All news with #oauth app abuse tag

🔒 A sophisticated adversary exploited legitimate OAuth tokens issued to Salesloft's Drift chatbot integration with Salesforce, using the connection to silently exfiltrate customer data between August 8–18, 2025, according to Google Threat Intelligence Group. The campaign, attributed to UNC6395, leveraged trust in third-party integrations and service-to-service tokens to maintain covert access. Organizations should reassess OAuth governance, entitlement controls, and logging for SaaS integrations to reduce exposure.

🔒 Palo Alto Networks confirmed a Salesforce data breach after attackers abused OAuth tokens stolen in the Salesloft Drift supply-chain incident to access its CRM. The intruders exfiltrated business contact, account records and support Case data, which in some instances contained sensitive IT details and passwords. Palo Alto says products and services were not affected, tokens were revoked, and credentials rotated.

🔒 Palo Alto Networks confirmed a Salesforce CRM breach after attackers used compromised OAuth tokens from the Salesloft Drift incident to access its instance. The intrusion was limited to Salesforce and exposed business contacts, account records and portions of support cases; technical attachments were not accessed. The company quickly disabled the app, revoked tokens and said Unit 42 found no impact to products or services.

🔐 Palo Alto Networks confirmed last week that a breach of Salesloft’s Drift third‑party application allowed unauthorized access to customer Salesforce data, affecting hundreds of organizations including Palo Alto Networks. We immediately disconnected the vendor integration from our Salesforce environment and directed Unit 42 to lead a comprehensive investigation. The investigation found the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and exposed data primarily included business contact information, internal sales account records and basic case data. We are proactively contacting a limited set of customers who may have had more sensitive data exposed and have made support available through our customer support channels.

⚠️ Unit 42 observed a campaign that abused the Salesloft Drift integration using compromised OAuth credentials to access and exfiltrate data from customer Salesforce instances. The actor performed large-scale extraction of objects including Account, Contact, Case and Opportunity records and scanned harvested data for credentials. Salesloft revoked tokens and notified affected customers; organizations should immediately review logs, rotate exposed credentials and hunt for the provided IoCs.

🔒 Zscaler has disclosed that OAuth tokens tied to the third-party Salesloft Drift application were stolen, allowing an attacker to access its Salesforce instance. The company said exposed data included business contact details, job titles, phone numbers, regional information, product licensing and some plain-text support case content, but not attachments or images. Zscaler revoked the app's access, rotated API tokens, implemented additional safeguards and urged customers to remain vigilant for phishing and social-engineering attempts.

🔒 Amazon's threat intelligence team identified and disrupted a watering hole campaign conducted by APT29, a group linked to Russia’s SVR. The actor compromised legitimate websites and injected obfuscated JavaScript to redirect a subset of visitors to attacker-controlled pages that mimicked Cloudflare verification. The campaign aimed to abuse Microsoft's device code authentication flow to trick users into authorizing attacker-controlled devices; Amazon isolated affected EC2 instances and coordinated with partners to disrupt infrastructure and share intelligence.

🔐 Google and Mandiant warn Salesloft Drift customers that OAuth tokens tied to the Drift platform should be treated as potentially compromised. Stolen tokens for the Drift Email integration were used to access email from a small number of Google Workspace accounts on August 9, 2025; Google stressed this is not a compromise of Workspace or Alphabet. Google revoked affected tokens, disabled the Workspace–Drift integration, and is urging customers to review, revoke, and rotate credentials across all Drift-connected integrations while investigations continue.

🔒 Google warns that the Salesloft Drift compromise is larger than first reported and included theft of OAuth tokens beyond the Salesforce integration. Threat actors used stolen tokens tied to the Drift Email integration to access a very small number of Google Workspace email accounts on August 9. Google says the tokens have been revoked, the Drift–Workspace integration is disabled, and affected customers were notified. Organizations using Drift should revoke and rotate all connected authentication tokens and review integrations for exposed secrets.

🔒 A campaign tied to threat actor UNC6395 exploited compromised OAuth and refresh tokens associated with the Drift chat integration to exfiltrate data from Salesforce instances connected via Salesloft. Observed between Aug 8 and Aug 18, 2025, the actor executed targeted queries to retrieve Cases, Accounts, Users and Opportunities and hunted for credentials such as AWS access keys and Snowflake tokens. Salesloft and Salesforce invalidated tokens, removed Drift from AppExchange, and advised affected customers to re-authenticate integrations and rotate credentials.

🔒 GTIG warns of a widespread data-theft campaign by UNC6395 that abused compromised OAuth tokens for the Salesloft Drift connected app to export data from multiple Salesforce customer instances between Aug. 8 and Aug. 18, 2025. The actor executed SOQL queries against objects including Accounts, Cases, Users, and Opportunities to harvest credentials and secrets—observed items include AWS access keys, Snowflake tokens, and passwords. Salesloft and Salesforce revoked tokens and removed the Drift app from the AppExchange; impacted organizations should search for exposed secrets, rotate credentials, review Event Monitoring logs, and tighten connected-app scopes and IP restrictions.