Salesloft Shuts Down Drift Temporarily Following OAuth Token Theft Affecting Numerous Organizations

 
Sep 03, 2025
Data Breach / Threat Intelligence

Salesloft announced on Tuesday the temporary suspension of Drift, slated to occur “in the very near future,” due to an extensive supply chain attack impacting multiple companies. This breach has led to the widespread theft of authentication tokens linked to the marketing software-as-a-service platform. The company stated, “This action will allow us to thoroughly review the application and enhance its resilience and security before restoring full functionality.” Consequently, the Drift chatbot on customer websites will be offline, and Drift itself will not be accessible. Salesloft emphasized its commitment to preserving the integrity and security of its systems and customers’ data, collaborating with cybersecurity partners Mandiant and Coalition as part of their incident response strategy. This announcement follows a disclosure from Google Threat Intelligence Group (GTIG) and Mandiant regarding the ongoing threats.

Salesloft to Temporarily Suspend Drift Following Widespread OAuth Token Theft

September 3, 2025

In a significant development within the cybersecurity landscape, Salesloft has announced plans to take its Drift service offline imminently. This decision follows a widespread supply chain attack that has affected numerous organizations, leading to the unauthorized acquisition of authentication tokens associated with the marketing software-as-a-service product.

Salesloft’s move comes as a proactive measure to facilitate a thorough review of the Drift application, with the aim of bolstering both its resiliency and security protocols before restoring full operations. The company has confirmed that the Drift chatbot service will be unavailable across customer websites during this maintenance period, effectively restricting access to the Drift platform.

Prioritizing the security and integrity of its systems and customer data, Salesloft has enlisted the expertise of cybersecurity firms Mandiant and Coalition to aid in its incident response efforts. Their collaboration will focus on uncovering the nature of the attack and addressing vulnerabilities that may have been exploited.

This breach is particularly concerning, as recent intelligence from the Google Threat Intelligence Group (GTIG) and Mandiant indicates that multiple entities have been affected. While specific organizations have not been publicly identified, the ramifications of this incident highlight the ongoing vulnerabilities within software supply chains used by tech companies, particularly in the U.S.

The attack’s methodology aligns with several tactics outlined in the MITRE ATT&CK framework. Initial access may have been gained through compromised authentication tokens, allowing adversaries to infiltrate systems undetected. Techniques related to privilege escalation may have facilitated further unauthorized actions within affected networks, amplifying the potential damage across multiple organizations.

Salesloft’s decision to pause Drift not only reflects awareness of immediate threats but also underscores the critical importance of maintaining stringent security measures in the face of evolving cyber threats. Business owners are reminded that such breaches can have far-reaching implications, not just for those directly targeted, but for the wider ecosystem of partners and customers as well.

As the investigation unfolds and systems are fortified, the cybersecurity community remains vigilant. The focus will undoubtedly be on ensuring that lessons are learned from this incident to prevent future occurrences, emphasizing the necessity for robust security frameworks and ongoing diligence in protecting sensitive data.

Source link

Related Posts

CISA Includes TP-Link and WhatsApp Vulnerabilities in KEV Catalog Due to Ongoing Exploitation

September 3, 2025
Vulnerability / Mobile Security

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting TP-Link TL-WA855RE Wi-Fi Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing signs of active exploitation. The vulnerability, identified as CVE-2020-24363 (CVSS score: 8.8), involves a missing authentication flaw that can be exploited to gain elevated access to the device. CISA noted that “this vulnerability could enable an unauthenticated attacker on the same network to send a TDDP_RESET POST request for a factory reset and reboot,” allowing them to establish incorrect access control by setting a new administrative password. According to malwrforensics, the issue has been addressed in firmware version TL-WA855RE(EU)_V5_200731. However, it’s important to mention that this product has reached end-of-life (EoL) status, making future patches or updates unlikely. Users of the Wi-Fi range extender are therefore advised to take caution.

Cloudflare Successfully Thwarts Unprecedented 11.5 Tbps DDoS Attack

Cloudflare announced on Tuesday that it effectively mitigated a record-breaking volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). In a recent post on X, the web infrastructure and security provider revealed, “In recent weeks, we’ve autonomously blocked numerous hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bbps and 11.5 Tbps.” The attack, primarily a UDP flood originating from Google Cloud, lasted only about 35 seconds, highlighting the company’s robust defense mechanisms at work. Volumetric DDoS attacks aim to overwhelm a target with excessive traffic, causing server slowdowns or failures, often resulting in network congestion, packet loss, and service disruptions. Typically, these attacks are executed using botnets controlled by threat actors.

Iranian Hackers Compromise Over 100 Embassy Email Accounts in Global Diplomat Phishing Campaign

Sep 03, 2025
Data Breach / Cyber Espionage

A group linked to Iran has been identified as the perpetrator of a “coordinated” and “multi-wave” spear-phishing campaign targeting embassies and consulates across Europe and beyond. Israeli cybersecurity firm Dream has attributed this activity to Iranian-aligned operators associated with a broader offensive cyber initiative known as Homeland Justice. “Phishing emails were sent to numerous government officials worldwide, masquerading as legitimate diplomatic correspondence,” the firm reported. “The evidence suggests a larger regional espionage strategy aimed at diplomatic and government institutions amid rising geopolitical tensions.” The attack tactics involve spear-phishing emails that reference geopolitical disputes between Iran and Israel, containing malicious Microsoft Word attachments that prompt recipients to “Enable Content” to execute embedded Visual Basic for Applications code.

Android Security Update: Google Addresses 120 Vulnerabilities, Including Two Actively Exploited Zero-Days

Sep 03, 2025
Mobile Security / Vulnerability

Google has released security updates for September 2025, patching 120 vulnerabilities in its Android operating system. Among these are two critical issues that have been confirmed as actively exploited in targeted attacks. The key vulnerabilities are:

  • CVE-2025-38352 (CVSS score: 7.4): A privilege escalation flaw in the Linux Kernel component.
  • CVE-2025-48543 (CVSS score: 7.4): A privilege escalation flaw in the Android Runtime component.

Both vulnerabilities allow for local privilege escalation without requiring additional execution privileges or user interaction. While Google has not detailed how these vulnerabilities are being exploited in the wild or if they are being leveraged together, they acknowledge signs of “limited, targeted exploitation.” Benoît Sevens from Google’s Threat Analysis Group (TAG) is credited with discovering and reporting these critical flaws.