Salesloft Drift Cyberattack: Connection to GitHub Breach and OAuth Token Theft Explained

A sophisticated supply-chain attack has impacted over 700 organisations, including major cybersecurity firms, and has been traced back to a compromise of Salesloft's GitHub account that began as early as March 2025. On September 6, 2025, Salesloft confirmed that an investigation by cybersecurity firm Mandiant found that the threat actors used this initial access to steal OAuth authentication tokens from its Drift chat platform, resulting in widespread data theft from customer systems. The investigation, which commenced on August 28, established that the attackers had access to Salesloft's GitHub account from March through June 2025. During this period they downloaded content from private repositories, added a guest user and set up workflows, while conducting reconnaissance on both the Salesloft and Drift application environments. The Salesloft platform itself was not breached; instead, the attackers pivoted to Drift's AWS environment, where they obtained the OAuth tokens that Drift held for customers' technology integrations.

The threat actor, identified by Google's Threat Intelligence Group as UNC6395, used these stolen tokens between August 8 and August 18 to access and exfiltrate data from customers' integrated applications, particularly Salesforce instances. The stolen data primarily comprised business contact information, including names, email addresses and job titles, as well as content from support cases. Affected organisations include Cloudflare, Zscaler, Palo Alto Networks, PagerDuty and SpyCloud. The incident is regarded as one of the largest recent SaaS supply-chain attacks and underscores the risk carried by third-party application integrations: a token issued to a vendor's integration grants that vendor's infrastructure standing access to customer data, so a compromise of the vendor becomes a compromise of every tenant that trusted it.

In response, Salesloft engaged Mandiant and took steps to contain the threat, including taking the Drift platform offline, isolating its infrastructure and rotating all impacted credentials. Mandiant has since confirmed that the incident is contained, and that the technical segmentation between the Salesloft and Drift environments prevented lateral movement by the attackers. Salesloft has advised partners whose third-party applications integrate with Drift via an API key to proactively revoke the existing key. The company also published a list of Indicators of Compromise (IOCs) to help customers identify suspicious activity in their logs; customers with Salesforce integrations should review login and API activity for the August 8 to August 18 window against those indicators rather than relying on the token rotation alone.
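The article says the published IOCs are meant for checking logs, so the following is an added example of that check, written for this page and not taken from Salesloft's or Mandiant's advisory. It scans a Salesforce-style export of API/login events for rows inside the August 8 to 18 window that come from an IOC IP or network, carry an IOC user agent, or pull an unusually large number of rows. Everything specific in it is an assumption: the IOC values are placeholders, not the real published indicators; the column names are this example's own choice; timestamps are treated as UTC; and the bulk-export threshold is a heuristic. Substitute the indicators from the vendor advisory and your own log fields before using it.

```python
"""
Added example: hunt Salesforce-style API/login logs for IOC matches.

IOC values, column names and log rows are constructed placeholders
for this page. Replace them with the indicators published by
Salesloft / Google Threat Intelligence and your real log export.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Placeholder IOC set (assumption: NOT the published indicators).
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
IOC_USER_AGENTS = {"example-bulk-fetcher/1.0"}   # exact-match user agents
IOC_UA_PREFIXES = ("python-requests/",)         # prefix-match user agents (assumed)

# Activity window reported in the article; treated as UTC (assumption).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)   # exclusive, i.e. through Aug 18

# Constructed log extract. Column names are this example's own; map them
# onto whatever fields your Salesforce event log export actually has.
SAMPLE_LOG = """\
timestamp,user_name,client_ip,user_agent,api_operation,rows_processed
2025-08-07T23:10:00Z,integration@example.com,198.51.100.23,example-bulk-fetcher/1.0,query,50
2025-08-09T02:14:31Z,integration@example.com,198.51.100.23,example-bulk-fetcher/1.0,query,20000
2025-08-09T02:15:02Z,integration@example.com,192.0.2.45,python-requests/2.32.4,query,18000
2025-08-10T09:00:00Z,alice@example.com,10.0.0.5,Mozilla/5.0,query,10
2025-08-12T04:40:11Z,integration@example.com,203.0.113.77,curl/8.4.0,query,500
"""


@dataclass
class Hit:
    timestamp: str
    user_name: str
    client_ip: str
    user_agent: str
    rows_processed: int
    reasons: list = field(default_factory=list)


def in_window(ts: datetime) -> bool:
    """True if the event falls inside the reported exfiltration window."""
    return WINDOW_START <= ts < WINDOW_END


def ip_matches(ip_str: str) -> bool:
    """Exact IOC IP match, or membership in an IOC network."""
    if ip_str in IOC_IPS:
        return True
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:          # malformed field: do not crash the hunt
        return False
    return any(ip in net for net in IOC_NETWORKS)


def ua_matches(ua: str) -> bool:
    """Exact or prefix match against the IOC user-agent list."""
    return ua in IOC_USER_AGENTS or ua.startswith(IOC_UA_PREFIXES)


def scan(log_text: str, *, bulk_threshold: int = 10_000) -> list:
    """Return one Hit per in-window row that matches any indicator.

    bulk_threshold is a heuristic for 'this query pulled a lot of rows';
    tune it to the integration's normal volume.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if not in_window(ts):
            continue
        reasons = []
        if ip_matches(row["client_ip"]):
            reasons.append("ioc_ip")
        if ua_matches(row["user_agent"]):
            reasons.append("ioc_user_agent")
        rows = int(row["rows_processed"])
        if rows >= bulk_threshold:
            reasons.append("bulk_export")
        if reasons:
            hits.append(Hit(row["timestamp"], row["user_name"], row["client_ip"],
                            row["user_agent"], rows, reasons))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.user_name} {h.client_ip} "
              f"{h.user_agent!r} rows={h.rows_processed} {','.join(h.reasons)}")
```

On the constructed sample this flags three rows: the first IOC-IP row is ignored because it falls on August 7, outside the window, while the two large queries and the later IOC-IP login are reported with every reason that fired. The reasons list is kept per row on purpose: a hit on an IOC IP alone is worth a look, but a row that matches IP, user agent and a bulk pull at once is what an analyst should triage first.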

Categories: Cybersecurity Incident, Supply Chain Attack, Data Breach 

Tags: Supply-Chain Attack, Salesloft, GitHub, OAuth Tokens, Drift, Cybersecurity, Data Theft, Mandiant, Third-Party Integrations, Indicators of Compromise 
