Particle.news
Download on the App Store
10 ARTICLES
·
4w ago

Salesloft Traces Drift Data-Theft Campaign to March GitHub Breach

Salesforce has re-enabled Salesloft integrations after Mandiant verified containment, with Drift remaining offline.

Hand working at laptop computer illustrating cyber crime
Image
Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens
Image

Overview

  • Investigators say attackers accessed a Salesloft GitHub account from March to June, then reached Drift’s AWS environment and stole OAuth tokens used to query customer systems.
  • Stolen tokens were abused in August to access Salesforce instances and, in a small number of cases, Google Workspace accounts to exfiltrate support-case data and hunt for credentials and secrets.
  • Salesloft isolated the Drift application, took it offline for remediation, rotated credentials, and hardened segmentation, with Mandiant now focused on forensic quality assurance.
  • Tenable and Qualys disclosed limited exposure to Salesforce data and said their products were unaffected, joining a growing list that includes Cloudflare, Palo Alto Networks, Zscaler and others.
  • Google’s Threat Intelligence Group links the campaign to UNC6395, while public claims by ShinyHunters and a group styling itself Scattered Lapsus$ Hunters remain unconfirmed.