Particle.news

Salesloft Traces Drift Data-Theft Campaign to March GitHub Breach

Salesforce has re-enabled Salesloft integrations after Mandiant verified containment, with Drift remaining offline.

Overview

  • Investigators say attackers accessed a Salesloft GitHub account from March to June, then reached Drift’s AWS environment and stole OAuth tokens used to query customer systems.
  • Stolen tokens were abused in August to access Salesforce instances and, in a small number of cases, Google Workspace accounts to exfiltrate support-case data and hunt for credentials and secrets.
  • Salesloft isolated the Drift application, took it offline for remediation, rotated credentials, and hardened segmentation, with Mandiant now focused on forensic quality assurance.
  • Tenable and Qualys disclosed limited exposure to Salesforce data and said their products were unaffected, joining a growing list that includes Cloudflare, Palo Alto Networks, Zscaler and others.
  • Google’s Threat Intelligence Group links the campaign to UNC6395, while public claims by ShinyHunters and a group styling itself Scattered Lapsus$ Hunters remain unconfirmed.