Salesloft has confirmed that a recent data breach, which affected its Drift application, began with the compromise of its GitHub account. The threat actor, identified as UNC6395, was able to access the account from March through June 2025. It is still unclear how the attackers gained initial access, but once inside, they downloaded content from multiple repositories, created a guest user, and set up malicious workflows. The breach has so far impacted at least 22 companies.
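The three GitHub-side actions the paragraph names (bulk repository downloads, a newly added guest account, and new workflows) all leave entries in a GitHub organization audit log, so a defender can check an export for the same pattern over the stated March-to-June window. The script below is an added example written for this summary; it is not Salesloft's or GitHub's code. The audit-log action names are my recollection of GitHub's documented vocabulary and should be treated as assumptions to verify against a real export, and the JSON-lines log it scans is constructed.

```python
"""Scan a GitHub org audit-log export (JSON lines) for the indicator pattern
described in the Salesloft/Drift write-up: repository content downloads,
a guest/outside-collaborator account being added, and workflow activity.
Added example; action names are assumed, and the sample log is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Indicator classes -> audit-log actions (ASSUMED names; verify against your export).
INDICATORS = {
    "repo_download": {"repo.download_zip"},
    "guest_user": {"org.add_outside_collaborator", "org.invite_member", "org.add_member"},
    "workflow_change": {"workflows.created_workflow_run", "repo.create_actions_secret"},
}

# Constructed sample export, not a real Salesloft log. '@timestamp' is epoch ms.
SAMPLE_LOG = """\
{"@timestamp": 1741000000000, "action": "repo.download_zip", "actor": "svc-build", "org": "example-org", "repo": "example-org/drift-api"}
{"@timestamp": 1741003600000, "action": "org.add_outside_collaborator", "actor": "svc-build", "org": "example-org", "user": "contractor-guest"}
{"@timestamp": 1741007200000, "action": "workflows.created_workflow_run", "actor": "contractor-guest", "org": "example-org", "repo": "example-org/drift-api"}
{"@timestamp": 1741010800000, "action": "repo.download_zip", "actor": "svc-build", "org": "example-org", "repo": "example-org/drift-web"}
{"@timestamp": 1741014400000, "action": "team.add_member", "actor": "alice", "org": "example-org", "user": "bob"}
{"@timestamp": 1735000000000, "action": "repo.download_zip", "actor": "alice", "org": "example-org", "repo": "example-org/old"}
"""


def parse_log(text):
    """Parse JSON-lines entries and attach a UTC datetime under 'ts'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["ts"] = datetime.fromtimestamp(entry["@timestamp"] / 1000, tz=timezone.utc)
        entries.append(entry)
    return entries


def classify(entry):
    """Return the indicator class an entry belongs to, or None if it is benign noise."""
    for cls, actions in INDICATORS.items():
        if entry["action"] in actions:
            return cls
    return None


def find_suspicious(entries, start, end, download_threshold=2):
    """Group indicator actions per actor inside [start, end) and rate each actor.

    high:   the actor was itself added as a guest/member during the window and then
            acted, or one actor both added a guest and downloaded/touched workflows
    medium: repeated repository downloads, or two different indicator classes
    low:    a single indicator action
    """
    per_actor = defaultdict(lambda: defaultdict(list))
    added_accounts = set()  # accounts that were added to the org inside the window
    for entry in entries:
        if not (start <= entry["ts"] < end):
            continue
        cls = classify(entry)
        if cls is None:
            continue
        per_actor[entry["actor"]][cls].append(entry)
        if cls == "guest_user" and entry.get("user"):
            added_accounts.add(entry["user"])

    findings = []
    for actor, by_cls in per_actor.items():
        classes = set(by_cls)
        downloads = len(by_cls.get("repo_download", []))
        severity = "low"
        if downloads >= download_threshold or len(classes) >= 2:
            severity = "medium"
        if actor in added_accounts or (len(classes) >= 2 and "guest_user" in classes):
            severity = "high"
        findings.append({
            "actor": actor,
            "severity": severity,
            "classes": sorted(classes),
            "downloads": downloads,
            "added_in_window": actor in added_accounts,
            "repos": sorted({e["repo"] for es in by_cls.values() for e in es if e.get("repo")}),
        })
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["actor"]))
    return findings


def scan(text, start_iso, end_iso):
    """Convenience wrapper: ISO-8601 window bounds (with offset) to findings."""
    return find_suspicious(parse_log(text),
                           datetime.fromisoformat(start_iso),
                           datetime.fromisoformat(end_iso))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "2025-03-01T00:00:00+00:00", "2025-07-01T00:00:00+00:00"):
        print(f"{f['severity']:6} {f['actor']:18} {f['classes']} downloads={f['downloads']}")
```

On the constructed log, `svc-build` is rated high because one identity both pulled two repositories and added an outside collaborator, and `contractor-guest` is rated high because it was added during the window and then ran a workflow; the team change by `alice` and her download from outside the window are ignored. The useful part for a real investigation is the per-actor correlation rather than any single action, since each of these actions is routine on its own.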
During the same period, investigators discovered that the attackers performed reconnaissance within the Salesloft and Drift application environments. While this activity was limited, it set the stage for the next phase of the attack. Following this reconnaissance, the threat actors accessed Drift’s Amazon Web Services (AWS) environment. From there, they were able to steal OAuth tokens used for technology integrations with Drift customers. These stolen tokens were then used to access customer data through those integrations.
In response to the attack, Salesloft has taken decisive action. The company isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. It has also rotated credentials within the Salesloft environment and strengthened security by improving segmentation controls between the Salesloft and Drift applications. To help other companies protect themselves, Salesloft recommends that all third-party applications integrated with Drift via API keys proactively revoke those existing keys.
As a direct result of Salesloft’s remediation efforts, Salesforce has begun restoring integrations with the Salesloft platform. Salesforce had temporarily suspended these integrations on August 28, but re-enabled them on September 7, 2025, after reviewing the security measures Salesloft implemented. However, Salesforce has noted that Drift applications will remain disabled until further notice as part of its continued response to the incident.
The full extent of the breach is still being investigated, but the focus remains on the initial compromise of the GitHub account. This incident highlights the critical importance of securing development environments and the potential for a single point of failure to cascade into a widespread supply chain attack. As companies continue to integrate more third-party applications, this event serves as a stark reminder of the need for robust security protocols and quick, transparent communication in the face of a cyber incident.