FindArticles © 2025. All Rights Reserved.

Salesloft links Drift breaches to GitHub hack

Last updated: October 31, 2025 12:07 am
By Bill Thompson
Technology

A March compromise of Salesloft's GitHub account triggered a string of intrusions that enabled the attackers to steal OAuth tokens belonging to Drift customers. OAuth is an authorization mechanism that lets a third-party application act on a user's data with the user's consent, without the application ever handling the user's password.

Those tokens were then used to access data from several large customers, illustrating how a single foothold in source code and cloud automation can grow into a full-blown supply chain incident.

Table of Contents
  • How the GitHub breach happened
  • Why the OAuth token theft made things worse
  • Victims and extent of the data
  • A long dwell time in a short-token world
  • What customers should do now
  • The larger supply chain lesson

The company, drawing on analysis by Mandiant (part of Google Cloud), said the intruders spent weeks inside its GitHub environment performing reconnaissance, pulling content from several repositories, adding a guest user and creating workflows. Salesloft says it has since contained the incident and re-enabled Drift's Salesforce integration, but the aftermath is a reminder that a bearer token grants whoever holds it the same access as the user who authorized it. When such tokens are long-lived and held by a vendor, their theft scales into data breaches across that vendor's whole customer base, a problem the industry must actively address rather than cringe at and click away from.

How the GitHub breach happened

Attackers gained access to Salesloft's GitHub account and quietly mapped its systems before pivoting to cloud resources linked to Drift, according to an incident summary Salesloft posted. From there, they could harvest the OAuth tokens issued to Drift's customers: the same small authorization strings that connect Drift's chat and sales-outreach tooling to a customer's Salesforce org.

Mandiant's assessment reads like classic supply chain tradecraft: scope out the code, understand the CI/CD workflows, locate secrets and automations, then start moving laterally. The months-long dwell time before detection raises uneasy questions about repository access tracking, identity hygiene and the rigor of alerting on both GitHub automations and guest-account activity.

Why the OAuth token theft made things worse

OAuth tokens let one service act on a user's behalf with the user's permission, without ever receiving the user's password. In enterprise stacks that frequently means giving a chatbot or support tool scoped access to a CRM. If those tokens are stolen, the attacker inherits whatever access they grant, without sending a single phish.

Salesloft said the hackers used the stolen tokens to reach customer Salesforce instances and steal data, including the contents of support tickets. The attackers also appear to have searched that data for sensitive credentials, targeting AWS access keys, account passwords and Snowflake-related tokens: the raw material for a deeper compromise of cloud and data platforms.
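Defenders can run the same search the attackers did, before the attackers do. The following is an added example, not code from Salesloft, Drift or the incident reports: a small scanner over support-ticket text that flags credential-shaped strings so the owning teams can rotate them. The tickets are constructed samples, not real data; the AWS access key ID and GitHub classic PAT shapes are documented formats, while the password and Snowflake rules are keyword heuristics assumed here (Snowflake has no single universal token format to anchor on).

```python
import re
from dataclasses import dataclass

# Constructed sample of support-ticket text (not real credentials). The strings
# are shaped like the secrets the attackers are reported to have hunted for in
# exfiltrated CRM data: AWS keys, account passwords and Snowflake tokens.
SAMPLE_TICKETS = {
    "case-0001": "Customer locked out. Temporary password=Summer2025! set until reset.",
    "case-0002": ("Debug bundle attached. Env shows AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678 "
                  "and AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    "case-0003": "Snowflake connector failing for account acme-xy12345; logs attached, no secrets.",
    "case-0004": "Pasting my PAT so you can reproduce: ghp_abcdefghijklmnopqrstuvwxyz0123456789",
    "case-0005": "Snowflake token: sfexampletoken0123456789abcdef (rotate after the call)",
}

# Detector name -> regex. AWS access key IDs (AKIA + 16 chars) and GitHub
# classic PATs (ghp_ + 36 chars) have fixed, documented shapes. The password
# and Snowflake rules are keyword heuristics assumed for this example.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("password_assignment", re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S{8,})")),
    ("snowflake_token", re.compile(r"(?i)snowflake[\w -]{0,30}?token\s*[:=]\s*(\S{16,})")),
]


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    redacted: str  # first 4 characters of the secret, remainder masked


def redact(secret: str) -> str:
    """Keep a short prefix so the owner can recognise the credential."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(case_id: str, text: str) -> list[Finding]:
    """Apply every detector to one ticket body and return the redacted hits."""
    findings = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            # Patterns with a capture group return only the secret value;
            # patterns without one match the whole token.
            secret = m.group(m.lastindex or 0)
            findings.append(Finding(case_id, kind, redact(secret)))
    return findings


def scan_tickets(tickets: dict[str, str]) -> list[Finding]:
    out = []
    for case_id, text in tickets.items():
        out.extend(scan_text(case_id, text))
    return out


def cases_needing_rotation(tickets: dict[str, str]) -> list[str]:
    """Ticket IDs whose contents contain at least one credential to rotate."""
    return sorted({f.case_id for f in scan_tickets(tickets)})


if __name__ == "__main__":
    for f in scan_tickets(SAMPLE_TICKETS):
        print(f"{f.case_id}: {f.kind} -> {f.redacted}")
```

Run it against an export of your Case object (or your ticketing system's database) and treat every hit as a credential the attacker may already hold: rotate first, then investigate. The point is not the regexes themselves but that the secrets live in a place nobody thought to protect.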

Victims and extent of the data

Organizations reported to be affected by the Salesloft Drift breach include Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks and Tenable, though the full victim list is still being established. What was exposed varied by customer, but the common denominator was that CRM content and credentials were sitting in support artifacts, a familiar theme in other supplier breaches too.

Google's threat research team has observed this campaign and attributes it to a group it tracks as UNC6395. Separately, coverage by DataBreaches.net and BleepingComputer has linked the activity to ShinyHunters, a prolific crew that steals data and then demands ransom. Victims have reported private outreach and pressure tactics consistent with that playbook.

A long dwell time in a short-token world

Mandiant's most recent M-Trends reporting puts the global median dwell time for detected intrusions at days, not months, so the dwell time described here is an outlier and will raise eyebrows.

The longer attackers hold access to developer tooling, the greater the odds of exposed secrets, poisoned automations, and covert token minting or reuse.

It also shows how tightly GitHub, CI/CD and cloud identities are entwined. Gaps remain, as this new wave of attacks demonstrates, when companies fail to enforce short-lived credentials, audit for unusual workflow changes, and tightly restrict which apps can create or store tokens, whatever GitHub's defaults allow. Verizon's Data Breach Investigations Report continues to show third-party exposure and compromised credentials featuring prominently in enterprise breaches; this case checks both boxes.


What customers should do now

Salesloft says its investigation indicates the breach is contained and that Drift's Salesforce integration is live again. Even so, Drift customers should assume that any OAuth token connected to Drift may have been compromised and act accordingly.

– Revoke and regenerate the OAuth tokens for Drift and any linked apps, re-issuing them with the minimum permissions required.

– Review Salesforce Connected Apps, login history, and event monitoring for atypical API calls, bulk exports, or access from unusual IP ranges.

– Rotate any credentials that may have been exposed through support tickets (such as AWS keys and Snowflake tokens), and review for unauthorized activity in CloudTrail, IAM Access Analyzer, and Snowflake login history.

– For GitHub and CI/CD: require 2FA, restrict repository access, review audit logs for guest additions and workflow changes, and enable organization-wide secret scanning with push protection.

– Move to non-permanent access patterns: short-lived OAuth access tokens with refresh-token rotation, federated roles instead of static cloud keys, and automatic expiration for credentials shared through support workflows.
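The second item in the list, reviewing Connected App activity for atypical calls and bulk exports, is the detection that would have caught this campaign at the customer's edge: an integration that normally reads Leads suddenly pulling hundreds of thousands of Case and User rows from a new network. The following is an added example, not code from Salesloft, Salesforce or any victim. It runs three baseline checks (source network, object scope, export volume) plus an inventory check over constructed Salesforce-style API event records. Field names, IP ranges and object lists are simplified and assumed for the example; the real Event Monitoring / EventLogFile schema differs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed Salesforce-style API event records. Field names are simplified
# and assumed for this example; not real customer data.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T13:02:11Z", "app": "Drift", "user": "drift-integration@example.com",
     "ip": "198.51.100.20", "op": "query", "objects": ["Lead", "Contact"], "rows": 120},
    {"ts": "2025-08-09T02:41:07Z", "app": "Drift", "user": "drift-integration@example.com",
     "ip": "203.0.113.77", "op": "query", "objects": ["Case"], "rows": 48000},
    {"ts": "2025-08-09T02:43:52Z", "app": "Drift", "user": "drift-integration@example.com",
     "ip": "203.0.113.77", "op": "bulk_query", "objects": ["Account", "User"], "rows": 210000},
    {"ts": "2025-08-09T09:15:30Z", "app": "Support Desk", "user": "svc-support@example.com",
     "ip": "192.0.2.15", "op": "query", "objects": ["Case"], "rows": 300},
    {"ts": "2025-08-09T11:00:00Z", "app": "Unknown Tool", "user": "svc-support@example.com",
     "ip": "192.0.2.15", "op": "query", "objects": ["Contact"], "rows": 10},
]

# Per-app baseline: the networks the vendor calls from and the objects its
# documented scope actually needs. Assumed values for illustration; derive
# yours from the vendor's published IP ranges and known-good event history.
APP_BASELINE = {
    "Drift": {"cidrs": ["198.51.100.0/24"], "objects": {"Lead", "Contact", "Campaign"}},
    "Support Desk": {"cidrs": ["192.0.2.0/24"], "objects": {"Case", "Contact", "Account"}},
}
BULK_ROWS_THRESHOLD = 10_000  # assumed; tune to the app's normal daily volume


@dataclass(frozen=True)
class Alert:
    ts: str
    app: str
    rule: str
    detail: str


def ip_allowed(ip: str, cidrs: list[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def evaluate(events, baseline=APP_BASELINE, bulk_threshold=BULK_ROWS_THRESHOLD) -> list[Alert]:
    """Compare each API event against the app's baseline and return alerts."""
    alerts = []
    for e in events:
        base = baseline.get(e["app"])
        if base is None:
            # A connected app nobody inventoried is itself the finding;
            # there is no baseline to compare the rest against.
            alerts.append(Alert(e["ts"], e["app"], "unknown_app", f"user={e['user']}"))
            continue
        if not ip_allowed(e["ip"], base["cidrs"]):
            alerts.append(Alert(e["ts"], e["app"], "ip_outside_baseline", e["ip"]))
        # Objects the app touched that its scope never required (Case, User, ...).
        extra = sorted(set(e["objects"]) - base["objects"])
        if extra:
            alerts.append(Alert(e["ts"], e["app"], "object_out_of_scope", ",".join(extra)))
        # Bulk API use or row counts far above normal signal mass exfiltration.
        if e["op"] == "bulk_query" or e["rows"] >= bulk_threshold:
            alerts.append(Alert(e["ts"], e["app"], "bulk_export", f"{e['op']} rows={e['rows']}"))
    return alerts


def count_by_rule(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.ts} {a.app:<14} {a.rule:<22} {a.detail}")
```

In the sample, the two Drift events from 203.0.113.77 trip all three baseline rules at once, which is the shape of a stolen integration token being driven by someone other than the integration. Any one of those rules alone would have produced an alert hours before a vendor disclosure arrived.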

The larger supply chain lesson

This breach fits a larger pattern: attackers reach well-defended organizations through their weakest points of entry, namely their vendors, developer platforms and support channels.

Earlier incidents at developer and CI services have already forced industry-wide token rotations and tighter lockdowns. The lesson is clear: security programs need to apply the same rigor to chatbots, integrations and ticketing systems that they apply to core identity and cloud infrastructure.

For Salesloft and Drift users, the first order of business now is containment and credential hygiene. For everyone else, the lesson is preventive: keep an eye on the code, keep an eye on the automations, and never assume the "helper" app is low-risk. In today's SaaS ecosystems, tokens are the keys, and keys deserve vault-grade protection.

Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.