Salesloft Drift Data Breach: Investigation Uncovers Methods Used by Attackers
The recent data breach at Salesloft, confirmed by the company, originated from the compromise of its GitHub account. On August 26, Salesloft disclosed that a threat actor had exfiltrated data from customers’ Salesforce instances by exploiting stolen OAuth credentials linked to their Drift chatbot. The Google Threat Intelligence Group attributed the attack to a group known as UNC6395, which sought sensitive access credentials, including AWS access keys and passwords, potentially found in support tickets submitted by customers. Several organisations, such as Cloudflare, Zscaler, and Palo Alto Networks, have confirmed the data theft and have since analysed the compromised data, notifying affected customers where necessary.
Salesforce engaged Mandiant to investigate the breach involving the Drift platform and its integrations. The investigation revealed that from March to June 2025, the threat actor accessed the Salesloft GitHub account, allowing them to download content from multiple repositories and establish workflows. While limited reconnaissance was noted in the Salesloft application environment, the threat actor successfully accessed Drift’s AWS environment, obtaining OAuth tokens to access customers’ Salesforce instances. Salesloft has worked with Mandiant to eliminate the attackers’ presence and strengthen their systems. Mandiant confirmed the technical segmentation between Salesloft and Drift environments, indicating that the incident has been contained and the integration with Salesforce has been restored.
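Because the stolen data was mined for AWS access keys and passwords that customers had pasted into support tickets, an affected organisation needs to find those secrets in its own ticket text so they can be rotated. The following is an added example, not code from Salesloft, Mandiant or Google: the function names and sample tickets are constructed for illustration, and the password pattern is a heuristic that will miss some phrasings.

```python
import re

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA"
# (temporary) followed by 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Heuristic for passwords pasted into free text: "password: x", "pwd=x".
PASSWORD = re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*(?:is|[:=])\s*(\S+)")

def redact(value, keep=4):
    """Mask all but the first `keep` characters so the report leaks nothing."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_ticket(ticket_id, text):
    """Return findings for one ticket as (ticket_id, kind, redacted_value)."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        findings.append((ticket_id, "aws_access_key_id", redact(m.group(0))))
    for m in PASSWORD.finditer(text):
        findings.append((ticket_id, "password", redact(m.group(1), keep=0)))
    return findings

def scan_tickets(tickets):
    """Scan a {ticket_id: body} mapping; findings are ordered by ticket id."""
    out = []
    for tid in sorted(tickets):
        out.extend(scan_ticket(tid, tickets[tid]))
    return out

# Constructed sample tickets (not real data). The key shown is the example
# access key ID used in AWS documentation.
SAMPLE_TICKETS = {
    "CASE-1001": "Our uploader fails. Key is AKIAIOSFODNN7EXAMPLE, region us-east-1.",
    "CASE-1002": "Login broken since Monday. Username jdoe, password: Summer2025!",
    "CASE-1003": "Please add dark mode to the dashboard.",
}

if __name__ == "__main__":
    for tid, kind, shown in scan_tickets(SAMPLE_TICKETS):
        print(f"{tid}\t{kind}\t{shown}\trotate, then scrub from the ticket")
```

Every hit should be treated as exposed: rotate the credential first, then remove it from the ticket record.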
Categories: Data Breach, Supply Chain Compromise, Cybersecurity Investigation
Tags: Salesloft, Drift, Data Breach, GitHub, OAuth, Salesforce, Threat Actor, Mandiant, AWS, Compromise