Attackers steal OAuth tokens to access third-party sales platform, then CRM data in 'widespread campaign'

Google says a recent spate of Salesforce-related breaches was caused by attackers stealing OAuth tokens from the third-party Salesloft Drift app.

Drift is used for automating sales processes, and it integrates with Salesforce databases, pulling relevant information such as leads and contact details into the platform to help coordinate pitches.

Crucially, the campaign is being treated separately from the attacks on high-profile organizations – including Google itself – that also involved Salesforce data thefts.

Attacks on the likes of Allianz Life, Workday, Qantas, LVMH brands, and more have been widely reported over the summer, but aren't thought to be linked to the Salesloft compromise.

Instead, these incidents have widely been attributed to and claimed by the ShinyHunters group (UNC6240). Google says there isn't enough evidence to suggest the same attackers are behind the Salesloft incidents.

While Salesforce customers have been targeted since May, it's believed these were more a ...