Fast Facts
- Threat actors accessed Salesloft’s GitHub account from March to June 2025, enabling reconnaissance that led to a widespread data theft campaign exploiting compromised OAuth tokens.
- The attackers used these tokens to extract large volumes of data, including AWS keys and access tokens, primarily targeting Salesforce and Drift AI environments.
- The breach impacted over a dozen companies across cybersecurity and tech sectors, affecting customer support data and various cloud services, though the exact number of organizations affected remains unconfirmed.
- Salesforce responded by disabling the affected integrations and later restoring them, with investigations confirming that the breach resulted from the earlier GitHub compromise, not a product vulnerability.
The Core Issue
Between March and June 2025, threat actors gained prolonged access to Salesloft’s GitHub account, secretly downloading information from various repositories, creating a guest user, and establishing workflows—actions that laid the groundwork for a subsequent widespread data theft campaign. This malicious breach was linked to a threat group identified as UNC6395. By exploiting OAuth tokens stolen from Drift AI’s environment—obtained through the earlier GitHub intrusion—the attackers orchestrated a sophisticated operation, primarily targeting Salesforce-Salesloft integrations but ultimately affecting over a dozen cybersecurity firms and potentially around 700 organizations. The attackers leveraged these compromised credentials to extract sensitive data, including AWS access keys, passwords, and Snowflake tokens, facilitating access to customer data stored in Salesforce, such as support tickets and personal information like names and contact details. In response, Salesforce temporarily disabled the affected integrations, and Drift was taken offline to bolster security measures, with the impacts now contained and the threat actors expelled from the affected environments, as confirmed by cybersecurity investigators including Mandiant. The incident underscores how a single compromised account can cascade into a broad cyberepidemic, exposing vast quantities of private corporate and customer data across multiple platforms and sectors.
Critical Concerns
Between March and June 2025, threat actors gained access to Salesloft’s GitHub account, enabling them to conduct reconnaissance and establish workflows that ultimately facilitated a widespread data theft campaign against numerous organizations. By exploiting compromised OAuth tokens obtained from Drift AI’s chatbot through Salesforce environments—initially believed to be limited to Salesforce-Salesloft integrations—the attackers exfiltrated sensitive data, including AWS access keys, passwords, and Snowflake tokens. This breach impacted over a dozen cybersecurity firms and potentially around 700 entities, exposing customer support tickets containing personal information like names and contact details. The attack was orchestrated by a threat actor tracked as UNC6395, highlighting the risks posed by compromised development platform credentials that lead to unauthorized data access, widespread service disruptions, and the erosion of organizational trust in integrated cloud services. Salesforce temporarily disabled the affected integrations and enforced security measures, successfully containing the incident, but the event underscores the peril of persistent credential compromises and the importance of vigilant, layered security protocols to mitigate future breaches.
Fix & Mitigation
Prompt for remediation of a compromised Salesloft GitHub account before a broader Salesforce attack is crucial because early action can prevent extensive data breaches, safeguard sensitive information, and maintain organizational trust. Addressing the issue promptly limits potential damage and strengthens cybersecurity defenses.
Containment Measures
Immediately revoke all access tokens, API keys, and compromised credentials. Isolate affected systems from the network to prevent lateral movement.
Authentication & Access Review
Conduct a thorough review of user accounts with access to GitHub and related platforms. Enforce multi-factor authentication (MFA) and implement strict access controls.
Incident Investigation
Identify the extent and source of the breach through logs analysis and forensic investigation. Understand how the compromise occurred to prevent future attacks.
Credential Reset & Rotation
Reset all compromised credentials and rotate keys regularly. Distribute new credentials securely to authorized personnel only.
Security Patches & Updates
Apply necessary patches and updates to GitHub, Salesforce, and related tools. Ensure all systems are up-to-date with the latest security fixes.
Enhanced Monitoring
Implement continuous monitoring and real-time alerting for unusual activities. Use intrusion detection systems to identify suspicious access attempts.
User Training & Awareness
Educate staff about security best practices, phishing risks, and recognizing suspicious activity. Foster a security-conscious organizational culture.
Communication & Reporting
Notify relevant stakeholders about the breach as per legal and organizational protocols. Maintain transparent communication to uphold trust and compliance.
Review & Strengthen Policies
Evaluate existing security policies related to account management and third-party integrations. Update procedures to mitigate similar risks in the future.
Continue Your Cyber Journey
Discover cutting-edge developments in Emerging Tech and industry Insights.
Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
