GitHub Account Compromise Leads to Data Breach at Salesloft, Impacting 22 Companies
In a development that underscores the vulnerabilities in software supply chains, Salesloft has disclosed that a significant data breach associated with its Drift application originated from the compromise of its GitHub account. This incident was investigated by Mandiant, a cybersecurity firm owned by Google, which traced the unauthorized access to a threat actor designated as UNC6395. The compromise reportedly spanned from March to June 2025, although the precise method by which the attackers infiltrated the GitHub account remains uncertain.
The breach has affected a total of 22 companies, which have confirmed their involvement in this supply chain incident. According to Salesloft’s updated advisory, the intruders exploited their access to download content from various repositories, introduce guest users, and establish workflows within the organization’s systems. This degree of access raises serious concerns about the integrity of supply chains and the security protocols in place for managing sensitive data.
The investigation conducted by Mandiant not only highlighted the unauthorized access but also revealed reconnaissance activities within the Salesloft and Drift application environments during the same timeframe. Although the findings indicate that the threat actor was primarily engaged in exploratory actions, the lack of evidence for malicious data exfiltration or further intrusion offers only small consolation in an already troubling scenario.
As the investigation moves forward, it has been noted that the attackers eventually gained access to Drift’s infrastructure on Amazon Web Services (AWS), suggesting a continuation of their campaign beyond initial reconnaissance efforts. This escalation points to a pivot toward more impactful tactics, raising alarm for organizations reliant on cloud services.
From a cybersecurity perspective, multiple tactics and techniques from the MITRE ATT&CK Matrix appear pertinent in understanding this breach. The initial access likely involved exploiting a weak point in account security, which aligns with tactics like credential dumping or phishing. The creation of guest accounts speaks to persistence techniques that enable continued control over compromised environments. Moreover, the broader implications of privilege escalation cannot be overlooked, particularly in a supply chain context where access to sensitive data and resources can yield far-reaching consequences.
As organizations increasingly adopt interconnected technologies, the necessity for stringent security protocols cannot be overstated. Salesloft’s incident serves as a critical reminder of the need for robust security measures to mitigate risks associated with supply chain vulnerabilities. For business owners, this breach highlights the importance of regularly auditing access controls, implementing multi-factor authentication, and ensuring that security frameworks are continuously updated in response to evolving threats.
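The advisory describes three observable actions in the GitHub organization (repository content downloaded, guest users introduced, workflows established), and the paragraph above recommends regularly auditing access controls. The following is an added example, not code from Salesloft, Mandiant or GitHub, of an audit-log review that ties those actions together: it flags any account that was added to the organization or a repository and then, within a short window, cloned repositories or triggered workflow runs. The audit-log records are constructed for this example; the action names are modelled on GitHub's audit-log vocabulary (org.add_member, repo.add_member, git.clone, workflows.created_workflow_run) but should be treated as assumptions and matched against the names present in your own export.

```python
import json
from collections import defaultdict

# Events that grant a new identity access to the organization or a repository.
# Assumed names, patterned on GitHub audit-log actions; verify against your export.
ADD_ACTIONS = {"org.add_member", "repo.add_member"}
# Events that represent use of that access (content download, workflow execution).
USE_ACTIONS = {"git.clone", "workflows.created_workflow_run"}
# How soon after being added an account's activity is considered suspicious.
DEFAULT_WINDOW_MS = 24 * 60 * 60 * 1000

# Constructed JSON-lines audit export (not real Salesloft data). Timestamps are
# epoch milliseconds, as in GitHub's "@timestamp" field.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"@timestamp": 1741000000000, "action": "org.add_member", "actor": "svc-deploy", "user": "outside-contractor", "org": "example-org"}',
    '{"@timestamp": 1741000300000, "action": "repo.add_member", "actor": "svc-deploy", "user": "outside-contractor", "repo": "example-org/drift-api"}',
    '{"@timestamp": 1741000600000, "action": "git.clone", "actor": "outside-contractor", "repo": "example-org/drift-api"}',
    '{"@timestamp": 1741000900000, "action": "git.clone", "actor": "outside-contractor", "repo": "example-org/drift-web"}',
    '{"@timestamp": 1741001200000, "action": "workflows.created_workflow_run", "actor": "outside-contractor", "repo": "example-org/drift-api"}',
    '{"@timestamp": 1741001500000, "action": "git.clone", "actor": "alice", "repo": "example-org/drift-api"}',
])


def parse_audit_log(text):
    """Parse a JSON-lines audit export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_new_account_activity(events, window_ms=DEFAULT_WINDOW_MS):
    """Return accounts that were granted access and then used it within `window_ms`.

    Result maps the account login to who added it, when, which repositories it
    cloned and how many workflow runs it triggered inside the window.
    """
    events = sorted(events, key=lambda e: e["@timestamp"])
    added = {}  # login -> (added_at_ms, added_by)
    findings = defaultdict(lambda: {"added_by": None, "added_at": None,
                                    "cloned": set(), "workflow_runs": 0})

    for e in events:
        action, ts = e["action"], e["@timestamp"]
        if action in ADD_ACTIONS:
            # Record the first grant only; later grants do not reset the clock.
            added.setdefault(e["user"], (ts, e["actor"]))
        elif action in USE_ACTIONS and e["actor"] in added:
            added_at, added_by = added[e["actor"]]
            if ts - added_at > window_ms:
                continue  # activity long after onboarding is out of scope here
            f = findings[e["actor"]]
            f["added_by"], f["added_at"] = added_by, added_at
            if action == "git.clone":
                f["cloned"].add(e.get("repo", "<unknown>"))
            else:
                f["workflow_runs"] += 1

    # Freeze sets into sorted lists so the result is deterministic and serialisable.
    return {login: {**f, "cloned": sorted(f["cloned"])} for login, f in findings.items()}


def report(findings):
    """Render findings as one line per flagged account for a reviewer."""
    lines = []
    for login, f in findings.items():
        lines.append(f"{login}: added by {f['added_by']}, cloned {len(f['cloned'])} repo(s) "
                     f"{f['cloned']}, triggered {f['workflow_runs']} workflow run(s)")
    return lines


if __name__ == "__main__":
    for line in report(find_new_account_activity(parse_audit_log(SAMPLE_AUDIT_LOG))):
        print(line)
```

In the constructed log, "outside-contractor" is flagged because it was added by "svc-deploy" and immediately cloned two repositories and started a workflow run, while "alice" (an existing member with no add event) is not. The window is deliberately a parameter: an organization that onboards many short-lived collaborators would tune it, and would pair this check with a separate review of who is allowed to add members at all.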
The fallout from this breach is likely to extend beyond immediate concerns, as companies reassess their security postures in the face of growing cyber threats. The lessons learned here may very well shape best practices for protecting not only core operations but also the broader ecosystem of partners and clients involved in their supply chains.