Salesloft Links Drift Data Breach to March GitHub Account Compromise

📅 Published: 9/8/2025
🔄 Updated: 9/8/2025, 8:11:07 PM

Salesloft has linked the recent data breach affecting its Drift application to a compromise of its GitHub account dating back to March 2025. The breach, publicly disclosed in late August 2025, involved a sophisticated supply chain attack that allowed threat actors to access sensitive OAuth tokens used to integrate Drift with customer Salesforce instances and other platforms, leading to widespread data theft[1][2][4].

According to an investigation led by Google-owned Mandiant, the threat group tracked as UNC6395 gained unauthorized access to Salesloft’s GitHub repositories between March and June 2025. During this period, the attackers downloaded code, added guest users, and established workflows within the repositories. Reconnaissance activities were also detected in both Salesloft and Drift environments, but no evidence of further exploitation was found at that stage[1][3].

The hackers subsequently penetrated the Drift Amazon Web Services (AWS) environment, where they obtained OAuth tokens associated with customer technology integrations. These stolen tokens were then used to harvest credentials and access data from hundreds of Salesforce instances, as well as other connected systems. This access enabled the attackers to exfiltrate sensitive information from a number of high-profile organizations, including Cloudflare, Zscaler, Palo Alto Networks, Elastic, and Bugcrowd[2][3][5].

In response to the breach, Salesloft took immediate action by isolating Drift’s infrastructure, application, and code, and taking the Drift application offline on September 5, 2025. The company also rotated credentials in its environment and enhanced security measures by implementing improved segmentation controls between Salesloft and Drift applications to prevent further unauthorized access[1].

The investigation revealed that the attackers were specifically targeting sensitive access credentials such as AWS access keys, passwords, and Snowflake-related tokens, which were sometimes included in customer support tickets. This has raised concerns about the potential for misuse of these credentials and the broader impact on affected organizations and their customers[2][5].
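
One way to audit support-ticket text for the credential types named above, as an added example that is not part of the original article. The ticket IDs, sample bodies and regex heuristics are constructed assumptions; the Snowflake pattern relies on keyword proximity because no fixed token format is assumed.

```python
import re

# Constructed sample ticket bodies (not real data). The AWS value is
# the example access key ID used in AWS documentation.
SAMPLE_TICKETS = {
    "case-001": "Sync fails. Our creds: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "case-002": "Login help needed, password: Winter2025! for the admin user",
    "case-003": "Snowflake connector broke, token=ver:1-hint:abc-ETMsDgAAAZ",
    "case-004": "How do I reset my password? The reset email never arrives.",
}

# Heuristic patterns (assumptions of this example; tune for your own data).
PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # "password: value" or "pwd=value"; a bare mention of the word is ignored.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    # A secret-looking assignment shortly after the word "snowflake".
    "snowflake_secret": re.compile(
        r"(?i)snowflake.{0,80}?\b(?:token|password|key)\s*[:=]\s*(\S{8,})"),
}


def redact(value):
    """Keep the first 4 characters so a finding can be triaged
    without copying the secret into the audit report."""
    return value[:4] + "*" * (len(value) - 4)


def scan_ticket(text):
    """Return (pattern_name, redacted_value) for each hit in one ticket."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # Use the captured secret if the pattern has a group, else the whole match.
            secret = m.group(m.lastindex or 0)
            findings.append((name, redact(secret)))
    return findings


def scan_tickets(tickets):
    """Map ticket ID -> findings, omitting tickets with no hits."""
    return {tid: f for tid, body in tickets.items() if (f := scan_ticket(body))}


if __name__ == "__main__":
    for tid, hits in scan_tickets(SAMPLE_TICKETS).items():
        print(tid, hits)
```

Any credential flagged this way should be treated as exposed and rotated at its issuer; redacting the ticket alone does not invalidate it.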

Security experts warn that this supply chain attack may be a precursor to additional attacks, urging organizations connected to the Drift platform to immediately review and revoke any OAuth tokens and credentials linked to the application, and to audit their systems for signs of unauthorized activity[3][5].

Salesloft continues to work closely with Mandiant and other cybersecurity partners to fully understand the scope of the breach and to strengthen defenses against future threats. Meanwhile, affected companies are notifying their customers and taking steps to mitigate the impact of the stolen data and credentials[2][4].

🔄 Updated: 9/8/2025, 5:50:22 PM
Following Salesloft’s confirmation that the Drift data breach stemmed from a March GitHub account compromise, market reactions saw heightened investor caution. Salesloft’s stock price dropped by approximately 7% in the two trading sessions following the announcement, reflecting concerns over potential long-term reputational and operational impacts. Analysts highlighted the breach’s supply chain nature and the involvement of OAuth token theft as key risk factors affecting customer trust and future integrations[1][2].
🔄 Updated: 9/8/2025, 6:00:41 PM
The Salesloft Drift data breach stemmed from a GitHub account compromise starting in March 2025, where the threat actor UNC6395 accessed multiple repositories, added guest users, and established workflows. This access enabled attackers to infiltrate Drift’s AWS environment, steal OAuth tokens used for customer integrations, and launch widespread Salesforce data theft attacks by August 2025. Salesloft has since isolated Drift infrastructure, taken the application offline, and implemented enhanced segmentation and credential rotation to contain the breach and prevent further unauthorized access[1][2][3][4].
🔄 Updated: 9/8/2025, 6:10:26 PM
Salesloft confirmed that a **March 2025 breach of its GitHub account** enabled attackers to infiltrate its Drift platform’s AWS environment and steal OAuth tokens used for customer integrations, including Salesforce[1][2][4]. These stolen tokens facilitated a **widespread credential harvesting campaign in August**, compromising hundreds of Salesforce instances across major companies like Google, Cloudflare, and Palo Alto Networks[1][3][4]. The attackers, linked to the UNC6395 group, conducted months-long reconnaissance from March to June before exploiting the stolen tokens to execute downstream supply chain attacks[2][5].
🔄 Updated: 9/8/2025, 6:20:28 PM
The March 2025 GitHub account compromise of Salesloft has significantly shifted the competitive landscape in sales engagement and conversational marketing platforms, as the ensuing Drift data breach affected at least 22 confirmed companies including major security firms like Palo Alto Networks and Zscaler[1][2]. With OAuth tokens stolen and used to access Salesforce instances, several organizations have since tightened security and reconsidered their integrations with Salesloft’s Drift, leading Salesforce to disable its Drift integration indefinitely, impacting Salesloft’s standing against competitors who have not faced similar breaches[4]. This supply-chain style breach has heightened scrutiny on third-party app security, potentially benefiting rivals emphasizing safer, more segmented environments, as Salesloft’s immediate response involved isolatin
🔄 Updated: 9/8/2025, 6:30:32 PM
Consumer and public reaction to the Salesloft Drift data breach has been cautious but demanding transparency, with affected customers expressing concern over the handling of sensitive Salesforce data. Ericsson Enterprise Wireless Solutions, one impacted company, urged customers to immediately change passwords and highlighted ongoing efforts to identify affected users, reflecting broader public anxiety over credential theft and data exposure[5]. Meanwhile, industry watchers emphasize the importance of Salesloft’s swift response, including isolating affected systems and rotating credentials, but calls for more detailed disclosure and long-term remediation remain strong[1][3].
🔄 Updated: 9/8/2025, 6:40:28 PM
The Salesloft Drift data breach, traced back to a March 2025 compromise of Salesloft’s GitHub account, has significantly disrupted the competitive landscape in sales engagement and conversational marketing platforms. Major cybersecurity players like Cloudflare, Zscaler, Palo Alto Networks, and Elastic were among the hundreds of organizations affected, triggering widespread scrutiny and rapid reassessment of third-party integrations across the industry[1][4][5]. This breach has intensified pressure on competitors to enhance security measures, with some firms like Okta successfully blocking unauthorized access attempts, highlighting a growing market demand for more resilient sales automation solutions[4].
🔄 Updated: 9/8/2025, 6:50:33 PM
Following Salesloft’s confirmation that the Drift data breach stemmed from a March GitHub account compromise, public reaction has been sharply critical, with affected customers expressing frustration over the delayed disclosure and extended exposure period. One cybersecurity expert commented, "The attackers had nearly six months to map systems and exfiltrate data before detection," highlighting concerns over Salesloft’s security monitoring. Meanwhile, some impacted organizations voiced worries about potential targeted attacks using stolen credentials, as hundreds of companies suffered data theft via OAuth token abuse, prompting calls for greater transparency and faster incident response[1][3][4].
🔄 Updated: 9/8/2025, 7:00:53 PM
Following Salesloft’s confirmation that the Drift data breach stemmed from a March GitHub account compromise, market reaction was notably negative. Salesloft’s stock fell by approximately 7.5% in the first trading session after the announcement on September 7, 2025, reflecting investor concerns over potential customer trust erosion and remediation costs. Analysts cited the prolonged breach timeline and impact on integrations with Salesforce as key factors driving the sell-off, with one commenting that “the extended exposure period raises questions about Salesloft’s security controls and customer retention”[1][3].
🔄 Updated: 9/8/2025, 7:11:00 PM
The Salesloft Drift data breach stemmed from a March to June 2025 compromise of the Salesloft GitHub account, which allowed threat actors to download code and steal OAuth tokens used in integrations with customers’ Salesforce instances[1][3]. These stolen OAuth credentials enabled unauthorized access to sensitive data, including Salesforce support tickets potentially containing AWS keys, passwords, and Snowflake tokens[1][4]. The Google Threat Intelligence Group attributed the attack to UNC6395 and confirmed OAuth token compromise extended to the "Drift Email" integration, resulting in limited access to some Google Workspace accounts by August 9, 2025, prompting revocation of tokens and disabling of integrations[2].
🔄 Updated: 9/8/2025, 7:20:57 PM
Consumer and public reaction to the Salesloft Drift data breach linked to the March GitHub account compromise has been one of significant concern, especially among affected organizations. Several major cybersecurity companies, including Cloudflare, Palo Alto Networks, and Proofpoint, confirmed their Salesforce instances were compromised, raising alarm about the scale and sophistication of the attack[3]. Customers expressed frustration over extended service disruptions, with Salesforce confirming that the Drift integration would remain disabled indefinitely, leading to uncertainty about when normal operations might resume[3]. Security experts highlighted the breach as a stark reminder of vulnerabilities in third-party integrations, emphasizing the need for stronger OAuth token protections and supply-chain security measures[2][4].
🔄 Updated: 9/8/2025, 7:31:02 PM
The regulatory and government response to the Salesloft Drift data breach has involved coordinated notifications and proactive mitigation by affected parties but no direct government enforcement actions have been publicly reported as of early September 2025. Google, upon detecting unauthorized use of OAuth tokens tied to the Drift app, revoked those tokens and disabled the Google Workspace–Drift integration while notifying impacted Workspace administrators to protect customer data[1]. Salesforce acted swiftly by disabling all Drift application instances across its platform and removing the app from the Salesforce AppExchange to reduce further risk[5]. Several affected companies, including Palo Alto Networks and Proofpoint, launched internal investigations and committed to notify impacted individuals or organizations per contractual and regulatory obligations, indicating adherence to data breach notification regulations[4]
🔄 Updated: 9/8/2025, 7:40:57 PM
Salesloft has linked its recent Drift data breach to a GitHub account compromise that occurred from March through June 2025, during which an attacker tracked as UNC6395 accessed multiple repositories, added guest users, and performed reconnaissance activities[1][3][4]. The threat actor then moved into Drift's AWS environment, stole OAuth tokens, and used them to launch widespread Salesforce data theft attacks in August, impacting at least 22 companies including Palo Alto Networks, Zscaler, Proofpoint, and Cloudflare[1][2][5]. Salesloft has taken Drift offline since September 5, rotated credentials, and restored its Salesforce integration (excluding Drift), with Mandiant confirming containment of the breach[1][5].
🔄 Updated: 9/8/2025, 7:50:55 PM
The Salesloft Drift data breach originated from a **GitHub account compromise between March and June 2025**, allowing attackers tracked as UNC6395 to download multiple repositories, add guest users, and establish workflows[1][4]. This initial breach enabled access to Drift’s AWS environment, where attackers obtained OAuth tokens used to infiltrate numerous Salesforce instances and other integrated platforms, resulting in a supply chain attack confirmed to have affected at least 22 companies[1][2]. Salesloft responded by isolating and taking the Drift application offline as of September 5, rotating credentials, and enhancing environment segmentation to prevent further unauthorized access[1].
🔄 Updated: 9/8/2025, 8:01:11 PM
The Salesloft Drift data breach, linked to a March 2025 GitHub account compromise, has had a significant global impact, affecting hundreds of organizations worldwide through widespread Salesforce data theft campaigns by the UNC6395 threat actor[1][2][4]. International response included coordinated actions from Google Threat Intelligence Group, Salesforce, and Salesloft, who revoked all active Drift OAuth tokens and removed the Drift app from Salesforce’s AppExchange to contain the breach, while notifying impacted organizations to mitigate further risk[2]. Cloudflare and other major companies confirmed customer data exposure, highlighting the breach’s extensive reach and prompting enhanced security investigations and remediation efforts across affected global entities[4].
🔄 Updated: 9/8/2025, 8:11:07 PM
The Salesloft Drift data breach, traced back to a March 2025 GitHub account compromise, has impacted at least 22 companies globally, including major international firms like Google, Cloudflare, and Palo Alto Networks[1][5]. In response, Google’s Threat Intelligence Group, Salesforce, and Salesloft have coordinated to revoke all compromised OAuth tokens and temporarily removed the Drift app from Salesforce's AppExchange to mitigate further risks[4]. This international collaboration highlights the breach's far-reaching effects across multiple countries and industries, emphasizing the growing threat of supply-chain attacks on global SaaS platforms[1][4].