Salesloft Drift Breach Linked to GitHub Security Breach and Compromised OAuth Tokens

Recent data breaches have raised concerns about the security of widely used SaaS integrations, in particular the abuse of the Salesloft Drift application to pull data out of customers' Salesforce instances. In an update, Salesloft reports that the incident has been contained and that customer protections are now in effect.

To investigate the breach, Salesloft enlisted the help of Mandiant, a cybersecurity firm owned by Google, beginning on August 28. The investigation aimed to uncover the root cause of the breach, evaluate the extent of the damage, and ensure the integrity of Salesloft’s core systems.

Initial Access through GitHub

According to an advisory released by Salesloft today, the investigation found that the adversary first accessed a Salesloft GitHub account between March and June 2025, months before the August token abuse. During that window the attacker downloaded content from several private repositories, added a guest user, and set up workflows. Reconnaissance was also detected in both the Salesloft and Drift application environments, although investigators found no evidence that the attacker reached the core Salesloft infrastructure.
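The three GitHub behaviours named above (repository contents pulled, a member added, workflows created) are all visible in an organization's audit log, so a defender with a similar dwell window to check can triage the export offline. The script below is an added example written for this page, not Salesloft's or Mandiant's tooling. The event shape follows a GitHub audit-log export (action, actor, created_at, repo, user), the action names are taken from GitHub's audit-log vocabulary as I recall it and should be checked against the current documentation, and the sample events and the bulk-download threshold are constructed for the example, not published indicators.

```python
"""Triage a GitHub organization audit-log export for the pattern described
above: members added, repository contents pulled in bulk, workflows touched.

Added example; event rows below are constructed, not real Salesloft data.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Action names assumed from GitHub's audit-log vocabulary; verify against the docs.
MEMBERSHIP_ACTIONS = {"org.add_member", "org.invite_member", "org.add_outside_collaborator"}
CONTENT_PULL_ACTIONS = {"repo.download_zip", "git.clone"}
WORKFLOW_ACTIONS = {"workflows.created_workflow_run", "workflows.approve_workflow_job"}

# Constructed sample events for this example.
SAMPLE_EVENTS = [
    {"action": "git.clone", "actor": "dev-ann", "repo": "acme/billing", "user": None,
     "created_at": "2025-04-02T09:10:00Z"},
    {"action": "org.add_member", "actor": "dev-ann", "repo": None, "user": "guest-x",
     "created_at": "2025-04-02T09:12:00Z"},
    {"action": "repo.download_zip", "actor": "guest-x", "repo": "acme/billing", "user": None,
     "created_at": "2025-04-02T09:15:00Z"},
    {"action": "repo.download_zip", "actor": "guest-x", "repo": "acme/auth", "user": None,
     "created_at": "2025-04-02T09:16:00Z"},
    {"action": "repo.download_zip", "actor": "guest-x", "repo": "acme/infra", "user": None,
     "created_at": "2025-04-02T09:17:00Z"},
    {"action": "workflows.created_workflow_run", "actor": "guest-x", "repo": "acme/infra",
     "user": None, "created_at": "2025-04-02T09:40:00Z"},
    # Outside the March-June window; must not appear in findings.
    {"action": "git.clone", "actor": "dev-bob", "repo": "acme/web", "user": None,
     "created_at": "2025-07-10T11:00:00Z"},
]


def parse_ts(s):
    """Audit-log timestamps are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, start, end, pull_threshold=3):
    """Return findings for events whose timestamp lies inside [start, end].

    pull_threshold (assumed value) is how many distinct repos one actor must
    pull before being reported as a bulk downloader.
    """
    in_window = [e for e in events if start <= parse_ts(e["created_at"]) <= end]

    members_added = [(e["actor"], e["user"]) for e in in_window
                     if e["action"] in MEMBERSHIP_ACTIONS]

    pulls = defaultdict(set)
    for e in in_window:
        if e["action"] in CONTENT_PULL_ACTIONS:
            pulls[e["actor"]].add(e["repo"])
    bulk_pullers = {actor: sorted(repos) for actor, repos in pulls.items()
                    if len(repos) >= pull_threshold}

    workflow_changes = [(e["actor"], e["repo"]) for e in in_window
                        if e["action"] in WORKFLOW_ACTIONS]

    # Highest priority: an account added in the window that then pulled code
    # in bulk or touched workflows, which is exactly the chain described above.
    new_accounts = {u for _, u in members_added if u}
    workflow_actors = {actor for actor, _ in workflow_changes}
    escalated = sorted(a for a in new_accounts if a in bulk_pullers or a in workflow_actors)

    return {"members_added": members_added, "bulk_pullers": bulk_pullers,
            "workflow_changes": workflow_changes, "escalated": escalated}


if __name__ == "__main__":
    window = (parse_ts("2025-03-01T00:00:00Z"), parse_ts("2025-06-30T23:59:59Z"))
    for key, value in triage(SAMPLE_EVENTS, *window).items():
        print(f"{key}: {value}")
```

Run against a real export, the value is in the `escalated` list: an account that was added by a legitimate member and then immediately pulled several repositories is the shape of the activity the advisory describes, and the adding member's credentials are the next thing to check.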

The attacker then pivoted to Drift's AWS environment, where they obtained OAuth tokens issued to Drift customers' technology integrations. Those tokens were subsequently used to gain unauthorized access to customer data through the integrated applications, Salesforce in particular.

Containment Actions Taken

Salesloft has taken swift action to contain the incident. Key measures included rotating the affected credentials in the Drift application and, as a precaution, within Salesloft's own infrastructure. The company also isolated Drift's infrastructure and took the service offline, and added hardening and detections for the techniques observed during the attack. Proactive threat hunting across Salesloft's infrastructure found no further signs of compromise, which supports the effectiveness of the containment steps. Mandiant has confirmed that the technical segmentation between the Drift and Salesloft platforms significantly limited how far the attacker could reach.

Screenshot from the company’s latest update

Broader Industry Impact

This breach is not confined to Drift; it is part of a broader coordinated campaign that targeted Salesforce integrations across multiple organizations in August, as reported by Google's Threat Intelligence Group and Mandiant. Affected companies include Zscaler, Palo Alto Networks, PagerDuty, and others, whose Salesforce data was accessed through the stolen OAuth tokens. The exposed information consisted mainly of business contact details such as names, email addresses, job titles, and phone numbers.

While the investigation is ongoing, Google tracks the threat actor behind the campaign as UNC6395. Separately, a group calling itself "Scattered Lapsus$ Hunters" has publicly claimed responsibility, although investigators have not confirmed that claim.

Current Situation

With containment measures in place, Mandiant's role has now shifted to forensic quality assurance: validating the findings and confirming the stability of both affected environments. Salesloft has emphasized that while the Drift application was compromised, its core application environment was not; activity there was confined to reconnaissance. As the situation unfolds, organizations that run third-party integrations should review which connected apps hold OAuth tokens into their systems, and reinforce their security controls accordingly.
