Threat actors had access to Salesloft’s GitHub account between March and June 2025 and performed reconnaissance in preparation for the widespread Salesforce-Salesloft data theft campaign.
The data breach occurred between August 8 and August 18, when the attackers used compromised OAuth tokens for the Drift AI chatbot to export large volumes of data from Salesforce environments.
Attributed to a threat actor tracked as UNC6395, the campaign hit hundreds of organizations and focused on the extraction of AWS access keys, passwords, and Snowflake-related access tokens from the stolen data.
Initially believed to affect only accounts using the Salesforce-Salesloft Drift integration, the attack was later found to have affected other entities as well, including Google Workspace customers.
The attack resulted in Salesforce disabling the Salesloft integration, and in Drift being taken temporarily offline to improve its security. On September 7, the Salesforce-Salesloft integration was restored.
However, the campaign was not the result of a weakness in Drift, Salesloft said on Sunday. Instead, it was possible because hackers had compromised the company’s GitHub account half a year ago.
“In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows,” Salesloft revealed.
The investigation into the incident, performed by Mandiant, revealed that the hackers performed reconnaissance in the Salesloft and Drift application environments, and then accessed Drift’s AWS instance, exfiltrating OAuth tokens for customers’ integrations.
“The threat actor used the stolen OAuth tokens to access data via Drift integrations,” Salesloft says.
According to the company, the attack has been contained and the attackers have been evicted from its environments, and Mandiant has validated the containment.
What Salesloft did not specify, however, was the number of impacted organizations. According to previous estimates, roughly 700 companies might have been affected.
In the cybersecurity space, Cloudflare, Palo Alto Networks, and Zscaler were the first to confirm impact from the attack, followed shortly by Proofpoint, SpyCloud, Tanium, and Tenable.
The list of cybersecurity firms impacted by the incident, however, has grown to over a dozen, and also includes BeyondTrust, Bugcrowd, CyberArk, Cato Networks, JFrog, PagerDuty, and Rubrik. Elastic said a single email account was compromised through the ‘Drift Email’ integration.
Esker, Heap, Megaport, Nutanix, Sigma Computing, and Workiva were also hit, Nudge Security reveals. In most cases, the compromised Salesforce instances stored data related to customer support tickets, including business information such as names, email addresses, and phone numbers.
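The campaign's value to the attackers came from credentials sitting in exported support-case text (AWS keys, passwords, Snowflake tokens). A defender can run the same kind of sweep over their own Salesforce case export to find and purge such secrets before a token theft exposes them. The following is an added example, not code from the article, Salesloft or Mandiant; the case records are constructed, the AWS key ID is the format AWS documents (AKIA plus 16 uppercase alphanumerics), and the password and Snowflake rules are keyword heuristics assumed here for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of Salesforce Case records (CaseNumber/Description),
# not real customer data. The AWS key is AWS's published example key.
SAMPLE_CASES = [
    {"CaseNumber": "00001001",
     "Description": "Cannot reach S3 bucket. Keys on file: AKIAIOSFODNN7EXAMPLE "
                    "/ wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseNumber": "00001002",
     "Description": "Reset done. New login password=Summer2025! for jdoe"},
    {"CaseNumber": "00001003",
     "Description": "Snowflake connector fails; token: ETMsDgAAAY... (OAuth)"},
    {"CaseNumber": "00001004",
     "Description": "Billing question about invoice 4421, no credentials involved."},
]

# Detection rules. Only the AWS access key ID rule is a fixed, documented
# format; the password and Snowflake rules are assumed heuristics and will
# need tuning against real ticket text.
SECRET_RULES: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_token": re.compile(r"(?is)\bsnowflake\b.{0,80}?\btoken\b\s*[:=]?\s*\S+"),
}


def scan_record(text: str) -> List[str]:
    """Return the names of every rule that matches one case description."""
    return [name for name, rx in SECRET_RULES.items() if rx.search(text)]


def scan_export(cases) -> Dict[str, List[str]]:
    """Map CaseNumber -> matched rule names, listing only cases with findings."""
    findings: Dict[str, List[str]] = {}
    for case in cases:
        hits = scan_record(case.get("Description", ""))
        if hits:
            findings[case["CaseNumber"]] = hits
    return findings


if __name__ == "__main__":
    # Findings are case numbers only; never print the matched secret itself.
    for case_no, hits in scan_export(SAMPLE_CASES).items():
        print(f"case {case_no}: {', '.join(hits)}")
```

On a real export, feed the script the Description (and comment) fields from a Case extract and treat each hit as a credential to rotate and a ticket to scrub.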