Hackers have used a chatbot developed by Salesloft Inc. to access a large number of Salesforce environments and download their contents.

Salesloft and Google LLC disclosed the breach last Thursday. The search giant determined that the threat actor behind the hacking campaign, which is tracked as UNC6395, downloaded “large volumes of data from numerous corporate Salesforce instances.”

Atlanta-based Salesloft provides a popular cloud platform that companies use to manage their sales efforts. The software stores data about deal opportunities, tracks the performance of customer acquisition initiatives and performs related tasks. Salesloft disclosed in April that its user base includes more than 5,000 companies.

The breach affected a component of the platform called Drift. It’s a chatbot that can field questions from potential customers who visit a company’s website, as well as estimate the likelihood that they will make a purchase. Drift includes a connector that syncs information provided by prospects to a company’s Salesforce environment.

The chatbot uses a technology called OAuth to establish connections to Salesforce. It allows applications to verify that they’re not malicious before exchanging data. According to Salesloft, the hackers gained access to its OAuth credentials and used them to access customers’ Salesforce environments. Customers who don’t use the company’s Drift chatbot were not affected.

After gaining access to organizations’ Salesforce environments, the hackers used requests written in the cloud giant’s SOQL query language to extract sensitive data. “The actor searched through the data to look for secrets that could be potentially used to compromise victim environments,” researchers from Google’s GTIG cybersecurity team and Mandiant business wrote in a blog post Tuesday. “GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.”

The hackers attempted to hide their tracks in various ways. According to Google, they used IP addresses associated with popular cloud platforms to process malicious network requests and camouflaged the traffic using Tor. The hackers also deleted files that contained information about the queries they ran in customer environments.

“UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure,” the Google researchers wrote.

Salesloft estimates that the hacking campaign ran from Aug. 8 until “at least” last Monday. Last Wednesday, the company shut down the vulnerable OAuth connections that linked Drift to customers’ Salesforce environments. It has also released multiple indicators of compromise, data points about the hacking campaign that companies can use to determine if they were affected.

“Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation,” Google’s researchers wrote. 

Image: Salesloft