Drift in February 2024.

On Aug. 28, GTIG updated its findings with an advisory that the attack was not limited to Salesforce’s integration with the Salesloft Drift app and advised that any customer using the Salesloft app should “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”

Reports across the internet are pointing to the Salesloft Drift breach as the source of these fallout attacks.


Here are some of the enterprises that have reported breaches in the last few days:

Zscaler and Palo Alto Networks: Both tech companies confirmed they had experienced data breaches that were related to the Salesloft Drift attack, MES Computing’s sister publication, CRN, reported.

TransUnion: On Aug. 28, credit firm TransUnion confirmed that data belonging to more than 4 million of its customers was stolen in a cyberattack, Reuters reported.

Some online reports attributed the TransUnion attack to the Salesloft-Drift breach. However, TransUnion would not confirm that in a statement to MES Computing.

“TransUnion recently experienced a cyber incident that affected a third-party application serving our U.S. consumer support operations. Upon discovery, we quickly contained the issue, which did not involve our core credit database or include credit reports,” the statement read.

TransUnion said that it found that the incident “involved unauthorized access to limited personal information for a very small percentage of U.S. consumers.”

In response, the company said it is working with authorities as well as third-party cybersecurity experts to conduct an “independent forensics review.”

“Additionally, we will notify affected consumers and provide credit monitoring services,” TransUnion said in its statement.

Farmers Insurance: The insurance giant said that more than a million of its customers had data stolen as the result of an attack, The Register reported on Aug. 26.

While Farmers would not confirm if its data breach was related to the Drift hack, the company said the cause was “an unauthorized third-party” that had “briefly accessed a vendor’s system that contained some Farmers’ customer information,” in a statement to MES Computing.

“At Farmers, protecting our customers’ information is our top priority ... An investigation—conducted with both internal and external security experts—found no evidence that the exposed data has been misused, nor any indication that Farmers’ own systems were compromised. We are contacting affected individuals directly and are providing support resources, including complimentary credit monitoring,” the statement read.

Salesforce, for its part, said, “the Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology. We know how disruptive and stressful these incidents can be, and our teams are fully engaged to support affected customers and help minimize any impact.”

Salesforce further advised customers to refer to its blog post on best practices for organizations to protect themselves against the rise in social engineering threats and to the Google Threat Intelligence Group’s blog post that breaks down how organizations can harden their defenses against social engineering attacks.