Salesloft Drift data breach: Investigation reveals how attackers got in

The attack that resulted in the Salesloft Drift data breach started with the compromise of the company’s GitHub account, Salesloft confirmed this weekend.

Supply chain compromise

On August 26, the company publicly revealed that earlier that month, a threat actor exfiltrated data from their customers’ Salesforce instances by leveraging stolen OAuth credentials that enable the integration of their Drift (Salesloft) chatbot with said instances.

Google Threat Intelligence Group attributed the attack to an attack group they track as UNC6395.

They also said that the attackers were after sensitive access credentials – AWS access keys, passwords, Snowflake-related access tokens – that may be included in support tickets sent to those organizations by their customers.

A number of organizations, including Cloudflare, Zscaler, Palo Alto Networks, Elastic, Bugcrowd, and others, have since confirmed the data theft.

Most of the companies proceeded to analyze the potentially compromised data and, where they discovered customers’ secrets in support tickets, to notify the affected customers. (Whether their reaction was quick enough to prevent the secrets’ misuse remains to be seen.)
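The triage step described above, as an added example that is not code from Salesloft, Mandiant or any affected company: a small Python scanner that flags the credential types the article names (AWS keys, passwords, Snowflake tokens) in a constructed batch of support-ticket exports and reports which customers need notification. Only the AWS access key ID prefix and length are public format facts; the other patterns are assumptions about how such values get pasted into ticket text.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for the credential types named in the article. The AWS access
# key ID prefix/length is public; the other three are assumptions about ticket text.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?(?:access[_ -]?)?key\W{0,5}"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?token\W{0,5}([A-Za-z0-9_\-]{20,})"),
}

@dataclass
class Finding:
    ticket_id: str
    customer: str
    kind: str
    redacted: str  # never carry the full secret into reports or notifications

def redact(value):
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "*" * len(value)

def scan_ticket(ticket):
    """Return one Finding per credential-like string in the ticket body."""
    found = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(ticket["body"]):
            value = m.group(m.lastindex or 0)  # captured group if the pattern has one
            found.append(Finding(ticket["id"], ticket["customer"], kind, redact(value)))
    return found

def customers_to_notify(tickets):
    """Map each customer with exposed secrets to the sorted list of kinds found."""
    exposed = {}
    for t in tickets:
        for f in scan_ticket(t):
            exposed.setdefault(f.customer, set()).add(f.kind)
    return {c: sorted(k) for c, k in sorted(exposed.items())}

# Constructed sample export. The AWS values are the public AWS documentation
# examples and the token is a made-up string, so nothing here is a live secret.
SAMPLE_TICKETS = [
    {"id": "T-1001", "customer": "acme", "body": "Lambda fails with AccessDenied. Key: "
     "AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "T-1002", "customer": "globex", "body": "Login loop. password: Tr0ub4dor&3 (from runbook)"},
    {"id": "T-1003", "customer": "initech", "body": "Question about invoice PDF layout."},
    {"id": "T-1004", "customer": "acme", "body": "Sync broken. snowflake oauth token: cnstrctd_tok_0123456789ABCDEF"},
]
```

Run `customers_to_notify(SAMPLE_TICKETS)` over a real export and only the redacted findings should leave the triage system; the notification itself tells the customer which credential kinds to rotate.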

What the investigators found

In the meantime, Salesforce engaged Mandiant to investigate the compromise of the Drift platform and its technology integrations.

Salesloft has now shared what the investigators discovered: “In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.”

“The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.”

What they did find is that the threat actor managed to access Drift’s AWS environment, obtain OAuth tokens for Drift customers’ technology integrations, and use those tokens to access the customers’ Salesforce instances.

Salesloft did not say how the attackers got into their GitHub account.

The company has worked with Mandiant to discover and eradicate the attackers’ presence from the Drift and Salesloft application environments, to harden those environments, and to check for evidence of compromise across Salesloft infrastructure and technologies.

“Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments. Based on the Mandiant investigation, the findings support the incident has been contained,” the company said, and confirmed that they have restored the integration between the Salesloft platform and Salesforce.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.