
Salesloft & Drift Breach: How Attackers Infiltrated Systems

Summary

– The Salesloft Drift data breach began with the compromise of the company’s GitHub account, which allowed attackers to access and download content from repositories.
– Attackers exfiltrated data from customers’ Salesforce instances using stolen OAuth credentials that integrated the Drift chatbot with those instances.
– Google Threat Intelligence Group attributed the attack to UNC6395, noting the attackers targeted sensitive credentials like AWS keys and Snowflake tokens in support tickets.
– Multiple organizations, including Cloudflare and Zscaler, confirmed data theft and notified affected customers after discovering exposed secrets in support tickets.
– Mandiant’s investigation found the threat actor accessed Drift’s AWS environment and obtained OAuth tokens, but confirmed the incident has been contained and the integration with Salesforce restored.

A significant cybersecurity incident involving Salesloft and its Drift platform began with unauthorized access to the company’s GitHub account, as confirmed over the weekend. This breach highlights the growing risks associated with supply chain compromise, where attackers exploit interconnected services to infiltrate multiple organizations. The incident underscores the critical need for robust access controls and continuous monitoring of third-party integrations.

On August 26, Salesloft disclosed that earlier in the month, a threat actor had exfiltrated data from customers’ Salesforce instances. The attackers used stolen OAuth credentials linked to the Drift chatbot integration. According to the Google Threat Intelligence Group, the operation was carried out by a group they identify as UNC6395. Their primary objective appeared to be obtaining sensitive credentials, including AWS access keys, passwords, and Snowflake-related tokens, often found within customer support tickets.

Several high-profile organizations, such as Cloudflare, Zscaler, Palo Alto Networks, Elastic, and Bugcrowd, have since acknowledged being affected by the data theft. These companies initiated internal reviews to assess the scope of the compromise and began notifying customers whose secrets may have been exposed. The effectiveness of these responses in preventing misuse of the stolen data is still under evaluation.
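The internal reviews described above amount to searching support-case text for the credential types the attackers were after, so that anything found can be rotated. The following is an added example, not code from Salesloft, Mandiant or any affected company; the case records, field names, and the Snowflake and password heuristics are constructed assumptions.

```python
import re

# Patterns for the secret types the article names. The AKIA/ASIA prefix plus
# 16 characters is the AWS access key ID format; the Snowflake hostname and
# password patterns are heuristics assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account_url": re.compile(
        r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret|token)\s*[:=]\s*(\S{6,})", re.I),
}

# Constructed sample cases (hypothetical field names, not a real export).
# The AWS key is the placeholder value used in AWS documentation.
SAMPLE_CASES = [
    {"id": "CASE-1001", "subject": "S3 sync failing",
     "description": "Our job uses key AKIAIOSFODNN7EXAMPLE and gets a 403."},
    {"id": "CASE-1002", "subject": "Connector login",
     "description": "Account is acme-xy12345.snowflakecomputing.com, "
                    "password: Winter2025!x"},
    {"id": "CASE-1003", "subject": "Widget colour",
     "description": "Can the chat widget match our brand colour?"},
]

def redact(value, keep=4):
    """Keep a short prefix only, so the report does not re-leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_cases(cases):
    """Return sorted (case_id, kind, redacted_value) tuples for every hit."""
    findings = set()
    for case in cases:
        text = f"{case.get('subject', '')}\n{case.get('description', '')}"
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Use the captured value when the pattern has a group.
                value = m.group(1) if m.groups() else m.group(0)
                findings.add((case["id"], kind, redact(value)))
    return sorted(findings)

def cases_needing_rotation(findings):
    """Case IDs whose referenced credentials should be treated as exposed."""
    return sorted({case_id for case_id, _, _ in findings})

if __name__ == "__main__":
    for case_id, kind, value in scan_cases(SAMPLE_CASES):
        print(f"{case_id}  {kind:<22} {value}")
```

A hit means the referenced credential should be rotated and its usage logs reviewed; a clean result only means these particular patterns did not match.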

Salesforce brought in Mandiant to conduct a thorough investigation into the Drift platform compromise. Findings revealed that between March and June 2025, the threat actor gained access to Salesloft’s GitHub account. From there, they downloaded content from multiple repositories, added a guest user, and established malicious workflows. While reconnaissance activities were detected in both Salesloft and Drift environments during that period, no evidence suggested further intrusion beyond limited reconnaissance in the Salesloft application environment.

However, the attackers successfully penetrated Drift’s AWS environment, obtained OAuth tokens for customer integrations, and used those tokens to access Salesforce instances. Salesloft has not disclosed the specific method used to compromise their GitHub account.

In response, the company collaborated with Mandiant to identify and remove the threat actor’s presence, strengthen security measures, and scan for additional signs of compromise across their infrastructure. Mandiant confirmed the technical segmentation between Salesloft and Drift environments and verified that the incident has been contained. Salesloft has since restored integration between its platform and Salesforce.

(Source: HelpNet Security)


The Wiz

Wiz Consults, home of the Internet, is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.