Data Leak in Salesloft Drift Traced to GitHub Breach and OAuth Token Theft

330/68 Tuesday, September 9, 2025

On August 28, 2025, cybersecurity firm Mandiant disclosed findings from its investigation into a data leak involving the Drift application. The probe revealed that hackers had compromised Salesloft’s GitHub account between March and June 2025, during which they downloaded data from private repositories, added guest users, and created new workflows. The attackers then shifted focus to Drift’s AWS environment, where they stole OAuth tokens belonging to Drift customers, later using them to access data from platforms integrated with Salesforce.

Salesloft stated that upon discovering the incident, it took immediate containment measures, including rotating affected credentials, revoking Drift integrations, isolating the Drift application and infrastructure from core systems, and conducting proactive threat hunting, which found no evidence of further compromise. Mandiant confirmed that Salesloft’s core systems were only affected by reconnaissance activity and were not breached.

The Google Threat Intelligence Group (GTIG) and Mandiant further revealed that this campaign is part of a large-scale supply chain attack targeting multiple Salesforce integrations. The majority of the stolen data consisted of business contact information such as names, emails, phone numbers, and job titles. The investigation is ongoing, with GTIG attributing the campaign to the UNC6395 threat group, while a group calling itself “Scattered Lapsus$ Hunters” has claimed responsibility—though this has not yet been verified.

Source: https://hackread.com/salesloft-drift-breach-github-compromise-oauth-tokens/