Cyberside Chats: Cybersecurity Insights from the Experts

The Saga Continues: More Dirt on the Salesforce–Drift Breach



When we first covered the Salesforce–Drift breach, we knew it was bad. Now it’s clear the impact is even bigger. Hundreds of organizations — including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, Rubrik, and even financial firms like Wealthsimple — have confirmed they were affected. The root cause? A compromised GitHub account that opened the door to Drift’s AWS environment and gave attackers access to Salesforce and other cloud integrations. 

In Part 2, Sherri Davidoff and Matt Durrin dig into the latest updates: what’s new in the investigation, why more victim disclosures are coming, and how the GitHub compromise ties into a wider trend of supply chain attacks like GhostAction. They also share practical advice for what to do if you’ve been impacted by Drift — or if you want to prepare for the next third-party SaaS compromise. 

Tips for SaaS Incident Response: 

  1. Treat this as an incident: don’t wait for vendor confirmation before acting. There may be delays in vendor disclosure, so act quickly.
  2. Notify your cyber insurance provider:
    • Provide notice as soon as possible.
    • Insurers may share early IOCs, coordinate with vendors, and advocate for your org alongside other affected clients.
    • They can also connect you with funded IR and legal resources.
  3. Engage external support:
    • Bring in your IR firm to investigate and document.
    • Work with legal counsel to determine if notification obligations are triggered.
  4. Revoke and rotate credentials:
    • Cycle API keys, OAuth tokens, and active sessions.
    • Rotate credentials for connected service accounts.
  5. Inventory your data:
    • Identify what sensitive Salesforce (or other SaaS) data is stored.
    • Check whether support tickets, logs, or credentials were included.
  6. Search for attacker activity:
    • Review advisories for malicious IPs, user agents, and behaviors.
    • Don’t rely solely on vendor-published IOCs — they may be incomplete.



Cyberside Chats: Cybersecurity Insights from the Experts, by Chatcyberside
