
Supply chain risk readiness

Published:

Like many companies, we received notification from Salesforce in late August about unusual activity involving the Drift app, published by Salesloft. 

This widely-reported supply-chain incident resulted from a security breach at Drift’s parent company, Salesloft. No Algolia services or infrastructure were compromised.

We’re sharing our experience responding to this incident to help other organizations, including our competitors, improve the maturity of their own incident response procedures. 

Prepared for action

Our incident readiness investments are a primary reason why our security team was able to immediately investigate and confirm that no customer data was impacted. Although it’s critical to have a documented response plan, a plan alone is not enough.

We’ve also spent the past several years building the technical and cultural ability to make the right business decisions quickly. These investments include data classification tools, SaaS Security Posture Management (SSPM), data loss prevention (DLP) tooling, and other controls.

In the case of this incident, our previous investments enabled us to confidently take the following steps: 

  1. Invalidated all active Drift and Salesloft tokens.

  2. Removed Drift from the company website, severed all connections with the app, and terminated our contract with Salesloft.

  3. Examined all third-party connections to our Salesforce environment.

  4. Conducted a thorough investigation beginning with the indicators of compromise (IOCs) provided by the Mandiant/Google Threat Intelligence Group. We did not observe any unique IOCs outside those publicly provided. 
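The four steps above are the shape of a third-party token-compromise response: cut off the severed integrations, inventory every other connected app, and sweep activity logs for the published indicators of compromise. The script below is an added illustration of that sweep and is not Algolia's tooling; it assumes a CSV export of Salesforce login/API activity with the columns shown, and every IOC value, log record and address in it is a constructed placeholder rather than an indicator from the Mandiant/Google Threat Intelligence Group report.

```python
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed placeholder IOCs. For a real exercise, replace these with the
# indicators published in the Mandiant/Google Threat Intelligence Group report.
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]
IOC_USER_AGENT_SUBSTRINGS = ["example-bulk-fetcher/1.0"]

# Integrations the post says were severed; every token issued to them gets revoked.
SEVERED_APPS = {"Drift", "Salesloft"}

# Constructed sample export resembling a Salesforce login/API activity log.
SAMPLE_LOG = """\
timestamp,username,source_ip,user_agent,connected_app,status
2025-08-20T10:00:00Z,alice@example.com,192.0.2.10,Mozilla/5.0,,Success
2025-08-20T10:05:00Z,integration@example.com,203.0.113.45,example-bulk-fetcher/1.0,Drift,Success
2025-08-20T10:06:00Z,integration@example.com,203.0.113.46,example-bulk-fetcher/1.0,Drift,Success
2025-08-20T11:00:00Z,bob@example.com,192.0.2.11,Mozilla/5.0,Slack,Success
2025-08-21T09:00:00Z,svc@example.com,198.51.100.7,python-client/1.0,Salesloft,Failure
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    username: str
    source_ip: str
    connected_app: str
    reasons: tuple[str, ...]  # which IOC categories matched this record


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into one dict per activity record."""
    return list(csv.DictReader(io.StringIO(text)))


def ioc_reasons(record: dict) -> tuple[str, ...]:
    """Return the IOC categories (ip, user agent) that this record matches."""
    reasons = []
    try:
        ip = ipaddress.ip_address(record["source_ip"])
    except ValueError:
        ip = None  # malformed address: never silently treat it as clean
    if ip is not None and any(ip in net for net in IOC_NETWORKS):
        reasons.append("ioc_ip")
    if any(s in record.get("user_agent", "") for s in IOC_USER_AGENT_SUBSTRINGS):
        reasons.append("ioc_user_agent")
    return tuple(reasons)


def match_iocs(records: list[dict]) -> list[Finding]:
    """Step 4: sweep every record against the published indicators."""
    findings = []
    for r in records:
        reasons = ioc_reasons(r)
        if reasons:
            findings.append(Finding(r["timestamp"], r["username"], r["source_ip"],
                                    r["connected_app"], reasons))
    return findings


def third_party_apps(records: list[dict]) -> set[str]:
    """Step 3: inventory of every connected app seen in the log, severed or not."""
    return {r["connected_app"] for r in records if r["connected_app"]}


def tokens_to_revoke(records: list[dict], severed: set[str] = SEVERED_APPS) -> set[tuple[str, str]]:
    """Steps 1-2: (app, user) pairs whose tokens must be invalidated."""
    return {(r["connected_app"], r["username"]) for r in records if r["connected_app"] in severed}


def unmatched_severed_activity(records: list[dict], severed: set[str] = SEVERED_APPS) -> list[dict]:
    """Severed-app activity that matches no published IOC. A non-empty result
    means the environment saw indicators beyond the public list and those
    need their own analysis; an empty result is the 'no unique IOCs' outcome."""
    return [r for r in records if r["connected_app"] in severed and not ioc_reasons(r)]


def triage(text: str) -> dict:
    """Run the whole sweep over one export and return the worklist."""
    records = parse_log(text)
    return {
        "apps": third_party_apps(records),
        "revoke": tokens_to_revoke(records),
        "findings": match_iocs(records),
        "unmatched": unmatched_severed_activity(records),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("connected apps to review:", sorted(result["apps"]))
    print("tokens to revoke:", sorted(result["revoke"]))
    for f in result["findings"]:
        print("IOC hit:", f)
    print("severed-app activity outside public IOCs:", len(result["unmatched"]))
```

On the constructed sample, the Drift and Salesloft records all hit a published IOC and `unmatched` is empty, which is the situation the post describes; the `Failure` status row is still reported, because a failed login from an indicator address is evidence of attempted use even when nothing was accessed. Exact-substring matching on user agents is deliberately simple; a real hunt would also key on the session and API-call events, not only logins.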

Investigation findings

Over the past year, we continued upgrading our logging pipeline and Security Information and Event Management (SIEM) tooling, alongside other routine improvements to our information security program. As a result, we were able to conduct a thorough forensic investigation of our own that went beyond what Salesloft reported.

We found that the data accessed by those who attacked Salesloft was limited to our Salesforce CRM and Algolia’s business records, including commonly available business contact information, account and conversation data, summary fields and basic case information prepared by Algolia team members. 

We also know that data we process on behalf of our customers was not affected, including API keys, credentials, session recordings, passwords and secrets, and documents and files. 

Third-Party risk readiness

This incident underscores how important it is for every company to be prepared for similar supply chain incidents. Our security teams were able to respond as quickly and as thoroughly as they did because we were proactive and prepared.

For more information about the root cause of the Salesloft breach, please review the report from Mandiant/Google Threat Intelligence Group.
