
Salesloft has confirmed that a compromise of its GitHub repositories was the entry point for the cyberattack that led to the Drift application breach, a supply chain incident now affecting at least 22 organizations.
According to Mandiant, the Google-owned threat intelligence and incident response unit overseeing the probe, the intrusion was carried out by a group identified as UNC6395.
The attackers quietly maintained access to Salesloft’s GitHub account for several months, between March and June 2025, enabling them to copy source code, create guest accounts, and tamper with workflows.
From Reconnaissance to Token Theft
Investigators determined that the threat actors initially focused on reconnaissance inside both Salesloft’s core environment and Drift’s application layer. While early activity appeared limited, the campaign later expanded when the group infiltrated Drift’s AWS infrastructure.
There, the attackers obtained OAuth tokens linked to customer integrations, which were then abused to pull data through Drift-connected APIs. This maneuver turned what began as a targeted intrusion into a classic supply chain breach, rippling downstream to customer systems.
Defensive Actions Underway
Salesloft said it has acted decisively to cut off further attacker access. On September 5, 2025, at 6 a.m. ET, the company took Drift offline, severed its infrastructure from Salesloft’s main platform, rotated internal credentials, and deployed stronger segmentation controls to contain future risk.
The company also urged customers to take immediate steps of their own: “We advise all third-party applications connected to Drift via API keys to revoke and regenerate their credentials without delay.”
The incident also forced temporary disruption at Salesforce, which suspended its integration with Salesloft on August 28. After verifying Salesloft’s remediation, Salesforce reinstated most integrations on September 7, but stressed that Drift will remain disabled indefinitely as a precaution.
“Integrations with Salesloft are back online,” Salesforce said, “but the Drift application will not be re-enabled until we are confident the threat has been fully mitigated.”
Source: TheHackerNews