
A sophisticated supply-chain attack compromising Salesloft's development infrastructure led to the theft of sensitive OAuth tokens and subsequent data breaches across numerous high-profile Salesforce customers, according to forensic findings by Mandiant. The incident, initially disclosed in August 2025, traces back to a March breach of Salesloft's GitHub repositories—a critical entry point that enabled months of undetected reconnaissance and escalation.

The Attack Chain: From GitHub to Global Compromise

  1. Initial Foothold (March-June 2025): Threat actors, identified as UNC6390 with links to ShinyHunters and Scattered Spider actors, breached Salesloft's GitHub environment. They downloaded proprietary code, added unauthorized user accounts, and created malicious workflows.
  2. Reconnaissance & Escalation: Attackers pivoted to explore Salesloft and its Drift conversational marketing platform, culminating in a breach of Drift's AWS environment.
  3. OAuth Token Theft: Access to Drift's AWS infrastructure allowed attackers to steal critical OAuth tokens. These tokens granted authenticated access to integrated platforms, primarily Salesforce and Google Workspace, across Salesloft's customer base.
  4. Salesforce Data Harvesting (August 2025): Using the stolen tokens, attackers targeted Salesloft customers' Salesforce instances. Their primary focus? Support cases. As Salesloft warned:
    > "Initial findings have shown that the actor's primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens."
    Support tickets proved a goldmine, containing shared secrets, credentials, and authentication tokens inadvertently submitted by users.
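The last step of the chain is what made the stolen tokens valuable: secrets that users pasted into support cases. One defensive control that follows directly from this is to scan support-case text for credential patterns before a case is stored or shared, so leaked keys can be redacted and rotated. The script below is an added illustration written for this summary, not code from the article, Salesloft, Mandiant or Salesforce. The AWS access key ID format (AKIA/ASIA plus 16 upper-case alphanumerics) is documented by AWS; the password and Snowflake rules are keyword heuristics chosen for this example, and the support cases it scans are constructed sample data.

```python
"""Scan support-case text for secrets that should never have been submitted.

Added example for illustration. Pattern notes:
  - AWS access key IDs begin with AKIA (long-term) or ASIA (temporary) and are
    followed by 16 upper-case alphanumerics (documented AWS format).
  - The secret-key, password and Snowflake rules are keyword heuristics chosen
    for this example (assumption), not vendor-published formats.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    snippet: str  # redacted value, safe to put in a ticket or alert


PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # 40-character secret following an "aws secret access key" label.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ ]?secret[_ ]?(?:access[_ ]?)?key\s*[:=]\s*([A-Za-z0-9/+]{40})\b"
    ),
    # Generic "password: value" / "pwd=value" submissions.
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # A "token=" assignment mentioned within 40 characters of the word Snowflake.
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,40}?token\s*[:=]\s*(\S+)"),
}


def redact(value: str) -> str:
    """Keep the first four characters so an analyst can match the hit, mask the rest."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_case(case_id: str, body: str) -> list[Finding]:
    """Return one Finding per secret-looking match in a single case body."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            # Patterns with a capture group carry the secret in group 1;
            # the access-key pattern matches the whole key.
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(case_id, kind, redact(secret)))
    return findings


def scan_cases(cases: dict[str, str]) -> list[Finding]:
    """Scan a mapping of case id -> case text, preserving case order."""
    results = []
    for case_id, body in cases.items():
        results.extend(scan_case(case_id, body))
    return results


# Constructed sample cases (not real customer data). The AWS values are the
# placeholder examples AWS itself uses in its documentation.
SAMPLE_CASES = {
    "00001001": (
        "Hi, the sync keeps failing. My creds are AKIAIOSFODNN7EXAMPLE and "
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY please check."
    ),
    "00001002": "Login page says invalid. password: Summer2025! user: j.doe",
    "00001003": "Snowflake connector: token=sf_tok_0123456789abcdef still gives 401",
    "00001004": "Can you update the billing address on our account? Thanks.",
}


def main() -> None:
    for f in scan_cases(SAMPLE_CASES):
        print(f"case {f.case_id}: {f.kind} -> {f.snippet}")


if __name__ == "__main__":
    main()
```

Run as-is it reports two hits in the first case, one each in the second and third, and none in the fourth. In practice the scan belongs at case-creation time (a trigger or inbound webhook on the support platform) so that a hit can redact the value and open a rotation task; the redacted snippet is enough for the analyst to confirm which key to revoke without the secret being copied into yet another system.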

Impact: A Who's Who of Tech Victims

The widespread theft of Drift OAuth tokens led to confirmed breaches at:
* Google
* Zscaler
* Cloudflare
* Workiva
* Tenable
* JFrog
* Bugcrowd
* Proofpoint
* Palo Alto Networks

...with the list potentially growing as investigations continue. The attack exemplifies the cascading risk of SaaS integrations; a compromise at one vendor (Salesloft/Drift) directly endangered the security posture of its enterprise clients.

Containment and Lingering Risks

Salesloft, aided by Mandiant, states it has:
* Rotated all compromised credentials
* Hardened network defenses
* Verified segmentation between Salesloft and Drift environments
* Conducted threat hunting with "no additional indicators of compromise" found

Mandiant has validated containment. Salesloft has also restored its Salesforce integration, releasing guidance for customers needing to resync data. While immediate access is severed, the incident underscores a harsh reality: stolen credentials and secrets from support cases provide attackers with potent ammunition for follow-on attacks long after the initial breach is contained. The security of development pipelines (GitHub) and the integrity of OAuth token management remain paramount vulnerabilities in the SaaS ecosystem.

Source: BleepingComputer (https://www.bleepingcomputer.com/news/security/salesloft-march-github-repo-breach-led-to-salesforce-data-theft-attacks/)