Particle.news

Salesloft Traces Drift Breach to March GitHub Hack as Salesforce Integration Reopens

Mandiant reports the intruders stole Drift OAuth tokens to trawl customer Salesforce support cases for credentials.

Overview

  • Salesloft says attackers accessed its GitHub account from March to June, downloading private repo code, adding a guest user, and creating rogue workflows.
  • Investigators found the actor later reached Drift’s AWS environment, stole OAuth tokens, and in August used them to query customers’ Salesforce instances and, in a few cases, Google Workspace.
  • Mandiant verified containment and technical segmentation between Salesloft and Drift, Salesforce re-enabled Salesloft integrations on September 7, and the Drift app remains disabled or offline.
  • Tenable and Qualys disclosed limited exposure involving Salesforce support-case data and said they disabled the Drift integration and rotated or revoked related credentials.
  • Google’s Threat Intelligence Group links the campaign to UNC6395, while separate claims by groups including ShinyHunters remain unconfirmed by investigators.