Article Details
Scrape Timestamp (UTC): 2025-09-08 15:32:39.146
Source: https://thehackernews.com/2025/09/github-account-compromise-led-to.html
Original Article Text
Click to Toggle View
GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies. Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach. "With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows," Salesloft said in an updated advisory. The investigation also uncovered reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. However, it emphasized there is no evidence of any activity beyond limited reconnaissance. In the next phase, the attackers accessed Drift's Amazon Web Services (AWS) environment and obtained OAuth tokens for Drift customers' technology integrations, with the stolen OAuth tokens used to access data via Drift integrations. Salesloft said it has isolated the Drift infrastructure, application, and code, and taken the application offline effective September 5, 2025, at 6 a.m. ET. It has also rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. "We are recommending that all third-party applications integrated with Drift via API key, proactively revoke the existing key for these applications," it added. As of September 7, 2025 at 5:51 p.m. UTC, Salesforce has restored the integration with the Salesloft platform after temporarily suspending it on August 28. This has been done in response to security measures and remediation steps implemented by Salesloft. "Salesforce has re-enabled integrations with Salesloft technologies, with the exception of any Drift app," Salesforce said. "Drift will remain disabled until further notice as part of our continued response to the security incident."
Daily Brief Summary
Salesloft experienced a data breach originating from the compromise of its GitHub account, affecting 22 companies linked through its Drift application.
The breach, investigated by Mandiant, involved threat actor UNC6395 accessing Salesloft's GitHub from March to June 2025, conducting reconnaissance activities.
Attackers downloaded content from repositories, added a guest user, and established workflows, but evidence of activity was limited to reconnaissance.
Drift's AWS environment was accessed, and OAuth tokens for customer integrations were stolen, allowing data access through Drift integrations.
Salesloft has isolated the Drift infrastructure, taken the application offline, rotated credentials, and enhanced segmentation controls between Salesloft and Drift.
Third-party applications using Drift via API key are advised to revoke existing keys as a precautionary measure.
Salesforce temporarily suspended and later restored integration with Salesloft, excluding Drift, pending further security assessments.