Market Impact: 0.68

Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce

GOOGL, GOOG, CRM, ZS, PANW, PD
Cybersecurity & Data Privacy | Technology & Innovation | Company Fundamentals

A widespread cyberattack, attributed to UNC6395, is leveraging compromised OAuth tokens from Salesloft Drift integrations to breach Salesforce instances and, in some cases, Google Workspace email accounts. Google, which identified the threat, has advised all Salesloft Drift customers to consider authentication tokens compromised, leading to Salesforce temporarily disabling all Salesloft integrations. High-profile victims include Zscaler and Palo Alto Networks, which reported theft of business contact information and support case data, with attackers actively seeking credentials for expanded access. This incident underscores a critical need for rigorous OAuth token management and third-party integration security across enterprises, given the expanding attack surface and potential for sensitive data exfiltration.

Analysis

A widespread data theft campaign, attributed to threat actor UNC6395, is exploiting compromised OAuth tokens from Salesloft Drift integrations, creating a significant security event with a broadening attack radius. The breach is not contained to a single platform; Google's Threat Intelligence Group confirmed it impacts all Salesloft Drift integrations and led to unauthorized access of a small number of Google Workspace email accounts, though not a compromise of Google's core systems. The primary impact is on customer Salesforce instances, prompting Salesforce to temporarily disable all Salesloft integrations, a move that signals severe operational disruption for mutual clients. High-profile cybersecurity firms Zscaler and Palo Alto Networks, along with PagerDuty and others, have confirmed they are victims, with attackers exfiltrating sensitive business contact details, sales data, and content from support cases. The involvement of Zscaler (ZS) and Palo Alto Networks (PANW), both leaders in security, underscores the sophisticated nature of the threat and the systemic risk posed by chained third-party application permissions. The negative sentiment scores for CRM (-0.6), ZS (-0.7), and PANW (-0.6) reflect the market's concern over reputational damage and the potential costs of remediation.