In a significant cybersecurity incident, Salesloft’s GitHub account was compromised between March and June 2025, setting the stage for a widespread data theft campaign targeting Salesforce customers. This breach underscores the critical importance of securing development environments to prevent cascading security failures.
Timeline of the Breach
– March–June 2025: Unauthorized access to Salesloft’s GitHub repositories occurred.
– August 8–18, 2025: Attackers exploited compromised OAuth tokens from the Drift AI chatbot to extract substantial data from Salesforce environments.
– September 7, 2025: Salesforce reinstated the Salesloft integration after implementing enhanced security measures.
Details of the Attack
The threat actor, identified as UNC6395, infiltrated Salesloft’s GitHub account, enabling them to download multiple repositories, add unauthorized users, and establish malicious workflows. This access facilitated reconnaissance within Salesloft and Drift application environments, leading to unauthorized entry into Drift’s AWS instance and the exfiltration of OAuth tokens used for customer integrations.
Impact on Organizations
The campaign affected hundreds of organizations, including prominent cybersecurity firms such as Cloudflare, Palo Alto Networks, and Zscaler. The attackers focused on extracting sensitive information, including AWS access keys, passwords, and Snowflake-related access tokens. The breach’s scope expanded beyond entities using the Salesforce-Salesloft Drift integration, also impacting Google Workspace customers.
Response and Mitigation
In response to the breach, Salesforce disabled the Salesloft integration, and Drift temporarily took its services offline to bolster security. Salesloft, with assistance from Mandiant, conducted a thorough investigation, leading to the restoration of the Salesforce-Salesloft integration on September 7, 2025.
Lessons Learned
This incident highlights the necessity for organizations to secure their development environments rigorously. Implementing robust access controls, conducting regular security audits, and monitoring for unauthorized activities are essential steps to prevent similar breaches.
