
Unauthorized Access to Salesloft Drift: Investigation Unveils Entry Strategies of Hackers

Data breach at Salesloft Drift initiated through unauthorized access to the firm's GitHub account.

Investigation reveals intrusion pathway in the Salesloft Drift data breach incident

In a concerning turn of events, Salesloft and Drift, two popular sales engagement platforms, have been the victims of a cyberattack. The attack, attributed by Google Threat Intelligence Group to the known threat group UNC6395, began with the compromise of Salesloft's GitHub account.

The investigation into the breach revealed that the attackers targeted sensitive access credentials such as AWS access keys, passwords, and Snowflake-related access tokens. They conducted reconnaissance activities in the Salesloft and Drift application environments from March 2025 to June 2025.

During this period, the threat actor managed to access the Salesloft GitHub account, downloading content from multiple repositories, adding a guest user, and establishing workflows. However, the analysis did not find evidence beyond limited reconnaissance related to the Salesloft application environment.

The threat actor also gained access to Drift's AWS environment, obtaining OAuth tokens for Drift customers' technology integrations, and using them to access the customers' Salesforce instances. This action raised significant concerns about the potential exfiltration of customer data.

Salesloft announced the data breach on August 26, stating that it involved the exfiltration of customer data from Salesloft's Salesforce instances. The company has been working with Mandiant to discover and eradicate the attackers' presence from the Drift and Salesloft application environments, harden them, and check for evidence of compromise across Salesloft's infrastructure and technologies.

Salesforce has also engaged Mandiant to investigate the compromise of the Drift platform and its technology integrations. The findings support that the incident has been contained, and the integration between the Salesloft platform and Salesforce has been restored.

Several other organizations, including Cloudflare, Zscaler, Palo Alto Networks, Elastic and Bugcrowd, have confirmed the data theft. Google Threat Intelligence Group stated that the attackers were after sensitive access credentials that may be included in support tickets sent to organizations by their customers.
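To scope what must be rotated after an incident like this, a defender can scan exported support-case text for the credential types named above (AWS keys, passwords, Snowflake tokens). The following is an added example written for this article, not code from Salesloft, Drift, Mandiant or Google; the case bodies are constructed and the patterns are heuristics, so treat hits as leads for rotation, not proof of compromise.

```python
import re
from dataclasses import dataclass

# Constructed sample of support-ticket bodies (not real customer data).
SAMPLE_CASES = [
    {"id": "CASE-0001", "body": "Export job fails. Config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                                "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0002", "body": "Snowflake load stalls. Using token=sfpat_CONSTRUCTEDEXAMPLE0001 "
                                "and password: Tr0ub4dor&3"},
    {"id": "CASE-0003", "body": "Thanks, the dashboard loads fine now."},
]

# Heuristic detectors. AWS access key IDs have a fixed AKIA/ASIA prefix and
# 16 base32 characters; the other three are key=value style assumptions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "password": re.compile(r"(?i)\bpassword\s*[=:]\s*(\S+)"),
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,40}?token\s*[=:]\s*(\S+)"),
}


@dataclass(frozen=True)
class Finding:
    case_id: str
    secret_type: str
    preview: str  # first four characters only; the full secret is never stored


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise the credential to rotate."""
    return value[:4] + "*" * (len(value) - 4)


def scan_case(case: dict) -> list[Finding]:
    findings = []
    for secret_type, pattern in PATTERNS.items():
        for m in pattern.finditer(case["body"]):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(case["id"], secret_type, redact(value)))
    return findings


def scan_cases(cases: list[dict]) -> dict[str, list[Finding]]:
    """Return case id -> findings, only for cases that contain something to rotate."""
    return {c["id"]: hits for c in cases if (hits := scan_case(c))}


if __name__ == "__main__":
    for case_id, hits in scan_cases(SAMPLE_CASES).items():
        for f in hits:
            print(f"{case_id}: {f.secret_type} {f.preview}")
```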

How the affected companies will respond to the breach, in particular how they will prevent misuse of the stolen customer secrets, is not yet known. It is crucial for both Salesloft and Drift, as well as the affected customers, to take immediate steps to secure their data and protect their systems.

Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments. The details about how the attackers gained access to the Salesloft GitHub account were not disclosed.

As the investigation continues, it is essential for all parties involved to remain vigilant and proactive in safeguarding their digital assets. The cybersecurity community will continue to monitor the situation closely.
