Salesloft says attackers first breached its GitHub account in March, leading to the theft of Drift OAuth tokens later used in widespread Salesforce data theft attacks in August.
Salesloft is a widely used sales engagement platform that helps companies manage outreach and customer communications. Its Drift platform is a conversational marketing tool that integrates chatbots and automation into sales pipelines, including integrations with platforms like Salesforce.
The two have been at the center of a major supply-chain-style breach first disclosed in late August, with Google’s Threat Intelligence Group attributing the attacks to UNC6395.
However, BleepingComputer has learned that the ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks.
Breach started with GitHub
Salesloft first disclosed a security issue in the Drift application on August 21 and revealed more details about malicious exploitation of the OAuth tokens five days later.
This has led to widespread Salesforce data theft attacks on Salesloft customers, including Google, Zscaler, Cloudflare, Workiva, Tenable, JFrog, Bugcrowd, Proofpoint, Palo Alto Networks, and the list is still growing.
In the Salesloft data theft attacks, the threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets.
“Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” warned Salesloft in an August 26 update.
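Defenders responding to this pattern of theft want to know which of their own support cases carried secrets of the kinds Salesloft named, so the owners can rotate them. The following is an added example, not code from Salesloft, Mandiant, or the article: it scans a small constructed export of Salesforce-style case records for AWS access key IDs (AWS's documented AKIA format), AWS secret keys, passwords, and Snowflake tokens, and reports redacted hits per case. The field names (Subject, Description, Comments, CaseNumber) and the password/token key=value phrasings are assumptions.

```python
import re
from typing import Dict, List

# Regexes for the secret types Salesloft named. The AWS access key ID format
# (AKIA + 16 uppercase alphanumerics) is AWS's documented one; the other three
# are assumed key=value phrasings, not formats taken from the incident write-up.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?(?:access[_ -]?)?key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    "snowflake_token": re.compile(r"(?i)snowflake[_ -]?(?:access[_ -]?)?token\s*[:=]\s*(\S+)"),
}

TEXT_FIELDS = ("Subject", "Description", "Comments")  # assumed case text fields

def redact(value: str) -> str:
    """Keep a 4-char prefix so the owner can identify the secret without re-exposing it."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_case(case: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {secret_type: [redacted hits]} for one support case record."""
    findings: Dict[str, List[str]] = {}
    for field in TEXT_FIELDS:
        text = case.get(field, "")
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.setdefault(kind, []).append(redact(secret))
    return findings

def cases_needing_rotation(cases: List[Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Map CaseNumber -> findings for every case that contains at least one secret."""
    flagged: Dict[str, Dict[str, List[str]]] = {}
    for case in cases:
        found = scan_case(case)
        if found:
            flagged[case["CaseNumber"]] = found
    return flagged

# Constructed sample export; the AKIA/wJalr values are AWS's published example credentials.
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Subject": "S3 sync failing",
     "Description": "Using AKIAIOSFODNN7EXAMPLE with "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseNumber": "00001002", "Subject": "Chatbot not rendering",
     "Description": "Drift widget missing on pricing page, screenshot attached."},
    {"CaseNumber": "00001003", "Subject": "Warehouse connector",
     "Comments": "password: Winter2025! snowflake_token=sfx_EXAMPLE_TOKEN_0001"},
]

if __name__ == "__main__":
    for number, found in cases_needing_rotation(SAMPLE_CASES).items():
        print(number, found)
```

Cases 00001001 and 00001003 are flagged; 00001002 contains no secret and is left out.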
According to an investigation by Mandiant, which is aiding Salesloft in responding to its breach, the threat actors first gained access to its GitHub environment between March and June 2025.
The hackers downloaded code from multiple GitHub repositories, added guest user accounts, and created rogue workflows, setting the stage for the subsequent attack.
Mandiant confirmed that the attackers performed reconnaissance activities in Salesloft and Drift environments during the same period.
The activity escalated after the threat actors breached Drift’s AWS environment, allowing them to steal the OAuth tokens used to access customer data across technology integrations, including Salesforce and Google Workspace.
Salesloft states that it rotated credentials, hardened defenses, and verified segmentation from Drift, whose infrastructure was isolated and whose credentials were also rotated.
With the help of Mandiant, the firm conducted threat hunting and found no additional indicators of compromise, meaning that the threat actor no longer has a foothold in its environment.
Mandiant has validated containment and segmentation, and the engagement has now shifted to a forensic quality assurance review.
A subsequent update published yesterday announced the restoration of the Salesloft integration with Salesforce, following the precautionary suspension triggered by the Drift security incident.
Salesforce users can now again access the full range of Salesloft integrations, and the company provided step-by-step guidance for those who need to perform data syncing.