A sophisticated supply-chain attack that impacted over 700 organizations, including major cybersecurity firms, has been traced back to a compromise of Salesloft’s GitHub account that began as early as March 2025.
In an update on September 6, 2025, Salesloft confirmed that an investigation by cybersecurity firm Mandiant found that threat actors leveraged this initial access to eventually steal OAuth authentication tokens from its Drift chat platform, leading to widespread data theft from customer systems.
The investigation, which began on August 28, revealed that threat actors had access to Salesloft’s GitHub account from March through June 2025.
During this period, the attackers downloaded content from private repositories, added a guest user, and established workflows while conducting reconnaissance on both the Salesloft and Drift application environments.
While the Salesloft platform itself was not breached, the attackers pivoted to Drift’s AWS environment, where they successfully obtained OAuth tokens for customer technology integrations.
Salesloft Drift Cyberattack
The threat actor, identified by Google’s Threat Intelligence Group as UNC6395, used these stolen tokens between August 8 and August 18 to access and exfiltrate data from customers’ integrated applications, most notably Salesforce instances.
The stolen data primarily included business contact information, such as names, email addresses, and job titles, as well as content from support cases.
The breach affected a wide array of high-profile companies, including Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, and SpyCloud.
The incident is considered one of the largest recent SaaS supply-chain attacks, highlighting the risks associated with third-party application integrations.
In response to the attack, Salesloft engaged Mandiant and took decisive action to contain the threat. The company took the Drift platform completely offline, isolated its infrastructure, and rotated all impacted credentials.
Mandiant has since verified that the incident is contained and that the technical segmentation between the Salesloft and Drift environments prevented the attackers from moving laterally.
The focus of the investigation has now shifted to a forensic quality assurance review. Salesloft has issued guidance to its partners, recommending that all third-party applications integrated with Drift via API key proactively revoke the existing key.
The company also published a list of Indicators of Compromise (IOCs), including malicious IP addresses and user-agent strings, to help customers search their own logs for suspicious activity.
| Indicator Type | Value/Description |
|---|---|
| Malicious IP Addresses | Any successfully authenticated Drift connection from an IP not on Drift's official whitelist should be considered suspicious; Salesloft's advisory lists the specific IP addresses confirmed as malicious. |
| Malicious User-Agent Strings | The following user-agent strings have been associated with the threat actor's activity: `python-requests/2.32.4`, `Salesforce-Multi-Org-Fetcher/1.0`, `Python/3.11 aiohttp/3.12.15` |
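As an added example (not from the article or from Salesloft's advisory), the Python below applies the two IOC rules above to log lines: it flags the published user-agent strings and, following the advisory's wording, flags only successful authentications from IPs outside a Drift allowlist. The allowlist, the simplified key=value log format and the sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# User-agent strings listed as IOCs in the advisory quoted above.
MALICIOUS_USER_AGENTS = {
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Python/3.11 aiohttp/3.12.15",
}

# Constructed placeholder: replace with Drift's official egress IP list.
DRIFT_ALLOWLIST = {"203.0.113.10", "203.0.113.11"}

# Constructed, simplified key=value login-log format used for this example only.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user="(?P<user>[^"]*)" '
    r'status=(?P<status>\w+) ua="(?P<ua>[^"]*)"$'
)

@dataclass(frozen=True)
class Finding:
    timestamp: str
    ip: str
    user: str
    reasons: tuple

def scan(lines, allowlist=DRIFT_ALLOWLIST):
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = []
        if m["ua"] in MALICIOUS_USER_AGENTS:
            reasons.append("known-malicious user-agent")
        # Per the advisory, only *successful* logins from non-allowlisted IPs count.
        if m["status"] == "success" and m["ip"] not in allowlist:
            reasons.append("ip not on Drift allowlist")
        if reasons:
            findings.append(Finding(m["ts"], m["ip"], m["user"], tuple(reasons)))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2025-08-10T12:00:00Z ip=203.0.113.10 user="drift-integration" status=success ua="Drift/1.0"',
    '2025-08-10T12:05:00Z ip=198.51.100.7 user="drift-integration" status=success ua="python-requests/2.32.4"',
    '2025-08-10T12:06:00Z ip=198.51.100.8 user="admin" status=failure ua="Mozilla/5.0"',
    '2025-08-10T12:07:00Z ip=203.0.113.11 user="drift-integration" status=success ua="Salesforce-Multi-Org-Fetcher/1.0"',
    "garbage line that does not parse",
]
```

Running `scan(SAMPLE_LOG)` returns two findings: the second line matches both rules, the fourth only the user-agent rule; the failed login and the unparseable line produce nothing.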
While a group called “Scattered LAPSUS$ Hunters 4.0” claimed responsibility, investigators have not found credible evidence to support this claim.