GitHub Breach Hits 22 Companies via Salesloft Drift Exploit

By Staff Writer | September 8, 2025 | 4 Mins Read

Quick Takeaways

  1. The data breach at Salesloft originated from the compromise of its GitHub account, which allowed a threat actor to access multiple repositories and establish workflows.
  2. The attacker, tracked as UNC6395, accessed Salesloft’s GitHub from March to June 2025, impacting 22 companies and leading to reconnaissance activities within Salesloft and Drift environments.
  3. The intruder gained access to Drift’s AWS environment, stole OAuth tokens, and used them to compromise customer data via Drift integrations.
  4. Salesloft temporarily shut down the Drift application, reset credentials, and reinforced security controls. Salesforce re-enabled most integrations except for Drift, which remains disabled while the investigation continues.

What’s the Problem?

In late August 2025, a significant security breach was discovered involving Salesloft, a company providing sales engagement tools, with the origins traced back to a compromised GitHub account used by the company. The threat actor, identified as UNC6395 and linked to a possible advanced persistent threat, gained unauthorized access to Salesloft’s repositories between March and June 2025. Exploiting this access, the attacker downloaded sensitive content, added a guest user, and set up workflows, indicating an intent to probe or manipulate the system. The investigation uncovered that the threat group also conducted reconnaissance activities within the Salesloft and Drift environments, culminating in accessing Drift’s AWS infrastructure and stealing OAuth tokens, which were then exploited to breach customer data through Drift’s integrations.

The incident prompted Salesloft to take immediate action by isolating and shutting down Drift’s infrastructure, rotating credentials, and reinforcing security measures to prevent further infiltration. Salesforce, the platform hosting integrations with Salesloft, temporarily suspended the affected services and then gradually re-enabled some functionalities by early September 2025, leaving Drift’s application disabled to ensure ongoing security. The report detailing these events was released by Ravie Lakshmanan, highlighting the scope of the breach, its cause rooted in supply chain vulnerabilities, and the steps taken to contain and remediate the attack, emphasizing the importance of vigilant API security and third-party access management.

Security Implications

Cyber risks, exemplified by recent breaches like the Salesloft incident, demonstrate how sophisticated attacks exploiting supply chain vulnerabilities and API security flaws can lead to widespread data compromise, unauthorized access, and operational disruption across multiple organizations. In this case, hackers leveraged a compromised GitHub account to infiltrate the vendor’s systems, access customer OAuth tokens, and potentially manipulate or steal sensitive integration data, highlighting the devastating impact of interconnected digital environments. Such breaches not only threaten confidential information but also erode trust, cause financial losses, and compel organizations to undertake costly remediation efforts, emphasizing the urgent need for robust security measures, continuous monitoring, and proactive incident response strategies to mitigate escalating cyber threats.

Possible Actions

Prompt remediation after a GitHub account compromise is critical, especially when the compromise leads to a larger breach such as the Salesloft Drift incident, which affected multiple companies. Swift action can limit damage, prevent data exfiltration, and restore trust.

Mitigation Strategies

  • Account Reset: Immediately revoke access credentials and reset passwords for compromised accounts.
  • Access Restrictions: Temporarily restrict access permissions to limit further unauthorized activities.
  • Incident Investigation: Conduct a thorough forensic analysis to determine breach extent and origin.
  • Credential Rotation: Change all related API keys, tokens, and passwords across connected systems.
  • Monitoring & Alerts: Implement enhanced monitoring tools with real-time alerting for unusual activity.
  • Notification & Reporting: Notify affected stakeholders and regulatory bodies according to compliance requirements.
  • Security Review: Perform an overarching security audit to identify vulnerabilities and strengthen defenses.
  • Employee Training: Reinforce cybersecurity awareness among staff to prevent initial compromises.
  • Update Policies: Revise security policies and protocols to include lessons learned from the breach.
  • Third-party Coordination: Coordinate with third-party vendors and partners to ensure aligned security measures.
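
To make the "Monitoring & Alerts" item concrete for this incident, the following added example (not part of the original article or any vendor's tooling) correlates the three GitHub behaviours reported above: content downloads, a newly added user, and workflow activity. It assumes a GitHub audit-log JSON export with `action`, `actor`, `repo` and `@timestamp` fields; the sample events, thresholds and behaviour labels are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events (not from the incident), shaped like audit-log
# export lines; the field layout is an assumption about the export format.
SAMPLE_LOG = """
{"@timestamp": 1746000000000, "action": "git.clone", "actor": "svc-ci", "repo": "example-org/app"}
{"@timestamp": 1746000030000, "action": "workflows.created_workflow_run", "actor": "svc-ci", "repo": "example-org/app"}
{"@timestamp": 1746000060000, "action": "git.clone", "actor": "dev-42", "repo": "example-org/app"}
{"@timestamp": 1746000120000, "action": "repo.download_zip", "actor": "dev-42", "repo": "example-org/infra"}
{"@timestamp": 1746000180000, "action": "git.clone", "actor": "dev-42", "repo": "example-org/billing"}
{"@timestamp": 1746000240000, "action": "git.clone", "actor": "dev-42", "repo": "example-org/tools"}
{"@timestamp": 1746000300000, "action": "org.add_member", "actor": "dev-42", "user": "guest-user-1"}
{"@timestamp": 1746000360000, "action": "workflows.created_workflow_run", "actor": "dev-42", "repo": "example-org/infra"}
"""

# Action names as they appear in GitHub's audit log.
MEMBER_ACTIONS = {"org.add_member", "org.invite_member", "repo.add_member"}
FETCH_ACTIONS = {"git.clone", "repo.download_zip"}
WORKFLOW_ACTION = "workflows.created_workflow_run"

def triage(log_text, repo_threshold=3, window_ms=3_600_000, min_behaviours=2):
    """Return {actor: [behaviours]} for actors showing several behaviours."""
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["@timestamp"])
    seen = defaultdict(set)      # actor -> behaviours observed
    fetches = defaultdict(list)  # actor -> [(timestamp, repo)]
    for e in events:
        actor, action, ts = e["actor"], e["action"], e["@timestamp"]
        if action in MEMBER_ACTIONS:
            seen[actor].add("member_added")
        elif action == WORKFLOW_ACTION:
            seen[actor].add("workflow_run")
        elif action in FETCH_ACTIONS:
            fetches[actor].append((ts, e["repo"]))
            # Distinct repos this actor pulled inside the sliding window.
            recent = {r for t, r in fetches[actor] if ts - t <= window_ms}
            if len(recent) >= repo_threshold:
                seen[actor].add("bulk_fetch")
    # Each behaviour alone is routine; the combination is what gets escalated.
    return {a: sorted(b) for a, b in seen.items() if len(b) >= min_behaviours}

if __name__ == "__main__":
    for actor, behaviours in triage(SAMPLE_LOG).items():
        print(f"{actor}: {', '.join(behaviours)}")
```

The CI account's single clone and workflow run stay below the correlation threshold, while the account that fetches several repositories, adds a member and triggers a workflow is escalated.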


Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
