North Korean Hackers Steal $285 Million from Drift in Months-Long Social Engineering Attack On April 1, 2026, decentralized exchange (DEX) Drift suffered a $285 million theft, the result of a six-month-long social engineering operation orchestrated by North Korea’s state-sponsored hacking group UNC4736 (also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces). The attack, which began in fall 2025, was meticulously planned, leveraging third-party intermediaries to build trust with Drift contributors before executing the breach. ### The Attack: A Structured Intelligence Operation UNC4736, active since at least 2018, has a history of targeting cryptocurrency platforms, including the 2023 X_TRADER/3CX supply chain breach and the $53 million Radiant Capital hack in October 2024. The Drift attack followed a similar playbook: 1. Initial Contact (Fall 2025) – Operatives posing as a quantitative trading firm approached Drift contributors at major crypto conferences worldwide, establishing rapport over months. 2. Onboarding & Trust-Building (Dec 2025–Mar 2026) – The group deposited over $1 million into Drift’s ecosystem, engaging in detailed technical discussions to appear legitimate. 3. Compromise (Early 2026) – Two likely infection vectors were identified: - A malicious VS Code repository shared under the guise of a vault frontend, exploiting the "tasks.json" file to execute code upon opening. - A weaponized wallet app distributed via Apple’s TestFlight, tricking a contributor into downloading it. By the time of the attack, Telegram chats and malware were deleted, obscuring the exact intrusion method. ### North Korea’s Cyber Operations: A Fragmented, Resilient Threat The Drift breach underscores North Korea’s evolving cyber strategy, which has shifted toward compartmentalized, mission-driven operations to evade attribution. According to DomainTools Investigations (DTI), the regime’s malware ecosystem is now divided into three key tracks: - Espionage (Kimsuky) – Focused on intelligence gathering. - Financial Theft (Lazarus Group) – Primary revenue source for sanctions evasion. - Disruptive Attacks (Andariel) – Ransomware and wiper malware for strategic signaling. This fragmented approach ensures that exposure in one operation does not compromise others, complicating defense efforts. ### Social Engineering & IT Worker Fraud: The Human Factor UNC4736’s success relied heavily on deception, including: - Contagious Interview – A long-running campaign where targets are tricked into executing malicious code from fake repositories (e.g., DEV#POPPER RAT, OmniStealer). - IT Worker Fraud – North Korean operatives infiltrate Western companies using stolen identities, AI-generated personas, and falsified credentials, often through third-party recruiters in China and Russia. Once hired, they siphon funds, deploy malware, and exfiltrate data. Recent investigations by Flare and IBM X-Force reveal the scheme’s global expansion, with Iranian, Syrian, Lebanese, and Saudi nationals now being recruited. Facilitators use LinkedIn to hire "callers" individuals trained to impersonate Western personas during interviews. The regime’s primary targets include U.S. defense contractors, crypto exchanges, and financial institutions, suggesting both financial and strategic motives. ### Cryptocurrency: The Lifeline for North Korea’s Regime Chainalysis reports that cryptocurrency remains central to North Korea’s revenue streams, with IT worker schemes funneling wages back to Pyongyang while bypassing sanctions. The Drift hack alone demonstrates the scale and sophistication of these operations, reinforcing North Korea’s position as a top-tier cyber threat.

Threat Actors Exploit Modified AuraInspector Tool to Harvest Data from Misconfigured Salesforce Sites On March 10, 2026, Salesforce’s Cybersecurity Operations Center (CSOC) warned of a campaign in which threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the AuraInspector tool. Originally developed by Google/Mandiant, AuraInspector is an open-source command-line utility designed to audit Salesforce Aura and Experience Cloud applications for data exposure risks by simulating unauthenticated or guest user access. Attackers have adapted the tool to exploit overly permissive guest user settings, enabling them to extract sensitive CRM data including Accounts, Contacts, and Leads via exposed Aura endpoints, record lists, or GraphQL controllers. While the original AuraInspector only identifies vulnerabilities, the modified version actively harvests data from misconfigured environments. Salesforce confirmed that the activity does not stem from a platform vulnerability but rather from customer misconfigurations, particularly in Experience Cloud guest user permissions. Exposed data could be leveraged for targeted social engineering or vishing attacks. The company attributes the campaign to a known threat actor group, potentially ShinyHunters, which has previously targeted Salesforce environments through third-party applications. Salesforce advises organizations to review and secure guest user settings, restrict public access, disable unnecessary APIs, and monitor logs to mitigate risks.

