Close Menu
Cybercrime and Ransomware

Cyberattack Linked to GitHub Breach and OAuth Token Theft

Staff WriterBy No Comments4 Mins Read1 Views

Essential Insights

  1. Over 700 organizations, including major cybersecurity firms, were impacted by a sophisticated supply-chain attack traced back to a March 2025 compromise of Salesloft’s GitHub account, leading to widespread data theft.
  2. Threat actors exploited this access to steal OAuth tokens from Salesloft’s Drift platform, enabling unauthorized access to customer systems, notably exfiltrating sensitive data from Salesforce integrations.
  3. The attackers, identified as UNC6395, used stolen tokens between August 8-18, 2025, to access customer data, affecting high-profile companies like Cloudflare and Palo Alto Networks, highlighting risks in third-party SaaS integrations.
  4. Salesloft contained the breach by isolating affected environments, rotating credentials, and advising partners to revoke API keys, while also releasing IOC indicators and urging proactive security measures.

Underlying Problem

In early 2025, a highly complex and damaging supply-chain cyberattack was traced back to a breach of Salesloft’s GitHub account, which had been compromised from March through June. This initial infiltration allowed threat actors, linked to the group UNC6395 and possibly associated with the loosely connected “Scattered LAPSUS$ Hunters 4.0,” to secretly download data, add a guest user, and establish workflows in private repositories. Taking advantage of this foothold, they targeted Salesloft’s Drift cloud environment, seizing OAuth authentication tokens that granted access to customer data. Between August 8 and August 18, these tokens were exploited to extract sensitive information—like contact details and support case content—from major companies, including Cloudflare and Palo Alto Networks, exposing the risks of third-party application integrations. In response, Salesloft swiftly engaged cybersecurity experts from Mandiant to contain the breach, isolate affected systems, and advise clients to revoke compromised API keys, sharing indicators of compromise to aid ongoing detection efforts. Although the attack did not breach Salesloft’s core platform directly, it resulted in significant data theft affecting numerous high-profile organizations, emphasizing the vulnerability associated with third-party SaaS integrations and the sophisticated methods used by cybercriminals to infiltrate cloud services.

Risks Involved

A complex supply-chain attack, originating from a breach of Salesloft’s GitHub account active since March 2025, resulted in the theft of OAuth tokens from its Drift chat platform, culminating in widespread data exfiltration from over 700 organizations, including major cybersecurity firms and high-profile clients like Salesforce. Attackers, identified by Google as UNC6395, exploited these tokens between August 8 and August 18, to access and retrieve sensitive business and support data, exposing vulnerabilities inherent in third-party SaaS integrations. Despite Salesloft’s efforts to contain the breach—such as taking Drift offline, rotating credentials, and issuing Indicators of Compromise—this incident underscores the significant cyber risk posed by supply-chain vulnerabilities, where attackers leverage trusted channels to infiltrate multiple organizations, leading to substantial potential impacts, including data loss, reputational damage, and operational disruption across critical enterprise ecosystems.

Fix & Mitigation

Addressing the ‘Salesloft Drift Cyberattack Linked to GitHub Compromise and OAuth Token Theft’ promptly is vital to limit damage, prevent data breaches, and restore trust. Quick action ensures vulnerabilities are contained before malicious actors can exploit them further.

Mitigation Measures

  • Immediate Revocation: Revoke compromised OAuth tokens and reset affected credentials.
  • Security Audit: Conduct a comprehensive security review of integrations and access logs.
  • Incident Response: Activate a formal incident response plan to assess scope and impact.
  • User Notification: Inform affected users about the breach and advise on precautionary measures.
  • Credential Rotation: Change all compromised passwords and API keys across platforms.
  • Enhanced Monitoring: Implement real-time monitoring for unusual activity or access anomalies.
  • System Patching: Apply all relevant security patches to prevent exploitation of known vulnerabilities.
  • OAuth Best Practices: Enforce strict OAuth implementation standards, including least privilege access.
  • Security Training: Educate staff on phishing and security awareness to prevent future breaches.
  • Third-Party Assessment: Collaborate with security experts to evaluate third-party integrations and ensure their security measures align with organizational standards.

Continue Your Cyber Journey

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.