Salesloft says attackers first breached its GitHub account in March, leading to the theft of Drift OAuth tokens later used in widespread Salesforce data theft attacks in August.
Salesloft is a widely used sales engagement platform that helps companies manage outreach and customer communications. Its Drift platform is a conversational marketing tool that integrates chatbots and automation into sales pipelines, including integrations with platforms like Salesforce.
The two have been at the center of a major supply-chain style breach first disclosed in late August, with Google's Threat Intelligence Group attributing the attacks to UNC6395.
However, BleepingComputer has learned that the ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks.
Breach started with GitHub
Salesloft first disclosed a security issue in the Drift application on August 21 and revealed more details about malicious exploitation of the OAuth tokens five days later.
This has led to widespread Salesforce data theft attacks on Salesloft customers, including Google, Zscaler, Cloudflare, Workiva, Tenable, JFrog, Bugcrowd, Proofpoint, Palo Alto Networks, and the list is still growing.
In the Salesloft data theft attacks, the threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets.
"Initial findings have shown that the actor's primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens," warned Salesloft in an August 26 update.
According to an investigation by Mandiant, which is aiding Salesloft in responding to its breach, the threat actors first gained access to its GitHub environment between March and June 2025.
... continue reading