Overview
- Investigators say attackers accessed a Salesloft GitHub account from March to June, then reached Drift’s AWS environment and stole OAuth tokens used to query customer systems.
- Stolen tokens were abused in August to access Salesforce instances and, in a small number of cases, Google Workspace accounts, in order to exfiltrate support-case data and hunt for credentials and secrets.
- Salesloft isolated the Drift application, took it offline for remediation, rotated credentials, and hardened segmentation, with Mandiant now focused on forensic quality assurance.
- Tenable and Qualys disclosed limited exposure to Salesforce data and said their products were unaffected, joining a growing list that includes Cloudflare, Palo Alto Networks, Zscaler and others.
- Google’s Threat Intelligence Group links the campaign to UNC6395, while public claims by ShinyHunters and a group styling itself Scattered Lapsus$ Hunters remain unconfirmed.