Salesforce is refusing to pay a ransom demand from a hacker threatening to publish stolen client data following the Salesloft Drift attack, according to reports.
On October 2, the cloud giant issued a security notification saying that they are “aware of recent extortion attempts by threat actors”, adding that their investigation had found that these “relate to past or unsubstantiated incidents”.
Salesforce stressed that, at this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in their technology.
But, according to an email seen by Bloomberg News, the company said that it had received “credible threat intelligence” indicating that the ShinyHunters hacking group was planning to share information stolen earlier in the year.
Note: The risk from compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of every connected app, removing any unused or unknown apps, restricting which users and profiles can access the apps that remain, and removing the ability for any user to add connected apps without admin approval. We’ve published an article to help.
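As an illustration of the audit recommended above, here is an added example script (it is not Salesforce Ben's or Salesforce's own tooling) that takes the records returned by a SOQL query over the OauthToken object and flags tokens to revoke or investigate: tokens issued to the Drift integrations, tokens for apps whose origin has not been verified against an allow-list, and tokens nobody has used for 90 days. The SOQL query and the OauthToken field names are quoted from memory of the Salesforce data model rather than from this article, the sample records are constructed, and the app allow-list is a placeholder to replace with your own.

```python
"""Connected-app OAuth token audit for a Salesforce org.

Added example for this article; not Salesforce Ben's or Salesforce's code.
It assumes the records below are what the Salesforce REST query endpoint
returns for a SOQL query like SAMPLE_QUERY. The OauthToken object and its
field names are quoted from memory of the Salesforce data model, not from
the article, so verify them against your org's API before relying on this.
"""
from datetime import datetime, timedelta, timezone

# Assumed SOQL query (run via Workbench, the REST API or Data Loader).
SAMPLE_QUERY = (
    "SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount "
    "FROM OauthToken"
)

# Salesforce API datetimes look like 2025-08-17T09:15:00.000+0000.
SF_DATETIME = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample records in the shape of the query response's "records" array.
SAMPLE_RECORDS = [
    {"Id": "3MVx00000001", "AppName": "Salesloft Drift", "UserId": "005x0001",
     "CreatedDate": "2025-05-02T08:00:00.000+0000",
     "LastUsedDate": "2025-08-17T09:15:00.000+0000", "UseCount": 4210},
    {"Id": "3MVx00000002", "AppName": "Drift Email", "UserId": "005x0002",
     "CreatedDate": "2025-05-02T08:05:00.000+0000",
     "LastUsedDate": "2025-08-12T22:41:00.000+0000", "UseCount": 77},
    {"Id": "3MVx00000003", "AppName": "Salesforce for iOS", "UserId": "005x0003",
     "CreatedDate": "2025-09-20T12:00:00.000+0000",
     "LastUsedDate": "2025-10-01T07:30:00.000+0000", "UseCount": 15},
    {"Id": "3MVx00000004", "AppName": "Contoso Lead Scraper", "UserId": "005x0004",
     "CreatedDate": "2025-09-28T16:20:00.000+0000",
     "LastUsedDate": "2025-09-30T03:00:00.000+0000", "UseCount": 9800},
    {"Id": "3MVx00000005", "AppName": "Data Loader", "UserId": "005x0005",
     "CreatedDate": "2024-11-03T11:00:00.000+0000",
     "LastUsedDate": None, "UseCount": 0},
]

# Placeholder allow-list of apps whose origin you have verified, and the apps
# whose tokens must be revoked regardless of usage (here, the Drift integrations).
APPROVED_APPS = {"Salesforce for iOS", "Data Loader"}
COMPROMISED_APPS = {"Salesloft Drift", "Drift Email"}

# Fixed audit time so the example is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2025, 10, 3, tzinfo=timezone.utc)

ACTION_ORDER = {"revoke": 0, "investigate": 1}


def parse_sf_datetime(value):
    """Parse a Salesforce API datetime string; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, SF_DATETIME)


def audit_tokens(records, approved, compromised, now, stale_days=90):
    """Return the tokens that need action, most urgent first.

    Rules, in priority order:
      1. token belongs to a known-compromised app      -> revoke
      2. token belongs to an app not on the allow-list -> investigate
      3. token unused (or never used) for stale_days   -> revoke
    """
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for rec in records:
        app = rec["AppName"]
        # A never-used token has no LastUsedDate; age it from its creation date.
        last_used = parse_sf_datetime(rec.get("LastUsedDate")) or parse_sf_datetime(rec["CreatedDate"])
        if app in compromised:
            action, reason = "revoke", "app is on the compromised list"
        elif app not in approved:
            action, reason = "investigate", "app origin not verified (not on allow-list)"
        elif last_used < cutoff:
            action, reason = "revoke", "token unused for more than %d days" % stale_days
        else:
            continue
        findings.append({"Id": rec["Id"], "AppName": app, "UserId": rec["UserId"],
                         "action": action, "reason": reason})
    findings.sort(key=lambda f: ACTION_ORDER[f["action"]])  # stable: keeps query order within an action
    return findings


def summarize_by_app(records):
    """Count tokens and distinct users per connected app: the 'what is in my org' view."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["AppName"], {"tokens": 0, "users": set()})
        entry["tokens"] += 1
        entry["users"].add(rec["UserId"])
    return {app: {"tokens": e["tokens"], "users": len(e["users"])} for app, e in summary.items()}


def audit_sample():
    """Run the audit over the constructed sample at the fixed audit time."""
    return audit_tokens(SAMPLE_RECORDS, APPROVED_APPS, COMPROMISED_APPS, AUDIT_TIME)


if __name__ == "__main__":
    for app, counts in summarize_by_app(SAMPLE_RECORDS).items():
        print("%-22s tokens=%d users=%d" % (app, counts["tokens"], counts["users"]))
    for f in audit_sample():
        print("%-11s %s  %-22s user=%s  (%s)" % (f["action"], f["Id"], f["AppName"], f["UserId"], f["reason"]))
```

The "revoke" findings are the ones to act on first; in Salesforce, deleting an OauthToken record revokes that token (confirm this against your org's API documentation before scripting it), and the "investigate" findings are the unknown apps the note says to trace to their origin before deciding whether to keep them.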
Salesforce ‘Will Not Negotiate With Extortion Demand’
Bloomberg reported this incident relates to the hacking of the Salesloft Drift app.
A Salesforce spokesperson told Salesforce Ben they “will not engage, negotiate with, or pay any extortion demand”.
Bloomberg reported that, in the email they had seen, Salesforce stated that hackers appear to have compiled records taken from the Drift app into a large dataset, which was put up for sale on a cybercrime forum last week.
Most of the information stolen through the Drift app was customer contact information and basic IT support data, but in some cases it also included access tokens for user authorization and information about a customer’s IT configuration, reports say.
Salesforce Ben has contacted Salesloft for comment.
Salesloft Drift Hack Explained
In the Salesloft hacking incident, Salesforce customers were targeted through the third-party application, Salesloft Drift.
Google Threat Intelligence Group (GTIG) said earlier this year that the data theft campaign began as early as August 8 and ran until at least August 18.
Hackers targeted Salesforce instances through compromised OAuth tokens associated with Drift.
Salesloft had initially indicated that customers who do not integrate with Salesforce were not impacted, but GTIG later revealed that the Drift hack was broader than first thought: the compromise was not limited to the Salesforce integration with Salesloft Drift, and OAuth tokens for the “Drift Email” integration were also compromised.
Salesforce disabled all integrations between Salesforce and Salesloft technologies, including the Drift app, and GTIG advised all Salesloft Drift customers to treat “any and all” authentication tokens stored in or connected to the Drift platform as potentially compromised.
In an update posted on September 2, Salesloft said Drift would be taken down “temporarily” to boost its security.
On September 7, Salesforce said it had re-enabled integrations with Salesloft technologies, apart from any Drift app.
Final Thoughts
This news comes following reports that voice phishing hackers are claiming to have stolen nearly one billion Salesforce records, so it’s yet more bad news for Salesforce ahead of Dreamforce.
But the cloud giant stresses that, at this time, there is no indication that the Salesforce platform has been compromised, nor is this activity “related to any known vulnerability in our technology”.
Have you been affected by the hacks? Email tips@salesforceben.com
Stay up to date with the latest hacking news by reading our hub post here.