Salesloft Security Breach: GitHub Account Compromised

By Staff Writer, September 8, 2025

Fast Facts

  1. Supply Chain Breach: A threat actor (UNC6395) compromised Salesloft’s GitHub account, leading to a significant supply chain breach affecting hundreds of Salesforce instances by stealing OAuth tokens from the Drift application.

  2. OAuth Abuse: The attack involved the retrieval of sensitive data from various Salesloft repositories, with stolen OAuth tokens potentially compromising not only Salesforce but other integrations as well.

  3. Widespread Impact: Numerous companies, including Zscaler and Cloudflare, reported that their Salesforce instances were breached, with sensitive internal data and API tokens being exposed during the attack.

  4. Security Response: Following the incident, Salesforce temporarily disabled all integrations with Salesloft, though the integration has since been restored except for the Drift app, which remains disabled pending further investigation.


A threat actor compromised Salesloft’s GitHub account earlier this year, which sparked last month’s massive supply chain attack that compromised hundreds of Salesforce instances. 

The threat actor, tracked as UNC6395, used stolen OAuth tokens from Salesloft’s Drift application, which is integrated with Salesforce, to accomplish the breach last month and steal sensitive data. Last week, several cybersecurity and technology companies disclosed that their Salesforce instances had been among those compromised in the supply chain attacks.

On Saturday, Salesloft published an update on Mandiant’s investigation into the attacks that provided more clarity on how the campaign unfolded. According to the update, Mandiant determined the initial attack on Salesloft began as early as March and involved a compromise of the company’s GitHub account.

UNC6395 downloaded data from multiple Salesloft repositories and conducted reconnaissance in the Salesloft and Drift application environments between March and June. From there, the threat actor gained access to Drift’s Amazon Web Services (AWS) environment and stole OAuth tokens for Drift customers’ technology integrations — not just Salesforce.

In an updated blog post in late August, Google Threat Intelligence Group (GTIG) said that, based on new information it had detected, UNC6395’s abuse of the OAuth tokens was not limited to Salesforce. As a result, GTIG urged all Salesloft Drift customers to “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”


GitHub Attack Vector

It’s unclear how Salesloft’s GitHub account was compromised; the company’s update on Mandiant’s investigation did not specify how UNC6395 first gained access to the account. But GitHub has emerged as a rich attack vector for a variety of threat actors in recent years, for everything from code poisoning campaigns to developer-focused supply chain attacks.

Dwayne McDaniel, developer advocate at cybersecurity vendor GitGuardian, says that while it’s unclear what types of data the threat actor obtained in GitHub, the supply chain attack followed a familiar and concerning pattern.

“It’s a perfect example of using secrets for lateral movement,” he tells Dark Reading. “There’s a false sense of security with these repos where companies say, ‘Hey, our repo is private, we’re OK,’ but all it takes is one account compromise and your secrets are exposed.”

While GitHub has implemented security features to help customers protect secrets, such as credentials, API keys, and encryption keys, McDaniel says organizations still expose sensitive data at an alarming rate. In GitGuardian’s 2025 “State of Secrets Sprawl” report, the company detected more than 23.7 million secrets contained in public commits in 2024, a sizeable increase from approximately 19 million secrets detected the previous year.


“It’s something we’re seeing an increase in, unfortunately, not a decrease,” McDaniel says.

Salesloft Drift Attacks Expanding

Salesloft’s update follows several disclosures last week from Drift customers that had their Salesforce instances breached, including Zscaler, Proofpoint, Palo Alto Networks, and Cloudflare. While several companies said the UNC6395 actors obtained internal sales account data, contact information, and basic case data, Cloudflare disclosed that some customer support cases that were stored in Salesforce included configuration settings and 104 Cloudflare API tokens.

Cloudflare said it rotated the tokens as a precaution, even though no suspicious activity had been detected. McDaniel says it’s not surprising that some organizations are storing technical data like keys and credentials in Salesforce via customer support cases and tickets, as the use of Salesforce has greatly expanded over the years. “We find credentials in a lot of places outside the repos now, including Salesforce,” he says.
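The rotation step described above depends on knowing which credentials sit in support-case text in the first place. The following is an added example, not part of the original article or any vendor's tooling: it scans exported case bodies for credential-like strings and builds a rotation worklist keyed by a truncated hash, so the secret itself is never written to the report. The case records, the keyword list and the entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample input: (case id, free-text body) pairs from an export.
CASES = [
    ("CASE-1001", "Config attached: api_token=Zx9qLm2Vt7Rk4Bn8Hs3Wd6Yp1Gc5Jf0QaTuE please advise"),
    ("CASE-1002", "Set api_key=xxxxxxxxxxxxxxxxxxxxxxxx in the config (value redacted by customer)"),
    ("CASE-1003", "Request fails with Authorization: Bearer Zx9qLm2Vt7Rk4Bn8Hs3Wd6Yp1Gc5Jf0QaTuE"),
    ("CASE-1004", "Screenshot showed access key id AKIAIOSFODNN7EXAMPLE in the console"),
]

# AWS access key IDs have a fixed, documented shape.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Assumed keyword list: a long value following a credential-style label.
KEYWORD_VALUE = re.compile(
    r'''\b(?:api[_-]?token|api[_-]?key|secret|password|bearer)\b["'\s:=]+([A-Za-z0-9_.\-]{20,})''',
    re.IGNORECASE,
)

def shannon_entropy(value):
    """Bits per character; placeholders such as 'xxxx...' score near zero."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())

def build_rotation_worklist(cases, min_entropy=3.5):
    """Return one entry per distinct secret, listing every case that holds it."""
    findings = {}
    for case_id, body in cases:
        hits = [("aws_access_key_id", m.group(0)) for m in AWS_KEY_ID.finditer(body)]
        hits += [("keyword_context", m.group(1)) for m in KEYWORD_VALUE.finditer(body)
                 if shannon_entropy(m.group(1)) >= min_entropy]
        for kind, value in hits:
            # Truncated SHA-256 deduplicates across cases without storing the value.
            fingerprint = hashlib.sha256(value.encode()).hexdigest()[:12]
            entry = findings.setdefault(fingerprint, {"kind": kind, "cases": set()})
            entry["cases"].add(case_id)
    return [{"fingerprint": fp, "kind": e["kind"], "cases": sorted(e["cases"])}
            for fp, e in sorted(findings.items())]

if __name__ == "__main__":
    for item in build_rotation_worklist(CASES):
        print(item["fingerprint"], item["kind"], ",".join(item["cases"]))
```

The same token pasted into two cases produces a single worklist entry naming both, which is what a rotation owner needs; the redacted placeholder in CASE-1002 is dropped by the entropy check.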


More victims have emerged, including Tenable and Qualys, joining an already long list that includes technology companies Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. Salesloft said the campaign did not affect customers who don’t use the company’s Drift-Salesforce integration, but it’s unclear how many organizations were affected by the attacks. Cloudflare said in its disclosure that it was just one of “hundreds of other companies” targeted in the supply chain campaign.

As part of the response to the supply chain attack, Salesforce had disabled all integrations with Salesloft; but in a separate update on Sunday, Salesloft said integration between its platform and Salesforce had resumed.

“We are pleased to report that the integration between the Salesloft platform and Salesforce is now restored. Salesforce users can once again leverage the full capabilities and integrations of the Salesloft platform with confidence,” read the update.

However, in its own security advisory on Sunday, Salesforce said it has restored integrations with Salesloft products and technologies “with the exception of any Drift app.”

According to the advisory, “Drift will remain disabled until further notice as part of our continued response to the security incident.”

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
