The Salesloft Drift hack originated from a compromise of the company’s GitHub account in March.

Salesloft, with the assistance of Google’s cybersecurity subsidiary Mandiant, has investigated a security breach involving its Salesloft Drift platform, which also affected companies such as Cloudflare and Zscaler. In a security advisory update on 7 September, Salesloft outlined the objectives of the investigation, which included determining the root cause and scope of the incident, as well as assisting with containment and remediation efforts. Mandiant was engaged to assess the Salesloft environment to confirm whether it had been compromised and to verify the segmentation between the Drift and Salesloft environments.

Mandiant discovered that a threat actor accessed Salesloft’s GitHub account between March and June 2025. The hacker was able to download code and content from multiple repositories, establish their own workflows, and add a guest user. During this period, the threat actor conducted reconnaissance activities within both the Drift and Salesloft application environments. Subsequently, they gained access to Salesloft Drift’s AWS environment, obtaining OAuth tokens for numerous customer technology integrations, which were then used to access customer data. In response to the breach, Salesloft took its Drift platform offline and implemented isolation measures. 
