Salesloft Drift integration restored after probe reveals monthslong GitHub account compromise

Salesloft said it has restored the integration between its Drift platform and Salesforce after an investigation by Mandiant linked an August supply chain attack to the compromise of Salesloft’s GitHub account, according to an update on its website on Sunday.

A threat group tracked as UNC6395 abused Salesloft Drift to launch a credential harvesting campaign in August, targeting hundreds of Salesforce instances using compromised OAuth tokens.   

The Mandiant investigation showed the attacker gained access to the Salesloft GitHub account between March and June 2025, according to a Saturday update by Salesloft. After gaining access, the attacker downloaded content from multiple repositories and was able to establish workflows, according to the Salesloft post. 

Between March and June, hackers conducted reconnaissance activities in the Salesloft and Drift application environments.

“The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customer’s technology integrations,” Salesloft said in the post. 

Researchers warned last month that the credential harvesting attack on Salesloft was likely a precursor to additional attacks in the future. 

Several major security companies last week confirmed they were impacted by the supply chain attack as downstream customers. Palo Alto Networks, Zscaler, Proofpoint and Cloudflare all confirmed their Salesforce instances had been compromised by the campaign. 


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.