
Supply Chain Attack on Drift via OAuth Token Theft

1 unique source, 2 articles

Summary


A supply chain attack targeted Drift, a marketing software-as-a-service chatbot owned by Salesloft, and resulted in the mass theft of OAuth tokens from multiple companies. Salesloft took Drift offline on September 5, 2025, to review and enhance its security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, used the stolen OAuth tokens to access Salesforce data, and evidence now confirms that over 700 organizations were impacted.

The attacker bypassed MFA entirely: presenting a legitimate OAuth token already granted to Drift gave access to Salesforce data without any login, so UNC6395 could systematically export data and search it for credentials such as AWS access keys, Snowflake tokens, and passwords across affected organizations. The attack showed that an OAuth grant can be weaponized even when both the app and the token were legitimate when issued, underscoring the risks of third-party integrations. The full scope of the breach is still being assessed, but the lesson is already clear: trusting an app at installation does not guarantee its ongoing trustworthiness, and OAuth grants require active, continuous monitoring rather than passive acceptance. Security teams are urged to adopt tools that give visibility into OAuth-connected applications, monitor their behavior over time, and enable rapid response.
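The summary's point is that the token was valid and the app was trusted, so only the app's behavior over time could have revealed the abuse. The following is an added example (not code from the page, Salesloft, or Salesforce) of the kind of behavioral baseline a defender can run over connected-app API activity: it compares one day's per-app row volume against the median of prior days and flags objects an app has never queried before. The record layout and the field names are assumptions for this example, not a real Event Monitoring schema, and all records are constructed. It also includes a small scan for AWS-access-key-shaped strings in stored case text, since the summary notes that attackers searched exported data for exactly such values; finding them first is a hygiene check, not a detection.

```python
"""Behavioral baseline for OAuth connected apps (added example, constructed data)."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, connected_app, object_queried, rows_returned).
# The tuple layout is an assumption for this example, not a vendor log format.
EVENTS = [
    ("2025-08-01", "Drift", "Lead", 120),
    ("2025-08-02", "Drift", "Lead", 140),
    ("2025-08-03", "Drift", "Contact", 95),
    ("2025-08-04", "Drift", "Lead", 130),
    ("2025-08-05", "Drift", "Lead", 110),
    ("2025-08-06", "Drift", "Contact", 100),
    ("2025-08-07", "Drift", "Lead", 125),
    # Same app, same valid token, very different behavior: bulk reads of
    # objects the integration never touched before.
    ("2025-08-08", "Drift", "Case", 250000),
    ("2025-08-08", "Drift", "Account", 180000),
    ("2025-08-08", "Drift", "User", 4200),
]

# Constructed support-case texts; the second one contains AWS's documented
# example access key ID, which is not a live credential.
CASES = [
    ("CASE-0001", "Customer cannot log in; password reset link sent."),
    ("CASE-0002", "Agent note: customer pasted temp creds AKIAIOSFODNN7EXAMPLE, remove."),
]

# AWS access key IDs are 'AKIA' followed by 16 uppercase alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def daily_totals(events):
    """Sum rows returned per (app, day)."""
    totals = defaultdict(int)
    for day, app, _obj, rows in events:
        totals[(app, day)] += rows
    return totals


def detect_anomalies(events, day, spike_factor=10):
    """Return one finding per app whose activity on `day` departs from its
    own history: a row-volume spike versus the median of earlier days, or
    access to objects never seen before that day."""
    totals = daily_totals(events)
    history_days = sorted({d for d, *_ in events if d < day})
    apps = {app for _d, app, _o, _r in events}
    findings = []
    for app in sorted(apps):
        history = [totals.get((app, d), 0) for d in history_days]
        seen = {o for d, a, o, _r in events if a == app and d < day}
        today = {o for d, a, o, _r in events if a == app and d == day}
        today_rows = totals.get((app, day), 0)
        base = median(history) if history else 0
        # max(base, 1) keeps an app with no history from dividing by zero
        # and still flags any non-trivial first-day volume.
        spike = today_rows > spike_factor * max(base, 1)
        new_objects = sorted(today - seen)
        if spike or new_objects:
            findings.append({
                "app": app,
                "day": day,
                "rows": today_rows,
                "baseline_median": base,
                "volume_spike": spike,
                "new_objects": new_objects,
            })
    return findings


def find_key_shaped_values(records):
    """Return (record_id, match) for every AWS-access-key-shaped string."""
    return [(rid, m.group(0)) for rid, text in records for m in AWS_KEY_RE.finditer(text)]


if __name__ == "__main__":
    for f in detect_anomalies(EVENTS, "2025-08-08"):
        print(f"{f['app']} on {f['day']}: {f['rows']} rows "
              f"(median {f['baseline_median']}), new objects {f['new_objects']}")
    for rid, key in find_key_shaped_values(CASES):
        print(f"{rid}: credential-shaped value {key[:8]}... stored in case text")
```

The baseline is deliberately per app rather than per user, because the actor here never logged in as a user; the only principal in the logs is the connected app itself. A real deployment would also key on the token or client identifier and alert on the first anomalous batch rather than at end of day.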

Timeline

  1. 08.09.2025 13:02 · 2 articles

    Salesloft Takes Drift Offline Due to OAuth Token Theft

    On September 5, 2025, Salesloft took Drift offline to address a security incident involving the theft of OAuth tokens. The attack affected multiple companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data, with confirmed access to over 700 organizations. The incident demonstrated that OAuth grants can be weaponized even when the app and token were initially legitimate, as the attacker bypassed MFA entirely by presenting a legitimate OAuth token already granted to Drift. This highlighted the critical need for continuous behavioral monitoring of OAuth-connected applications and robust security measures in enterprise defenses.


Similar Happenings

Compromise of Third-Party AI Tool via Infostealer Leads to Vercel Breach and OAuth Token Theft Chain

Vercel remains under assessment following a sophisticated attack chain that began with the compromise of third-party AI tool vendor Context.ai via an infostealer. The breach was enabled by an OAuth token tied to a Vercel employee’s Google Workspace account, granting access to non-sensitive environment variables and internal systems. Context.ai acknowledged the theft of OAuth tokens, including those used in consumer-facing integrations. Vercel, collaborating with Mandiant, has notified affected customers and issued advisories emphasizing MFA enforcement, credential rotation, and review of non-sensitive environment variables. A threat actor allegedly linked to ShinyHunters attempted to extort Vercel for $2 million. The incident highlights systemic risks from shadow AI integrations and OAuth sprawl. Context.ai’s breach originated from an infostealer infection on an employee’s system after searching for gaming cheats, leading to the theft of OAuth tokens. The compromised Vercel employee account had broad permissions, including access to internal dashboards, API keys, and GitHub tokens. Broader industry trends show attackers increasingly exploiting OAuth connections at scale, with campaigns like Scattered Lapsus$ Hunters targeting major enterprises via OAuth-driven supply chain attacks and phishing. Security experts recommend default-deny policies for OAuth integrations and routine audits to mitigate these risks.

Rockstar Games analytics data exfiltrated via third-party Snowflake compromise linked to Anodot breach

The extortion group ShinyHunters has expanded its campaign tied to the Anodot breach, claiming unauthorized access to Vimeo’s systems and threatening to leak data unless a ransom is paid. The attack leverages authentication tokens stolen from Anodot to compromise downstream victims, including Vimeo and Rockstar Games. Vimeo confirmed that exposed data included email addresses, technical data, video titles, and metadata, but excluded video content, credentials, and payment information. Operations remained unaffected, and Vimeo disabled Anodot integration and launched an investigation with law enforcement. Rockstar Games previously acknowledged a limited breach linked to the same third-party incident, with ShinyHunters leaking approximately 78.6 million records of internal analytics data. The compromised datasets included in-game revenue metrics, player behavior tracking, and Zendesk support analytics, with Rockstar asserting no operational impact.

Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS

Since mid-February 2026, a large-scale device code phishing campaign has targeted Microsoft 365 across at least 340 organizations in over 10 countries, escalating 37.5x in early April. The campaign abuses OAuth device authorization flows via the EvilTokens PhaaS platform and at least 10 additional phishing kits (VENOM, DOCUPOLL, SHAREFILE, etc.), granting persistent access tokens even after password resets. Attacks incorporate anti-bot evasion, multi-hop redirect chains via vendor services, and SaaS-themed lures, while mitigation focuses on disabling device code flows and monitoring anomalous authentications. Credential exposures like the Figure breach (967,200 email records) enable follow-on campaigns—credential stuffing, AI-generated phishing, and help desk social engineering—that bypass legacy MFA through real-time phishing relays and social engineering. Legacy MFA and even FIDO2 passkeys are structurally unable to prevent these attacks, which rely on human judgment at critical control points. Phishing-resistant authentication requires cryptographic origin binding, hardware-bound keys, and live biometric verification to close relay and delegation vectors.

ManoMano Data Breach Affects 38 Million Customers via Third-Party Service Provider

ManoMano, a European DIY e-commerce platform, disclosed a data breach impacting 38 million customers. The breach occurred in January 2026 due to unauthorized access to a third-party customer service provider. Exposed data includes full names, email addresses, phone numbers, and customer service communications. The stolen data includes information associated with 37.8 million ManoMano user accounts, over 900,000 service tickets, and over 13,000 attachments, pertaining to users across France, Germany, Italy, Spain, and the United Kingdom. No account passwords were compromised. The company has taken steps to secure its environment and notified relevant authorities and affected customers. The breach was claimed by an individual using the alias 'Indra' on a hacker forum, alleging the theft of 37.8 million user accounts and thousands of support tickets. The compromised service provider is reportedly a Tunis-based customer support firm that suffered a Zendesk breach.

Hackers Exploit Misconfigured Security Testing Apps to Breach Cloud Environments

Threat actors are exploiting misconfigured security testing applications, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors. These applications, intended to be intentionally vulnerable for training and testing, pose a significant risk when exposed on the public internet and executed from privileged cloud accounts. Pentera researchers discovered 1,926 live, vulnerable applications linked to overly privileged IAM roles, deployed on AWS, GCP, and Azure. Many instances used default credentials and exposed cloud credential sets, allowing attackers to deploy crypto miners, webshells, and gain admin access to cloud environments. Active exploitation was confirmed, with evidence of crypto mining using XMRig, deployment of webshells, and advanced persistence mechanisms. Security vendors such as F5, Cloudflare, and Palo Alto Networks were among those affected. Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP. Approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.