Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens

Salesloft Drift breach traced to GitHub compromise and stolen OAuth tokens, Mandiant confirms breach contained and Salesforce data targeted.

HackRead

Heard about the recent data breaches in which attackers used the Salesloft Drift application to access Salesforce data? There is now a major update. Salesloft has provided new details about the security incident involving its Drift application, confirming that the breach has been contained and that customer protections are in place.

The company brought in Google-owned cybersecurity firm Mandiant on August 28 to lead an investigation into the compromise. The scope of the engagement included identifying the root cause, assessing the damage, and validating that Salesloft’s core environment remained secure.

GitHub Access Preceded the Breach

Salesloft’s advisory, published today and detailing Mandiant’s findings, shows that the attacker gained access to a Salesloft GitHub account between March and June 2025. During this period, they downloaded content from several private repositories, added a guest user, and created new workflows.

Reconnaissance activity was also detected in both the Salesloft and Drift environments. However, investigators found no evidence that the attacker moved beyond limited probing in the Salesloft environment itself.

The attacker ultimately shifted focus to Drift’s AWS environment, where they obtained OAuth tokens from Drift customers. These tokens were then abused to access customer data through integrated applications.
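The GitHub-side activity described above (content pulled from private repositories, a guest user added, new workflows created) is the kind of pattern a defender would hunt for in an organisation's audit log after a token-theft campaign like this one. The Python below is an added example, not Salesloft's or Mandiant's tooling: it correlates those three behaviours per actor over a long window, since the advisory puts the activity between March and June. The log lines are constructed, the action names follow GitHub's audit-log vocabulary (`repo.download_zip`, `org.add_outside_collaborator`, `workflows.created_workflow_run`), and the mapping from those actions onto what Mandiant observed is an assumption.

```python
"""Correlate GitHub audit-log events into the GitHub-account pattern from the advisory.

Added example, not Salesloft or Mandiant code. The log records below are
constructed. The action names are GitHub audit-log actions, but which exact
actions Mandiant matched is an assumption made for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from audit-log actions to the three behaviours in the advisory.
REPO_DOWNLOAD = {"repo.download_zip", "git.clone"}
GUEST_ADDED = {"org.add_outside_collaborator", "org.invite_member"}
WORKFLOW_CREATED = {"workflows.created_workflow_run"}

# The advisory places the activity between March and June, so use a long window.
WINDOW = timedelta(days=90)


def parse_events(lines):
    """Parse newline-delimited JSON audit records into normalised dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "actor": rec["actor"],
            "action": rec["action"],
            "repo": rec.get("repo"),
            "visibility": rec.get("visibility"),
            "ts": datetime.fromisoformat(rec["@timestamp"]),
        })
    return events


def find_suspicious_actors(events, window=WINDOW):
    """Return actors that show at least two of the three behaviours within `window`.

    Requiring two stages keeps a single private clone or a single invite
    (both routine for developers) from firing on their own.
    """
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_actor[ev["actor"]].append(ev)

    findings = {}
    for actor, evs in by_actor.items():
        private_downloads = [e for e in evs
                             if e["action"] in REPO_DOWNLOAD and e["visibility"] == "private"]
        guests = [e for e in evs if e["action"] in GUEST_ADDED]
        workflows = [e for e in evs if e["action"] in WORKFLOW_CREATED]
        stages = [s for s in (private_downloads, guests, workflows) if s]
        if len(stages) < 2:
            continue
        first = min(s[0]["ts"] for s in stages)   # each stage list is already time-ordered
        last = max(s[-1]["ts"] for s in stages)
        if last - first > window:
            continue
        findings[actor] = {
            "private_repos_downloaded": sorted({e["repo"] for e in private_downloads}),
            "guest_users_added": len(guests),
            "workflows_created": len(workflows),
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
        }
    return findings


# Constructed sample log: one actor walks through all three stages over ~3 months,
# two others show only routine single-stage activity.
SAMPLE_LOG = """
{"@timestamp": "2025-03-12T09:14:00+00:00", "actor": "svc-ci-deploy", "action": "repo.download_zip", "repo": "example-org/api-core", "visibility": "private"}
{"@timestamp": "2025-03-14T11:02:00+00:00", "actor": "dev-alice", "action": "git.clone", "repo": "example-org/api-core", "visibility": "private"}
{"@timestamp": "2025-04-02T16:40:00+00:00", "actor": "svc-ci-deploy", "action": "git.clone", "repo": "example-org/drift-sync", "visibility": "private"}
{"@timestamp": "2025-04-20T08:05:00+00:00", "actor": "svc-ci-deploy", "action": "org.add_outside_collaborator", "repo": null, "visibility": null}
{"@timestamp": "2025-05-06T13:30:00+00:00", "actor": "dev-bob", "action": "org.invite_member", "repo": null, "visibility": null}
{"@timestamp": "2025-06-01T22:51:00+00:00", "actor": "svc-ci-deploy", "action": "workflows.created_workflow_run", "repo": "example-org/api-core", "visibility": "private"}
"""


if __name__ == "__main__":
    for actor, detail in find_suspicious_actors(parse_events(SAMPLE_LOG.splitlines())).items():
        print(actor, json.dumps(detail, indent=2))
```

Run against a real export, the interesting follow-up is the guest user the flagged actor added and every workflow run it created, since a workflow is a convenient place to read repository secrets or reach out to other environments; that is exactly the pivot toward Drift's AWS environment that the advisory describes.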

Containment and Remediation

Salesloft says it acted quickly to contain the incident. Key steps included:

  • Rotating all affected credentials within Drift.
  • Rotating credentials in Salesloft’s own environment as a precaution.
  • Isolating Drift’s application and infrastructure, then taking the service offline.
  • Hardening its environment against the techniques observed in the attack.
  • Conducting proactive threat hunting across Salesloft infrastructure, which revealed no additional signs of compromise.

Mandiant also confirmed that the Drift and Salesloft platforms are technically segmented, a factor that helped limit the attacker’s reach.

[Screenshot from the company’s latest update]

Industry Impact

The breach is not limited to Drift alone. According to Google’s Threat Intelligence Group and Mandiant, the attack was part of a coordinated campaign that targeted Salesforce integrations across multiple companies in August.

As Hackread.com reported, organisations including Zscaler, Palo Alto Networks, PagerDuty, Cloudflare, TransUnion, Chanel, Google, Farmers Insurance and others have confirmed that data tied to their Salesforce environments was accessed through compromised Drift OAuth tokens. In most cases, the exposed information consisted of business contact details such as names, email addresses, job titles, and phone numbers.

While attribution remains under investigation, Google has linked the threat actor group UNC6395 to the campaign. A separate group calling itself “Scattered Lapsus$ Hunters”, an apparent coalition that combines the tactics and branding of Scattered Spider, Lapsus$, and ShinyHunters, has publicly claimed responsibility, but investigators have not confirmed that claim.

Current Status

With the Drift breach contained, Mandiant’s role has moved to forensic quality assurance to validate the findings and ensure the integrity of both environments. Salesloft also emphasised that while Drift was directly impacted, its core application environment was not breached beyond reconnaissance activity.
