SolarWinds Issues Advisory on Salesforce Data Breach Linked to Salesloft Drift


SolarWinds has issued a security advisory regarding a major Salesforce data breach that exposed sensitive information from numerous companies worldwide. While SolarWinds itself was not directly impacted, the company is urging vigilance as the attack.

According to the advisory, “SolarWinds has been made aware of a recent data breach involving Salesforce, which resulted in the unauthorized access and theft of sensitive customer data. The breach was primarily caused by compromised OAuth tokens associated with the Salesloft Drift integration.”

The compromised tokens allowed attackers to export large volumes of data from multiple Salesforce customer instances, with the primary goal of harvesting credentials stored in those records. “The attackers’ primary objective appears to have been the collection of sensitive credentials, including access keys and passwords.”

SolarWinds clarified that its own systems were unaffected: “While SolarWinds does utilize Salesforce, our internal investigation has confirmed that we do not use the Salesloft Drift integration. As such, SolarWinds is not impacted by this breach.”

However, other major organizations were not so fortunate. The stolen tokens were leveraged in large-scale data theft campaigns affecting industry giants such as Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks.

Google Threat Intelligence (Mandiant) shed light on the attackers’ methods: “After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments.”

They observed that the group — tracked as UNC6395 — specifically targeted AWS access keys, Snowflake tokens, and user passwords.
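The practical takeaway for Salesforce customers follows from Mandiant's observation: the exfiltrated records were mined for AWS keys, Snowflake identifiers and passwords that users had pasted into free-text fields. As an added example (not code from SolarWinds, Mandiant or the FBI advisory), this Python script scans a constructed CSV export of Case records for those secret shapes and lists the records whose credentials need rotating or scrubbing; the regex patterns and the field names are assumptions.

```python
import csv
import io
import re

# Constructed sample of a Salesforce Case export (CSV, as Data Loader or the
# Bulk API would produce). The AWS values are Amazon's documented example keys.
SAMPLE_EXPORT = """Id,Subject,Description
500000000000001,Login issue,User cannot log in after a password reset.
500000000000002,S3 sync failing,Tried key AKIAIOSFODNN7EXAMPLE with secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
500000000000003,Warehouse access,Connect to xy12345.snowflakecomputing.com with password: Hunter2!
"""

# Assumed secret formats; tune to the credential types your org actually issues.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)secret\W+[A-Za-z0-9/+=]{40}\b"),
    "snowflake_account_host": re.compile(r"\b[a-z0-9.\-]+\.snowflakecomputing\.com\b", re.I),
    "password_literal": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}

def redact(value):
    """Keep only a prefix/suffix so the report itself does not leak the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_export(csv_text, fields=("Subject", "Description")):
    """Return one finding per secret-like match in the given free-text fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in fields:
            for name, pattern in PATTERNS.items():
                for match in pattern.finditer(row.get(field) or ""):
                    findings.append({
                        "record_id": row["Id"],
                        "field": field,
                        "type": name,
                        "match": redact(match.group(0)),
                    })
    return findings

def records_to_review(findings):
    """Record Ids whose free text holds something to rotate or scrub, for triage."""
    return sorted({f["record_id"] for f in findings})

if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['record_id']}\t{f['field']}\t{f['type']}\t{f['match']}")
    print("records to review:", records_to_review(results))
```

Run it against a real export of every object the Drift integration could read (Case, Account, Opportunity, custom objects), and treat every hit as a credential to rotate, not just a field to clean.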

The scale of the attack prompted federal authorities to step in. The FBI recently released an advisory warning about the UNC6040 and UNC6395 threat actors, sharing IOCs discovered during the attacks.

Although SolarWinds itself is not compromised, the company emphasized that it is taking the matter seriously: “Given the critical nature of this incident, we are treating it as a high-priority concern. We have reviewed our security protocols and have confirmed the integrity of our systems and data. We are continuously monitoring the situation.”
