Update: March Github Repo Breach Led to Salesforce Data Theft Attacks
Summary:
Salesloft has disclosed that the recent Salesforce data theft campaign tied to its Drift environments traces back to a GitHub breach earlier in 2025. Investigators found that attackers accessed Salesloft’s GitHub environment between March and June 2025, where they downloaded code, created rogue workflows, and added guest accounts. This intrusion laid the groundwork for a later compromise of Drift’s AWS environment, where the attackers stole OAuth tokens used for customer integrations. Those tokens were then exploited in August 2025 to infiltrate Salesforce instances and exfiltrate sensitive support case data. Stolen information included AWS keys, authentication tokens, passwords, and Snowflake access tokens. While the Salesforce theft itself was already known, this update confirms the GitHub breach as the initial entry point that enabled the broader supply-chain-style attack. Attribution remains mixed: Google TAG linked the attack to UNC6395, but ShinyHunters and actors claiming affiliation with Scattered Spider have also been tied to the activity. Salesloft, assisted by Mandiant, has since rotated credentials, segmented its environments, and isolated Drift infrastructure. Salesforce integrations have been restored following precautionary suspension, and investigators believe the incident is now contained.
Security Officer Comments:
The campaign has impacted numerous corporate customers across the technology sector, and the number of affected organizations may continue to grow. This development confirms that the breach began months earlier than initially believed, with attackers exploiting a GitHub compromise as the first stage before moving to Drift and Salesforce. It highlights the increasing risk of attackers chaining weaknesses across developer environments, SaaS platforms, and cloud integrations to maximize impact. Mixed attribution suggests that stolen access or data may have been shared across multiple criminal groups, complicating response efforts.
Suggested Corrections:
Salesloft has provided important updates on its Trust Site:
- September 7th: Salesloft has confirmed on its trust site that the Salesforce/Salesloft integration has been restored. Customers will need to complete a data reconciliation process with Salesloft’s Customer Success team before re-enabling sync. Detailed re-sync instructions are available in their help documentation.
- September 6th: Salesloft reported Mandiant’s findings that the initial GitHub breach occurred between March and June 2025, allowing attackers to download repository content, add a guest user, and create workflows. Reconnaissance was observed across Salesloft and Drift, but no evidence was found of compromise in the core Salesloft environment beyond that reconnaissance. The attackers later pivoted to Drift’s AWS environment to steal OAuth tokens, which were then used in the Salesforce data theft. Mandiant has validated containment and confirmed segmentation between Drift and Salesloft systems.
Further mitigation guidance for the Salesforce/Drift campaign has already been published and should be reviewed here:
- Google Cloud Threat Intelligence: Data theft from Salesforce instances via Salesloft Drift
- Unit42 Threat Brief: Compromised Salesforce instances
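Because the stolen support-case data contained AWS keys, passwords, and Snowflake tokens, the first response task for an affected customer is to find which of their own cases held live secrets so those credentials can be rotated. The script below is an added illustration of that check; it is not code from Salesloft, Salesforce, Google, or Unit42. The field names, the detection patterns (except the documented AWS access key ID prefixes), and the sample case records are constructed for this example.

```python
"""Scan exported Salesforce support-case text for embedded credentials.

Added example for this advisory. Patterns other than the public AWS
access key ID format are heuristics; the sample records are constructed
and use AWS's published example key pair, so nothing here is a real secret.
"""
import re
from dataclasses import dataclass

# Heuristic secret patterns. Capturing group 1 (when present) is the secret value.
PATTERNS = {
    # AKIA = long-term key, ASIA = temporary key; both are documented AWS formats.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    # Assumed label; Snowflake tokens have no fixed public prefix to key on.
    "snowflake_token": re.compile(
        r"(?i)\bsnowflake[_ ]?(?:token|pat)\s*[=:]\s*['\"]?([^\s'\"]{20,})"),
}


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    redacted: str  # enough to identify the credential, never enough to reuse it


def redact(value: str) -> str:
    """Keep the first and last four characters so owners can recognise the key."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_case(case_id: str, text: str) -> list[Finding]:
    """Run every pattern over one case's combined text and redact the hits."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(case_id, kind, redact(value)))
    return findings


def scan_cases(cases: list[dict]) -> list[Finding]:
    """Scan subject, description and comments of each exported case record."""
    results = []
    for case in cases:
        text = " ".join(
            [case.get("subject", ""), case.get("description", ""), *case.get("comments", [])]
        )
        results.extend(scan_case(case["id"], text))
    return results


def rotation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group affected case IDs by credential type, one list per owning team."""
    plan: dict[str, set[str]] = {}
    for finding in findings:
        plan.setdefault(finding.kind, set()).add(finding.case_id)
    return {kind: sorted(ids) for kind, ids in plan.items()}


# Constructed sample export; the AWS pair is AWS's documented example key.
SAMPLE_CASES = [
    {"id": "CASE-0001", "subject": "CLI upload fails",
     "description": "Attached our config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0002", "subject": "Sync failing",
     "description": "Our sync keeps failing, please reset my password."},
    {"id": "CASE-0003", "subject": "API 401s",
     "comments": ["Authorization: Bearer sk-CONSTRUCTED-abcdefghijklmnop0123",
                  "warehouse uses snowflake_token: sfx_CONSTRUCTED_0123456789abcdef"]},
    {"id": "CASE-0004", "subject": "DB connector",
     "description": "db password = 'Tr0ub4dor&3-constructed'"},
]

if __name__ == "__main__":
    hits = scan_cases(SAMPLE_CASES)
    for hit in hits:
        print(f"{hit.case_id}: {hit.kind} -> {hit.redacted}")
    print("rotation plan:", rotation_plan(SAMPLE_CASES and hits))
```

CASE-0002 is included deliberately: the word "password" alone, with no value assigned, must not produce a finding, otherwise the rotation list fills with noise. Findings carry only redacted values so the report itself does not become another copy of the stolen secrets.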
Link(s):
https://www.bleepingcomputer.com/ne...-breach-led-to-salesforce-data-theft-attacks/