What Happened in the Salesloft GitHub Account Breach Exposing Data


A GitHub breach led to a supply chain attack exposing data of 22 companies via Salesloft Drift. OAuth tokens were stolen, affecting third-party integrations.


By Jace Reed


The Salesloft data breach linked to the Drift application started with the compromise of a GitHub account. From March to June 2025, the threat actor UNC6395 accessed Salesloft's GitHub repositories, downloaded content, and made unauthorized changes. This breach eventually led to a broader supply chain attack.

This attack shows the risks inherent in supply-chain and API security: the attackers used their repository access to infiltrate AWS environments and obtain OAuth tokens. Those tokens gave unauthorized access to data across multiple customer integrations, impacting 22 confirmed companies.

How did the GitHub account get compromised?

The threat actor gained access to the Salesloft GitHub account through methods that have not been publicly detailed but likely involved credential compromise or insufficient access controls. Over a period of several months, they downloaded code and added guest users to maintain persistent access.

Reconnaissance activities were observed in both Salesloft and Drift application environments from March to June 2025. Despite extensive access, there is no public evidence of data manipulation beyond the reconnaissance and token theft phases.

Did you know?
UNC6395, a threat group, stole extensive data from hundreds of Salesforce accounts. The stolen information included AWS keys, Snowflake tokens, passwords, and various Salesforce business records like Cases, Accounts, and Users.

What steps did the attackers take after the breach?

After establishing access to the GitHub repositories, the attackers proceeded to infiltrate Drift's AWS environment. There they obtained OAuth tokens that link Drift to customer applications and services.

These tokens were then used to access data via Drift integrations, expanding the scope of the supply chain breach. The stolen credentials allowed the attackers to move laterally through connected systems, posing serious risks to the impacted companies. This level of access amplifies concerns around API key and token security in cloud environments.

What impact did the breach have on companies?

So far, 22 companies have publicly confirmed they were affected by this supply chain breach. The breach exposed company data accessed through third-party Drift integrations. The full extent or specifics of the exposed data have not been disclosed.

Such breaches can damage trust in SaaS providers and increase scrutiny over third-party application security.

Companies depending on Salesloft and Drift integrations must now reevaluate their security posture and token management practices.


How did Salesloft respond to the incident?

Salesloft reacted by isolating the Drift infrastructure, taking the application offline on September 5, 2025, and rotating credentials in their environment. They also enhanced segmentation controls to better separate Salesloft and Drift applications.

They advised all third-party applications integrated via API keys to proactively revoke existing keys and issue new ones to mitigate ongoing risks. This response highlights the importance of rapid containment in breach scenarios.

What is the current status of integrations and security?

Salesforce temporarily suspended the Salesloft integration on August 28 but re-enabled it on September 7, except for the Drift app, which remains offline. Salesforce cited Salesloft's remediation efforts and security hardening as the basis for restoring most integrations.

The Drift application remains disabled pending further security validation, underscoring ongoing caution around the incident. This incident serves as a reminder for continuous vigilance around supply chain and API security.

Moving forward, companies reliant on third-party platforms like Salesloft should increase monitoring of API key usage and prioritize securing token-based authentication.

Enhancements in access controls and segmentation will be critical to preventing similar supply chain breaches in the future.


© 2025 MoneyOval.
All rights reserved.