Overview
- Salesloft said an intruder accessed a company GitHub account between March and June, downloaded private repositories, added a guest user, created workflows, and later harvested Drift customer OAuth tokens from AWS.
- Those tokens were abused primarily in August to access Salesforce instances for support-case text and business contact details, with investigators warning the data was searched for credentials such as AWS keys and Snowflake tokens.
- Salesloft reported the incident is contained after rotating credentials, isolating and briefly taking Drift offline, hardening systems, restoring the Salesforce integration, and engaging Mandiant on August 28 for investigation and forensic quality assurance.
- Tenable and Qualys disclosed limited unauthorized access to information stored in their Salesforce environments, disabled the Drift app, revoked or rotated integrations, and said their products and services were unaffected.
- Google’s Threat Intelligence Group linked the campaign to UNC6395 and noted a small number of Google Workspace email accounts were accessed on August 9 using stolen tokens, while separate public claims of responsibility remain unconfirmed.
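The point of the credential search described above is that support-case text is a soft target for secrets that customers paste while troubleshooting. Defenders reading this will want to know what an attacker with the same token access would have found in their own instance. The following scanner is an added example, not code from Salesloft, Salesforce, or the investigators; the regexes are assumptions based on the public AWS key-ID format (`AKIA`/`ASIA` plus 16 characters) and on labelled "token"/"password" values near the word "Snowflake", and the three support cases are constructed sample data (the AWS values are the well-known documentation example keys).

```python
import re
from dataclasses import dataclass

# Credential patterns (assumptions, not from the article). Kept deliberately
# narrow: a hint word must sit near the value so ordinary case text does not
# flood the report with false positives.
PATTERNS = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 base32-ish chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # AWS secret keys are 40 chars from the base64 alphabet; require a label nearby
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_?secret_?access_?key|secret)\W{0,3}([A-Za-z0-9/+=]{40})\b"
    ),
    # The article only says "Snowflake tokens"; look for a labelled value near "snowflake"
    "snowflake_credential": re.compile(
        r"(?i)snowflake.{0,60}?(?:token|password|pwd)\W{0,3}(\S{8,})"
    ),
}


@dataclass
class Finding:
    case_id: str
    kind: str
    excerpt: str  # redacted value, safe to put in a ticket


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise the key, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases):
    """Scan each case's description and return one Finding per secret-looking match."""
    findings = []
    for case in cases:
        text = case["description"]
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(case["id"], kind, redact(secret)))
    return findings


def exposed_case_ids(findings):
    """Case IDs whose text held at least one credential: the rotation worklist."""
    return sorted({f.case_id for f in findings})


# Constructed sample support cases (not real data). The AWS values are the
# example keys from AWS documentation, which is exactly the kind of text a
# customer pastes into a ticket.
SAMPLE_CASES = [
    {
        "id": "500-0001",
        "description": (
            "Lambda fails after rotation. Config dump: "
            "aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
            "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY "
            "region=us-east-1"
        ),
    },
    {
        "id": "500-0002",
        "description": (
            "Cannot connect to the Snowflake warehouse from the connector. "
            "Using token: eyJhbGciOiJIUzI1NiJ9.CONSTRUCTED.TOKEN"
        ),
    },
    {
        "id": "500-0003",
        "description": "Password reset email not arriving for user jane@example.com.",
    },
]

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.case_id}: {f.kind} -> {f.excerpt}")
    print("rotate credentials referenced in cases:", exposed_case_ids(scan_cases(SAMPLE_CASES)))
```

Run it over an export of case descriptions (and comments, which hold the same kind of pasted text) from the window the tokens were valid; every case on the resulting list is a credential to rotate regardless of whether access logs show it was read, because the absence of a log line does not prove the case was not downloaded.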