HackerOne Confirms Breach in Ongoing Salesforce Supply Chain Attack
- Marijan Hassan - Tech Journalist
- Sep 16
The bug bounty and vulnerability coordination platform HackerOne has confirmed it was also breached in a widespread cyberattack campaign targeting customers of Salesforce. The company, known for its "Default to Disclosure" policy, issued a public statement acknowledging that a subset of records in its Salesforce instance was accessed by an unauthorized party.

The breach did not occur through a direct attack on HackerOne's systems but rather through a compromised third-party application called Drift, owned by Salesloft.
According to a company blog post, HackerOne's security team was alerted to a potential compromise by Salesforce on August 22, with confirmation from Salesloft the following day. The attackers abused OAuth tokens belonging to the Drift application to gain unauthorized access to the Salesforce environments connected to it.
"HackerOne's investigation is ongoing, but we can confirm that a subset of records in our Salesforce instance was accessed via a compromise of the Drift application," the company stated.
Growing list of victims
This incident is part of a broader, sophisticated campaign that has affected hundreds of companies across various sectors. Multiple other cybersecurity firms, including Cloudflare, Proofpoint, SpyCloud, Tanium, and Tenable, have also publicly confirmed that they were victims of the same attack vector.
The threat actor, tracked by Google's Mandiant as UNC6395, is reportedly targeting organizations to harvest credentials, access keys, and other sensitive business data.
The attacks rely on a supply chain model, where a weakness in a single, widely used third-party application provides a gateway to a large number of connected customers. Security researchers have noted that the breaches do not stem from a vulnerability in the core Salesforce platform itself, but rather from the exploitation of third-party app integrations and social engineering tactics such as "vishing" (voice phishing).
HackerOne emphasized that its core business was not impacted, and it has "no reason to suspect that the incident impacted or exposed any customer vulnerability data."
The company is currently conducting a forensic analysis to determine the exact nature of the records that were accessed and has committed to directly notifying any customers who are identified as being affected.