Massive Salesforce-Salesloft Data Breach: How Hackers Exploited GitHub to Launch a Global Attack

Introduction

A shocking cybersecurity incident has shaken the business world, as attackers gained unauthorized access to Salesloft’s GitHub account and later exploited compromised OAuth tokens from Drift AI to steal massive amounts of data from Salesforce environments. This campaign, attributed to the threat actor group UNC6395, targeted hundreds of organizations, including some of the biggest names in cybersecurity. The breach has highlighted how a single weak link in the supply chain can cascade into widespread damage across multiple platforms and enterprises.

The Breach

Between March and June 2025, hackers infiltrated Salesloft’s GitHub account, where they secretly conducted reconnaissance, downloaded repositories, and even created guest accounts. This stealthy preparation paved the way for a much larger strike.

From August 8 to August 18, 2025, the attackers launched their full-scale campaign, exploiting compromised OAuth tokens from the Drift AI chatbot. These stolen tokens allowed them to export large datasets from Salesforce environments. The stolen information included AWS access keys, passwords, Snowflake tokens, and sensitive customer data.
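Once an organization learns that a support-data export was taken, one of the first response steps is to find out which credentials were sitting inside that data so they can be rotated before they are used. The script below is an added, illustrative example (not code from the article or from any vendor named in it): it scans constructed sample support-case records for the kinds of secrets the article lists. The record layout, field names and all sample values are assumptions; the AWS access-key pattern is the documented public format, while the password and Snowflake matchers are keyword heuristics, not vendor-defined token formats.

```python
import re
from typing import Dict, Iterable, List

# Heuristic patterns for the secret types named in the article. Assumptions for
# this example: the AWS access key ID format (AKIA + 16 chars) is the documented
# public format; the other two are keyword heuristics, not real token formats.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
    "snowflake_token": re.compile(r"(?i)\bsnowflake\b.{0,40}?\b(?:token|key)\s*[:=]\s*\S+"),
}

# Free-text fields of a support-case record where customers paste things they
# should not. Field names are assumed for the example.
TEXT_FIELDS = ("Subject", "Description", "Comments")

# Constructed sample export. All values are fake and chosen to exercise the patterns.
SAMPLE_CASES = [
    {"Id": "500-001", "Subject": "Cannot log in",
     "Description": "Portal rejects my account since Monday."},
    {"Id": "500-002", "Subject": "S3 sync broken",
     "Description": "Tried with access key AKIAIOSFODNN7EXAMPLE but uploads time out."},
    {"Id": "500-003", "Subject": "Warehouse connection",
     "Description": "Our snowflake token: sfx_tok_1234abcd stopped working after rotation.",
     "Comments": "Agent note: customer also pasted password=Summer2025!"},
]


def redact(value: str) -> str:
    """Keep a short prefix so the hit can be located, hide the rest so the
    findings report is not itself a secrets dump."""
    return value[:8] + "..." if len(value) > 8 else value


def scan_record(record: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per pattern match in the record's free-text fields."""
    findings = []
    for field in TEXT_FIELDS:
        text = record.get(field, "")
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({
                    "record_id": record.get("Id", "?"),
                    "field": field,
                    "type": name,
                    "excerpt": redact(match.group(0)),
                })
    return findings


def scan_export(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan every record of an export and collect all findings."""
    out: List[Dict[str, str]] = []
    for rec in records:
        out.extend(scan_record(rec))
    return out


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per secret type so the response team knows which credential
    classes need rotation first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_export(SAMPLE_CASES)
    for h in hits:
        print(f"{h['record_id']} {h['field']:<12} {h['type']:<20} {h['excerpt']}")
    print("rotation plan:", summarize(hits))
```

The redacted excerpt is deliberate: the output of a scan like this gets pasted into tickets and chat, so it should point at the record and field without reproducing the credential.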

Although initially believed to affect only Salesforce-Salesloft-Drift integrations, the attack spread further, impacting Google Workspace customers and other entities. In response, Salesforce swiftly disabled the Salesloft integration, while Drift temporarily went offline to reinforce its defenses. By September 7, the integration was restored, but confidence was already shaken.

Salesloft later clarified that the breach wasn’t due to Drift’s security flaws but instead to the earlier GitHub compromise. According to Mandiant’s forensic investigation, the attackers had infiltrated Salesloft’s and Drift’s environments, stolen OAuth tokens, and used them to exfiltrate valuable organizational data.

While Salesloft confirmed that the breach was contained and attackers removed, the scale of impact remains unclear. Estimates suggest around 700 companies may have been compromised. High-profile victims include Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, Tenable, CyberArk, BeyondTrust, PagerDuty, Rubrik, JFrog, Bugcrowd, and many others.

In many cases, the stolen Salesforce data included customer support records, names, emails, and phone numbers, posing severe privacy and trust concerns. Even Elastic admitted one of its email accounts was compromised through Drift Email. Other organizations like Heap, Nutanix, Sigma Computing, and Workiva also reported breaches.

This large-scale attack has become one of the most significant supply chain compromises of 2025, highlighting urgent gaps in cloud integrations, OAuth security, and GitHub repository protections.

What Undercode Says:

The Salesloft-Salesforce-Drift breach is not just another corporate cyberattack—it’s a lesson in modern digital warfare. Let’s break down its implications:

GitHub as the Achilles Heel

Attackers knew where to strike. By compromising Salesloft’s GitHub, they gained a silent backdoor to plant workflows, harvest data, and stage future attacks. GitHub, often overlooked, is now clearly a high-value target.

OAuth Tokens: The Golden Keys

Stolen OAuth tokens turned out to be the perfect attack vector. Unlike passwords, OAuth tokens grant persistent access across apps and integrations. Once stolen, they enabled hackers to move laterally across Salesforce and Drift ecosystems.
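The defensive counterpart to token abuse is watching what a connected app's token actually does, because a stolen token looks like the legitimate integration until its behaviour diverges. The script below is an added example, not code from the article or from Salesforce, Salesloft or Drift: it reads constructed integration-access log lines (the column layout is an assumption made for this example, not a real Salesforce log format) and checks them against a per-app baseline of expected objects and hourly row volume, so a chat integration's token that suddenly reads whole Case and Contact tables stands out. The app names, baselines and sample rows are all constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

# Constructed sample of an integration access log. The column layout is an
# assumption for this example, not a Salesforce log format.
SAMPLE_LOG = """\
timestamp,connected_app,operation,sobject,rows
2025-08-08T09:00:00Z,chatbot-integration,create,Lead,3
2025-08-08T09:05:00Z,chatbot-integration,create,Lead,2
2025-08-08T09:10:00Z,chatbot-integration,query,Case,50000
2025-08-08T09:12:00Z,chatbot-integration,query,Contact,120000
2025-08-08T09:30:00Z,chatbot-integration,query,Account,80000
2025-08-08T10:00:00Z,reporting-tool,query,Case,5000
2025-08-08T11:00:00Z,reporting-tool,query,Case,5200
"""

# Expected behaviour per connected app: which objects it legitimately touches and
# how many rows per hour is normal. Assumed baselines for the example.
EXPECTED = {
    "chatbot-integration": {"objects": {"Lead"}, "rows_per_hour": 500},
    "reporting-tool": {"objects": {"Case"}, "rows_per_hour": 20000},
}
WINDOW = timedelta(hours=1)


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV log into typed events, sorted by time."""
    events = []
    for r in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "app": r["connected_app"],
            "op": r["operation"],
            "sobject": r["sobject"],
            "rows": int(r["rows"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_abuse(events: List[Dict], expected: Dict = EXPECTED) -> List[Dict]:
    """Return alerts for out-of-scope object access and abnormal export volume."""
    alerts = []
    flagged_objects = defaultdict(set)   # app -> objects already reported
    window = defaultdict(list)           # app -> events in the trailing hour
    last_volume_alert: Dict[str, datetime] = {}
    for ev in events:
        app, ts = ev["app"], ev["ts"]
        profile = expected.get(app)
        if profile is None:
            # A token for an app nobody has a baseline for is itself worth a look.
            alerts.append({"ts": ts, "app": app, "kind": "unknown_app",
                           "detail": "no baseline on file"})
            continue
        # Scope check: the token is used on an object this integration never needs.
        if ev["sobject"] not in profile["objects"] and ev["sobject"] not in flagged_objects[app]:
            flagged_objects[app].add(ev["sobject"])
            alerts.append({"ts": ts, "app": app, "kind": "out_of_scope_object",
                           "detail": f"{ev['op']} on {ev['sobject']}"})
        # Volume check: rows moved in the trailing hour versus the app's baseline.
        w = window[app]
        w.append(ev)
        while ts - w[0]["ts"] > WINDOW:
            w.pop(0)
        total = sum(e["rows"] for e in w)
        recent = last_volume_alert.get(app)
        if total > profile["rows_per_hour"] and (recent is None or ts - recent > WINDOW):
            last_volume_alert[app] = ts   # one volume alert per app per window
            alerts.append({"ts": ts, "app": app, "kind": "export_volume",
                           "detail": f"{total} rows in trailing hour "
                                     f"(baseline {profile['rows_per_hour']})"})
    return alerts


if __name__ == "__main__":
    for a in detect_abuse(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']:%H:%M} {a['app']:<20} {a['kind']:<20} {a['detail']}")
```

The scope check fires before the volume check on purpose: an integration touching an object outside its job is a strong signal even at low volume, and it is the cheaper of the two to act on, since the remedy is to revoke that connected app's token and re-issue it with narrower scope.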

The Supply Chain Domino Effect

What began with Salesloft spread to Salesforce, Drift, and even Google Workspace. This domino effect reveals how deeply interconnected enterprise tools are, meaning one breach can ripple across an entire ecosystem.

High-Profile Targets, Bigger Consequences

This wasn’t a random hit on small firms. It directly struck some of the world’s biggest cybersecurity players—companies like Cloudflare and Palo Alto Networks that are supposed to be defenders of the digital world. This has shaken industry confidence and raised questions: if they’re vulnerable, who isn’t?

Economic and Trust Fallout

Beyond technical damage, this breach may cost millions in losses, legal battles, and regulatory scrutiny. Customer trust is shaken, especially as sensitive support data and personal identifiers were exposed.

Mandiant’s Role in Containment

The involvement of Mandiant highlights the scale of this breach. Containment was possible, but detection took months. The reality: attackers were already inside long before anyone noticed.

The Larger Pattern

This attack is part of a growing wave of supply chain compromises, echoing past incidents like SolarWinds and the Nx attack. Hackers are no longer breaching single targets—they’re hijacking integrations to maximize damage.

The Human Element

Behind every breach is human oversight—misconfigurations, poor repository security, or unchecked guest accounts. Cybersecurity is no longer just about firewalls; it’s about operational discipline.

The Harsh Truth

The Salesloft breach shows us one undeniable reality: no company, no matter how big, is immune. What matters now is response speed, transparency, and building resilience before the next inevitable wave.

Fact Checker Results ✅❌

✅ Attackers did compromise Salesloft’s GitHub account between March–June 2025.
✅ OAuth tokens from Drift AI were the main attack vector for Salesforce data theft.
❌ It was not a flaw in Drift itself but the GitHub breach that enabled the attack.

Prediction 🔮

The Salesloft-Salesforce breach will not be the last. In the coming months, we can expect:

Attackers to increasingly target GitHub and developer platforms for stealthy entry.
OAuth token abuse to become one of the most exploited weaknesses in cloud security.
More companies forced to rethink integration security and adopt zero-trust strategies before customers lose confidence altogether.


References:

Reported By: www.securityweek.com