Salesloft Breached via GitHub Account Compromise
Summary
A threat actor tracked as UNC6395 compromised Salesloft’s GitHub account earlier this year, exfiltrated repository data and used information gathered to move into Drift’s AWS environment. The attacker stole OAuth tokens tied to Drift integrations and abused them to access hundreds of customers’ Salesforce instances and other integrated services. Several major security and tech firms — including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, Tenable and Qualys — disclosed impacts or investigations related to the campaign.
Salesloft engaged Mandiant for an investigation; Mandiant found activity dating back to March with reconnaissance through to June. Google Threat Intelligence later warned that the stolen tokens were likely used beyond Salesforce, and urged all Salesloft Drift customers to treat tokens as potentially compromised. Salesforce temporarily disabled Salesloft integrations as part of the response; Salesloft later said its core integration was restored while Salesforce kept the Drift app disabled pending further work.
Key Points
- Attack began with a compromised Salesloft GitHub account (activity observed March–June 2025).
- UNC6395 downloaded repo data and used it to access Drift’s AWS environment and steal OAuth tokens.
- Stolen tokens enabled a supply-chain-style attack that impacted hundreds of Salesforce instances and likely other integrations.
- Victims disclosed include major security firms and technology companies such as Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, Tenable, Qualys, Rubrik and others.
- Google Threat Intelligence warned that token abuse extended beyond Salesforce; organisations should assume any tokens linked to Drift may be compromised.
- Salesforce temporarily disabled Salesloft integrations; Salesloft reports its main integration is restored, but Drift remains disabled per the Salesforce advisory.
- Incident highlights persistent risk from secrets exposed in code repositories and other systems — GitGuardian reports millions of exposed secrets in recent years.
Why should I read this?
Because this is a textbook case of how one compromised dev account can cascade into a multi‑tenant disaster. If you use Salesloft, Drift, Salesforce or store tokens/credentials anywhere (yes — even in support tickets), you need to know the attack chain, assume tokens might be stolen and act now to rotate and audit. We’ve read the detail so you don’t have to — but don’t sleep on the fixes.
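As an added illustration (not part of the original article) of the repository-secret exposure the Key Points mention and the "audit" advice above, the following Python sketch scans file contents for a few well-known credential formats and for high-entropy values assigned to secret-looking variables. The patterns, thresholds and sample lines are constructed for this example; the token strings are not real secrets.

```python
import math
import re
from collections import Counter

# Constructed sample lines standing in for repository content (no real secrets).
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',
    'OAUTH_REFRESH = "5Aep861TSESvWeug_xQ3wgJ6yvk7LoM2Q"',
    'debug = True',
    'log_level = "INFO"',
]

# Fixed-format credentials that can be matched directly (constructed subset).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Catch-all: a secret-looking variable assigned a long quoted literal.
ASSIGNMENT = re.compile(
    r'(?i)(token|secret|key|password|refresh)\w*\s*[=:]\s*["\']([^"\']{20,})["\']'
)

def shannon_entropy(s):
    """Bits per character; random tokens score well above prose or config words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_number, finding_type, value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, name, m.group(0)))
        m = ASSIGNMENT.search(line)
        # Only raise the entropy finding if no fixed-format rule already fired.
        if m and not any(f[0] == lineno for f in findings):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings

if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {kind} -> rotate and audit: {value}")
```

Running this as a pre-commit hook or over a repository history surfaces the kind of material an attacker with read access to the repo would harvest first.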