GitHub Account Compromise Results in Salesloft Drift Data Breach Impacting 22 Companies
Salesloft has disclosed that a data breach associated with its Drift application originated from the compromise of its GitHub account. To date, 22 companies have confirmed they were affected by this supply chain breach. Google-owned Mandiant, which initiated an investigation into the incident, reported that the threat actor, identified as UNC6395, accessed the Salesloft GitHub account from March to June 2025. With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows. The investigation also revealed reconnaissance activities in the Salesloft and Drift application environments during the same period, although there is no evidence of any activity beyond limited reconnaissance.
In a subsequent phase, the attackers gained access to Drift’s Amazon Web Services (AWS) environment and obtained OAuth tokens for Drift customers’ technology integrations. These stolen OAuth tokens were then used to access data via Drift integrations. In response, Salesloft isolated the Drift infrastructure, application, and code, taking the application offline as of September 5, 2025. The company also rotated credentials in the Salesloft environment and enhanced security measures with improved segmentation controls between Salesloft and Drift applications. Salesloft recommended that all third-party applications integrated with Drift via API key proactively revoke their existing keys. As of September 7, 2025, Salesforce restored the integration with the Salesloft platform, having temporarily suspended it on August 28, while keeping the Drift app disabled until further notice.