Hackers breached Salesloft's GitHub in March, and used stolen tokens in a mass attack
Hackers breached Salesloft's GitHub account in March 2025, stole authentication tokens and used them to launch a large-scale attack against several major technology companies. Mandiant's investigation shows that between March and June 2025 the attackers carried out reconnaissance in the Salesloft and Drift application environments and accessed Salesloft's GitHub and AWS environments to obtain OAuth tokens. Although Salesloft has taken steps to isolate and remediate the problem, the incident exposed weaknesses in its security defenses. 2025-9-8 19:20:56 Author: securityaffairs.com

Pierluigi Paganini September 08, 2025

Hackers breached Salesloft’s GitHub in March, stole tokens, and used them in a mass attack on several major tech customers.

Salesloft revealed that the threat actor UNC6395 breached its GitHub account in March, stealing authentication tokens that were later used in a large-scale attack against several major tech customers.

Salesforce data theft attacks impacted major customers like Google, Zscaler, Cloudflare, and Palo Alto Networks.

Mandiant discovered threat actors performed reconnaissance activities in the Salesloft and Drift application environments between March 2025 and June 2025. The hackers accessed Salesloft’s GitHub from March to June, downloading repository data, adding a guest user, and creating workflows.

The intruders also breached Salesloft’s AWS environment tied to its Drift platform, stealing OAuth tokens used by Drift customers. Although the company says the incident is now contained, the six-month delay in detecting the intrusion raises security concerns.

Below are findings from Mandiant’s investigation:

  • “In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.
  • The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments.
    • The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.
  • The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.
  • The threat actor used the stolen OAuth tokens to access data via Drift integrations.”

Salesloft said it has isolated Drift's infrastructure, app, and code, taking it offline on September 5, 2025. It also rotated credentials and added stronger segmentation between Salesloft and Drift. The company advised customers to revoke all Drift API keys. On September 7, Salesforce restored integrations with Salesloft after suspending them on August 28, but confirmed Drift will remain disabled until further notice.

“Salesforce has re-enabled integrations with Salesloft technologies, with the exception of any Drift app. Drift will remain disabled until further notice as part of our continued response to the security incident.” reads an update posted on 07 Sep 2025. “This decision follows security measures and remediation steps implemented by Salesloft, which were independently validated by Mandiant.”

Source: https://securityaffairs.com/182002/hacking/hackers-breached-salesloft-s-github-in-march-and-used-stole-tokens-in-a-mass-attack.html