Telus Digital Confirms Major Data Breach After ShinyHunters Claims 1 Petabyte Theft Canadian business process outsourcing (BPO) provider Telus Digital has confirmed a security incident after the threat group ShinyHunters claimed to have stolen nearly 1 petabyte of data in a prolonged breach. Telus Digital, a subsidiary of telecom giant Telus, offers customer support, AI data services, content moderation, and other outsourced operations to global clients, making it a prime target for attackers seeking broad access to corporate and customer data. The breach was first reported in January, when BleepingComputer contacted Telus but received no response. On June 10, Telus acknowledged the incident, stating it had detected unauthorized access to a limited number of systems and had taken immediate steps to secure them. The company confirmed that business operations remain unaffected, with no disruption to customer connectivity or services. Telus has engaged cybersecurity forensics experts and is collaborating with law enforcement while notifying impacted customers as the investigation progresses. ShinyHunters, a prolific extortion group, claims the breach began after obtaining Google Cloud Platform credentials from data stolen in the 2023 Salesloft Drift breach. That incident involved the theft of Salesforce data from 760 companies, including support tickets containing credentials later exploited to infiltrate additional platforms. Using these credentials, ShinyHunters accessed Telus systems, including a BigQuery instance, and used tools like TruffleHog to extract further credentials, enabling deeper access. The stolen data allegedly includes: - BPO-related records (customer support logs, agent performance metrics, AI tools, fraud detection systems, and content moderation data) - Source code, FBI background checks, financial information, and Salesforce data - Voice recordings of support calls for multiple companies - Telus consumer telecom data, including call records (timestamps, durations, phone numbers, and metadata) ShinyHunters shared a list of 28 well-known companies allegedly impacted, though these claims remain unverified. The group attempted to extort Telus in February, demanding $65 million to prevent data leaks, but the company did not engage. ShinyHunters has been linked to numerous high-profile breaches, including Google, Cisco, PornHub, and Match Group, often targeting Salesforce and cloud SaaS environments. The group has also conducted voice phishing (vishing) attacks, tricking employees into revealing credentials and MFA codes to hijack SSO accounts for platforms like Microsoft 365, Google Workspace, and Slack. Recent tactics include device code vishing to obtain Microsoft Entra authentication tokens.

The Salesloft breach originated from a compromise where threat actors stole Salesforce Drift tokens, enabling unauthorized access to Salesforce and Cloudflare systems, along with other connected enterprises. This supply chain attack cascaded across multiple organizations, exposing sensitive data and raising concerns about third-party risk management. The breach exploited vendor vulnerabilities, highlighting gaps in MSSP threat preparedness and external threat visibility. While the exact data compromised was not detailed, the incident involved large-scale credential theft and unauthorized system access, potentially affecting customer and operational data across dependent enterprises. The attack underscored the risks of shadow integrations and unpatched third-party exposures, emphasizing the need for real-time monitoring and autonomous risk assessment in supply chains.

The Salesloft-Drift OAuth incident involved attackers stealing OAuth tokens from Salesloft’s development platform, exploiting them to access customer data across integrated applications like Salesforce and Google Workspace. The breach, executed by the threat group UNC6395, leveraged voice phishing (vishing) to trick administrators into authorizing malicious apps, bypassing multi-factor authentication (MFA). Over 700 organizations were impacted as the compromised tokens enabled attackers to exfiltrate sensitive customer information, leading to widespread revocation of Drift integrations. The incident exposed systemic risks in SaaS supply chains, where trusted third-party integrations became attack vectors, enabling potential data theft, cloud credential abuse, outages, or ransomware. Beyond immediate data exposure, the breach triggered forensic investigations, regulatory fines, lawsuits, reputational damage, and operational disruptions, highlighting the cascading risks of N-th degree vendor dependencies in modern cybersecurity ecosystems.

Salesloft’s Drift platform—a widely used AI-powered chatbot and marketing SaaS tool—was compromised in a large-scale supply chain attack by the threat cluster UNC6395 (GRUB1). Attackers exploited stolen OAuth and refresh tokens tied to Drift to breach over 700 organizations, primarily by infiltrating their Salesforce instances and potentially other integrated platforms. The breach enabled mass theft of authentication tokens, exposing customer credentials and sensitive data for future targeted attacks. Salesloft responded by temporarily taking Drift offline to mitigate risks, while Salesforce preemptively disabled all Salesloft integrations. Companies like Cloudflare confirmed the incident was part of a coordinated campaign to harvest credentials for follow-on attacks. The initial access vector remains undisclosed, but the scale suggests systemic vulnerabilities in Drift’s security architecture, risking long-term reputational damage, financial fraud, and operational disruptions across affected enterprises.

