Salesloft has confirmed that the recent breach impacting its Drift application was triggered by the compromise of its GitHub account, which opened the door for a wider supply chain attack.
Breach Details
According to Google-owned Mandiant, which is handling the investigation, the attackers, identified as UNC6395, gained unauthorized access to Salesloft’s GitHub account between March and June 2025. As a result, 22 companies have been affected by the incident.
With this access, the attackers downloaded code from multiple repositories, added a guest user, and configured automated workflows. Salesloft’s advisory highlighted that while the attackers carried out reconnaissance in both the Salesloft and Drift environments, no evidence points to malicious activity beyond that reconnaissance.
AWS and OAuth Token Exposure
The attackers advanced further by breaching Drift’s AWS environment, where they extracted OAuth tokens linked to Drift customers. These stolen tokens could be used to access sensitive data through Drift’s technology integrations.
In response, Salesloft has taken Drift’s infrastructure and application offline as of September 5, 2025, 6 a.m. ET. The company has also rotated its credentials and implemented stronger segmentation controls to separate Salesloft and Drift environments.
Security Recommendations and Salesforce Response
Salesloft has urged all third-party services integrated with Drift to revoke and regenerate their API keys as a precautionary measure.
Meanwhile, Salesforce, which had suspended its integration with Salesloft on August 28, re-enabled it on September 7, 2025, after verifying the company’s remediation efforts. However, Salesforce clarified that Drift integrations will remain disabled until further notice as part of the ongoing security response.


