Salesloft says a March compromise of its GitHub account set off a chain of intrusions that let attackers steal customer OAuth tokens from Drift, the AI chatbot and marketing platform it owns. Those tokens were later used to access data from several large customers, underscoring how a single foothold in source code and cloud automation can ripple into a full-blown supply chain incident.
The company, citing findings from Mandiant (part of Google Cloud), said the intruders spent weeks inside its GitHub environment conducting reconnaissance, pulling content from multiple repositories, adding a guest user, and setting up workflows. Salesloft has since contained the incident and restored its Salesforce integration for Drift, but the fallout illustrates the outsized impact of token theft at scale.

How the GitHub breach unfolded
According to Salesloft’s incident summary, the attackers gained access to its GitHub account and quietly mapped systems before pivoting to cloud resources tied to Drift. From there, they were able to obtain OAuth tokens issued to Drift customers—the same short strings of authorization that power trusted integrations between Drift, Salesforce, and other enterprise platforms.
Mandiant’s assessment describes typical supply chain tradecraft: study the code, understand CI/CD workflows, identify secrets and automations, then move laterally. The months-long dwell time before detection raises uncomfortable questions about repository access monitoring, identity hygiene, and the rigor of alerting around GitHub automations and guest account activity.
Why OAuth token theft magnified the impact
OAuth tokens are designed to let one service act on a user’s behalf without handing over passwords. In enterprise stacks, that often means granting a chatbot or support tool scoped access to a CRM. If those tokens are stolen, attackers inherit whatever access they convey—no phishing required.
Salesloft said the intruders used purloined tokens to access customer Salesforce instances and extract data, including contents of support tickets. The actors also appeared to hunt for sensitive credentials within that data, focusing on items like AWS access keys, account passwords, and Snowflake-related tokens—prime ingredients for deeper compromise across cloud and data platforms.
Known victims and the scope of data
Organizations named by Salesloft as affected include Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, with the full victim list still being assessed. The specific data varied by customer, but the common thread is CRM content and credentials embedded in support artifacts—an all-too-familiar pattern seen in other supplier breaches.
Google’s threat intelligence team has attributed the campaign to a group tracked as UNC6395. Separately, coverage by DataBreaches.net and BleepingComputer has linked the activity to ShinyHunters, a prolific crew known for data theft and extortion. Victims have reported private outreach and pressure tactics consistent with that playbook.
A long dwell time in a short-token world
Mandiant’s recent M-Trends reporting places median global dwell time for detected intrusions at just days, not months—meaning the persistence described here is an outlier that will draw scrutiny. Extended access to developer tooling increases the odds of secret exposure, poisoned automations, and unnoticed token minting or reuse.
The incident also shows how GitHub, CI/CD, and cloud identities are inseparable. Even with GitHub’s two-factor authentication push for active contributors and widespread adoption of secret scanning, gaps remain if organizations don’t enforce short-lived credentials, monitor for unusual workflow changes, and aggressively restrict which apps can create or store tokens. Verizon’s Data Breach Investigations Report continues to highlight third-party exposure and stolen credentials as dominant factors in enterprise breaches—this case checks both boxes.
What customers should do now
Salesloft says the intrusion is contained and Drift’s Salesforce integration is back online. Still, customers should assume any OAuth token tied to Drift could have been at risk and take decisive steps.
– Revoke and reissue OAuth tokens for Drift and any connected apps; enforce the minimum scopes necessary.
– Audit Salesforce Connected Apps, login history, and event monitoring for anomalous API activity, bulk exports, or access from unfamiliar IP ranges.
– Rotate any credentials that may appear in support tickets, including AWS keys and Snowflake tokens; review CloudTrail, IAM Access Analyzer, and Snowflake login history for suspicious use.
– In GitHub and CI/CD, mandate 2FA, restrict repository access, review audit logs for guest additions and workflow changes, and enable organization-wide secret scanning with push protection.
– Implement short-lived access patterns: OAuth with brief lifetimes and refresh rotation, federated roles for cloud access, and automated credential expiry for support workflows.
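An added illustration of the audit and rotation steps above (example code written for this page, not from Salesloft, Salesforce, or the original article): it triages constructed API event records for bulk pulls and unfamiliar source IPs, and locates credential-like strings in exported ticket text so they can be rotated. The event field names, the allow-listed range, and the Snowflake keyword pattern are assumptions; only the AWS AKIA prefix is a documented format.

```python
import ipaddress
import re

# Constructed sample of simplified Salesforce-style API event records.
# Field names are assumed for illustration, not Salesforce's actual schema.
EVENTS = [
    {"ts": "2025-08-09T03:12:41Z", "app": "Drift", "ip": "203.0.113.7", "op": "Query", "rows": 120},
    {"ts": "2025-08-09T03:15:02Z", "app": "Drift", "ip": "198.51.100.23", "op": "BulkExport", "rows": 250000},
    {"ts": "2025-08-09T09:00:10Z", "app": "Drift", "ip": "203.0.113.9", "op": "Query", "rows": 40},
    {"ts": "2025-08-10T01:44:55Z", "app": "Drift", "ip": "198.51.100.23", "op": "Query", "rows": 90000},
]

# Assumed allow-list of the integration's expected egress ranges (placeholder values).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BULK_ROWS = 10000  # assumed threshold for "bulk" in this tenant

# AWS access key IDs carry a fixed AKIA prefix; the Snowflake check is a keyword heuristic.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SNOWFLAKE_RE = re.compile(r"snowflake\S*\s*(?:token|password)\s*[:=]\s*(\S+)", re.I)


def ip_is_known(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def triage_events(events):
    """Return (event, reasons) pairs for records an analyst should review."""
    flagged = []
    for e in events:
        reasons = []
        if not ip_is_known(e["ip"]):
            reasons.append("unfamiliar source IP")
        if e["op"] == "BulkExport" or e["rows"] >= BULK_ROWS:
            reasons.append("bulk data pull")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def find_embedded_secrets(text):
    """Locate credential-like strings in exported ticket text so they can be rotated."""
    hits = [("aws_access_key_id", m.group(0)) for m in AWS_KEY_RE.finditer(text)]
    hits += [("snowflake_secret", m.group(1)) for m in SNOWFLAKE_RE.finditer(text)]
    return hits


if __name__ == "__main__":
    for e, why in triage_events(EVENTS):
        print(e["ts"], e["ip"], e["op"], "->", ", ".join(why))
    # Constructed ticket text using AWS's documented example key ID.
    print(find_embedded_secrets("Customer pasted AKIAIOSFODNN7EXAMPLE and snowflake_token: sf_abc123"))
```

Feed the triage function the real export from event monitoring and the secret finder the ticket body dump; every hit from the latter is a credential to rotate, not merely to note.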
The bigger supply chain lesson
This breach aligns with a broader trend: attackers following the path of least resistance into well-defended enterprises by compromising suppliers, developer platforms, and support channels. Previous incidents at developer and CI providers have prompted industry-wide token rotations and tighter controls. The takeaway is clear—security programs must treat chatbots, integrations, and ticketing systems with the same rigor applied to core identity and cloud infrastructure.
For Salesloft and Drift customers, the immediate priority is containment and credential hygiene. For everyone else, the message is preventive: watch the code, watch the automations, and never assume a “helper” app is low risk. In modern SaaS ecosystems, tokens are keys—and keys deserve vault-grade protection.