Salesloft has disclosed that a GitHub account breach in March allowed attackers to steal authentication tokens, which were later leveraged in a large-scale cyberattack targeting multiple high-profile tech customers.
According to Google’s incident response unit, Mandiant, the intruders gained access to Salesloft’s GitHub environment between March and June. During this time, they reportedly downloaded content from several repositories, added a guest user, and established malicious workflows.
The disclosure raises concerns about Salesloft’s security posture—particularly why it took the company roughly six months to detect the intrusion. Salesloft has since stated that the incident has been “contained.”
Exploitation of Drift’s OAuth Tokens
Following the GitHub breach, attackers infiltrated the Amazon Web Services (AWS) cloud infrastructure used by Drift, Salesloft’s AI- and chatbot-powered marketing platform. This access allowed them to exfiltrate OAuth tokens for Drift customers.
OAuth is widely used to let applications connect to third-party platforms such as Salesforce without sharing the user's password; the issued token is itself the credential. Because a stolen token carries whatever access the integration was granted, the threat actors were able to use it to move laterally into customer environments.
The stolen tokens enabled attackers to compromise several major organizations, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable. Security experts caution that the full scope of affected customers remains unknown.
Google’s Threat Intelligence Group attributed the supply chain breach to a hacking group tracked as UNC6395, disclosing details publicly in late August.
Attribution and Extortion Attempts
While Google linked the campaign to UNC6395, industry reports from DataBreaches.net and Bleeping Computer suggest the prolific cybercriminal group ShinyHunters may be responsible. The hackers are allegedly attempting to extort victims through private communications.
Salesloft confirmed that the attackers leveraged stolen tokens to infiltrate Salesforce environments, targeting sensitive data from support tickets. The company noted that the primary goal appeared to be the theft of credentials, including AWS access keys, passwords, and Snowflake-related access tokens.
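The credential hunting described above turns support tickets into a target. The following is an added example, not code from Salesloft or any affected vendor, of a defender-side check that scans exported case records for the credential types named here (AWS access keys, passwords, Snowflake tokens) so they can be removed before an attacker with a stolen integration token reads them. The AWS access key ID shape is AWS-documented; the other patterns, field names and sample records are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Credential patterns. The AWS access key ID shape (AKIA + 16 chars) is
# AWS-documented; the other three are keyword heuristics (an assumption
# here) and will miss secrets that are not labelled in the ticket text.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret(?:_?access)?(?:_?key)?\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*['\"]?(\S{8,})"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|key)\s*[:=]\s*['\"]?(\S{20,})"),
}

@dataclass(frozen=True)
class Finding:
    case_id: str
    field: str
    kind: str
    preview: str  # first four characters only; never log the full secret

def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_cases(cases, fields=("Subject", "Description")):
    """Return a Finding for every credential-like value in the given fields."""
    findings = []
    for case in cases:
        for field in fields:
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(case.get(field) or ""):
                    findings.append(Finding(case["Id"], field, kind, redact(m.group(1))))
    return findings

# Constructed sample of exported case records; every value is fabricated.
SAMPLE_CASES = [
    {"Id": "500AAA000000001", "Subject": "Login failure",
     "Description": "User cannot sign in; no credentials were attached."},
    {"Id": "500AAA000000002", "Subject": "S3 sync broken",
     "Description": "Our keys: AKIAEXAMPLEKEY123456 secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500AAA000000003", "Subject": "Snowflake connector",
     "Description": "password: Hunter2!Winter2024 and Snowflake token=sf_EXAMPLE_TOKEN_0123456789abcdef"},
]

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.case_id} {f.field} {f.kind} {f.preview}")
```

Run it against a real case export only after adjusting the field names to your schema; the preview keeps the output safe to paste into a ticket for remediation.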
As of September 7, Salesloft announced that its Salesforce integration has been fully restored.