The Salesloft Drift breach expanded beyond initial estimates, revealing that attackers exploited stolen OAuth tokens not only to access Salesforce customer instances (including sensitive tables like Cases, Accounts, Users, and Opportunities) but also to compromise a small number of Google Workspace email accounts via the Drift Email integration. The threat actors, tracked as UNC6395, scanned support tickets and messages for AWS access keys, Snowflake tokens, and passwords, likely for future extortion or lateral movement into other cloud environments. Google confirmed the breach was broader than first disclosed, affecting third-party integrations beyond Salesforce. While no Google Workspace or Alphabet systems were directly compromised, the stolen tokens were revoked, and the Drift-Google Workspace integration was disabled pending investigation. Salesloft, with assistance from Mandiant and Coalition, disabled Drift integrations with Salesforce, Slack, and Pardot as a precaution. Customers were advised to rotate all authentication tokens linked to Drift and audit connected systems for unauthorized access. The incident highlights risks in OAuth-based supply chain attacks, where compromised third-party credentials enable deep access to enterprise systems, exposing customer data, internal communications, and cloud credentials to potential misuse in follow-on attacks.

OneDigital Data Breach Exposes Client Personal Information via Compromised Drift Application Between August 12 and August 18, 2025, a data breach at OneDigital Investment Advisors exposed sensitive client information after threat actors compromised the Drift application a tool managed by Salesloft and integrated with Salesforce, OneDigital’s customer relationship management (CRM) platform. The breach was discovered on August 22, 2025, when Salesforce notified OneDigital of the security incident. An investigation revealed that unauthorized parties accessed and copied data, including client names and Social Security numbers. While the breach stemmed from a third-party vulnerability, OneDigital confirmed its internal networks remained unaffected. Notifications to impacted individuals began on April 8, 2026, as OneDigital filed disclosures with regulatory authorities, including the Maine Attorney General’s Office. The incident has since drawn legal scrutiny, with attorneys exploring potential class action lawsuits on behalf of affected clients to seek compensation for privacy violations, financial losses, and other damages. OneDigital, which provides insurance, financial services, and HR consulting, has not disclosed the total number of individuals affected. The breach underscores the risks of third-party integrations in enterprise software ecosystems.

The Great SaaS Breach of 2025: How a Single OAuth Token Compromised 700+ Organizations A new report from Grip Security reveals alarming trends in SaaS security, analyzing 23,000 SaaS environments and uncovering critical vulnerabilities. Every company examined operates AI-embedded SaaS applications, with a 490% year-over-year surge in public SaaS attacks. 80% of incidents involve PII or customer data, but the most concerning finding is the average organization’s exposure to 140 AI-enabled SaaS environments each a potential vector for cascading breaches. The Salesloft Drift incident, dubbed the "Great SaaS Breach of 2025," exemplifies this risk. UNC6395 attackers compromised Salesloft’s GitHub repositories, then pivoted to Drift’s AWS environment, stealing OAuth and refresh tokens used by customers to connect the Drift Chatbot to Salesforce, Slack, and other apps. With a legitimate OAuth token, the attackers impersonated Drift, breaching Salesforce installations across 700+ organizations, including Cloudflare, Palo Alto Networks, Zscaler, and CyberArk. The attack exploited shadow AI AI embedded in SaaS apps without formal oversight where businesses unknowingly adopt agentic AI for efficiency, often without auditing security implications. OAuth tokens, treated as routine access credentials, became the weak link. Once stolen (often via infostealers), they granted attackers unhindered access, enabling them to cascade through connected systems via IdentityMesh a unified authentication flaw that links multiple AI environments. The report warns that 2026 could see even larger breaches, as autonomous workflows outpace security controls. While regulations are emerging, they remain fragmented, conflicting, and unevenly enforced. The solution, according to Grip, lies in dynamic governance: replacing static approvals with continuous oversight, discovery, and risk-based controls to treat AI as a managed third-party risk. The incident underscores that AI is not a future threat but a present one, reshaping business risk and without proactive measures, the blast radius of a single breach will only grow.