A major security breach at Salesloft, traced to a compromised GitHub account, led to a widespread Drift application attack affecting top tech firms.
Quick Summary – TLDR:
- Salesloft’s GitHub account was compromised between March and June 2025, giving hackers access to sensitive repositories.
- Attackers infiltrated Drift’s AWS environment and stole OAuth tokens used in third-party integrations.
- Over 22 companies confirmed impact, with victims including Google, Cloudflare, Palo Alto Networks, and others.
- Salesforce has restored Salesloft integration, excluding Drift, which remains offline as a security precaution.
What Happened?
Salesloft has confirmed that a compromised GitHub account was the entry point for a significant breach of its Drift application, a supply chain attack now impacting at least 22 companies. The threat group UNC6395, according to Mandiant investigators, exploited this access from March through June 2025 to extract sensitive data and launch further attacks using stolen credentials.
How the Breach Unfolded?
The investigation, led by Google-owned Mandiant, revealed that attackers gained unauthorized access to Salesloft’s GitHub repositories over a three-month span. During this time, they:
- Downloaded content from multiple repositories
- Added a guest user
- Established internal workflows
From there, the threat actors accessed Drift’s AWS infrastructure, where they harvested OAuth tokens tied to technology integrations. These tokens were then used to gain access to several Salesforce instances, enabling the attackers to collect data from customer environments across various organizations.
Salesloft clarified that while the hackers conducted reconnaissance activities in both Salesloft and Drift environments, there is no evidence of deeper activity beyond that scope within the core Salesloft infrastructure.
Fallout and Affected Companies
The scope of the attack was broad. While 22 companies have formally confirmed being impacted, researchers and vendors believe the true number is higher. Victims of the breach include major tech and cybersecurity firms such as:
- Cloudflare
- Palo Alto Networks
- Zscaler
- Proofpoint
- BeyondTrust
- JFrog
- Bugcrowd
- Elastic
- CyberArk
- Nutanix
- PagerDuty
- Rubrik
- SpyCloud
- Tanium
- Cato Networks
Salesloft Drift Breach Tracker: Companies affected by the widespread Salesloft Drift OAuth token compromise that targeted Salesforce customer instances
— Dark Web Informer (@DarkWebInformer) September 8, 2025
Link: https://t.co/co1rPcjhqB pic.twitter.com/tk6n7pc23v
Cloudflare described the event as affecting “hundreds” of companies, classifying it as a large-scale credential harvesting campaign. While UNC6395 is the primary actor tracked in the breach, Cloudflare also referenced a group it calls GRUB1, which appears to align with UNC6395’s behavior. ShinyHunters, another known group, may also be linked.
Containment and Recovery Efforts
As a critical step, Salesloft took the Drift application offline on September 5, 2025, and implemented several layers of remediation:
- Isolated Drift infrastructure and code
- Rotated all relevant credentials
- Improved segmentation between Salesloft and Drift environments
Mandiant verified these containment efforts, affirming that the incident appears to be under control.
Salesforce, which temporarily suspended its integration with Salesloft as a precaution, has since restored the connection as of September 7, 2025, excluding Drift which will remain disabled pending further review.
Salesloft is urging all customers who use Drift API integrations to revoke and regenerate their API keys to mitigate further risks.
SQ Magazine’s Takeaway
I’ve got to say, this is another classic example of how a single compromised credential can snowball into a massive supply chain catastrophe. GitHub access should never be taken lightly, especially when it’s linked to applications like Drift that touch customer data through integrations. What gets me is how long these attackers lurked, from March to June, before launching their attack in August. This wasn’t just a smash-and-grab. It was calculated, quiet, and painfully effective. If you’re a developer or security engineer reading this, check your GitHub account controls today. Seriously.
