Salesloft says a compromise of its GitHub account set off a supply‑chain attack that led to the theft of OAuth tokens and the subsequent exposure of customer data from its Drift platform, a chatbot and marketing automation product used by major enterprises.
What Salesloft says happened
According to findings by Mandiant, the company’s incident response partner, intruders accessed Salesloft’s GitHub environment and conducted reconnaissance over an extended period. During that time, the attackers pulled code and configuration content from multiple repositories, added a guest user, and stood up new workflows — moves consistent with laying groundwork for wider access and persistence.

Salesloft has characterized the incident as contained. The drawn‑out activity window, however, raises uncomfortable questions about monitoring coverage, alert fidelity, and the speed at which anomalous identity events — such as unexpected guest additions or workflow changes — are triaged inside modern DevOps pipelines.
From GitHub to Drift: how tokens became targets
Investigators say the GitHub foothold enabled access to the Amazon Web Services environment supporting Drift. From there, attackers stole OAuth tokens that customers use to connect Drift to systems like Salesforce and other business platforms. Because OAuth grants scoped API access without requiring a password at every step, stolen tokens can be replayed until revoked or expired — a powerful lever in a supply‑chain scenario.
This pattern fits a broader industry shift: adversaries increasingly harvest cloud and integration credentials rather than brute‑forcing front doors. In recent high‑profile incidents, abused OAuth tokens became the pivot point that turned a single vendor compromise into a multi‑customer problem.
Who was affected and what was taken
Salesloft said attackers used stolen tokens to access some customers’ Salesforce instances and extract data held in support tickets. While the specific impact varies by organization, the company noted that the actors sought credentials and other high‑value secrets, including AWS access keys, passwords, and Snowflake‑related tokens.
Organizations named among those targeted include Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, with more potentially to be identified as investigations proceed. Salesloft said its Salesforce integration has been restored following containment and token revocation steps.
Attribution and extortion claims
Google’s threat intelligence team attributed the broader campaign to a cluster it tracks as UNC6395. Separately, cybersecurity outlets DataBreaches.net and BleepingComputer reported links to the ShinyHunters group, which is known for data theft and extortion. Victims have reportedly received private outreach from the attackers seeking payment, a pattern that has become commonplace as threat actors blend intrusion, data exfiltration, and pressure tactics.
Why the timeline matters
Extended dwell time inside a code hosting environment compounds risk: repositories may contain embedded secrets, CI/CD tokens, or workflow definitions that open doors elsewhere. IBM Security’s Cost of a Data Breach report has long warned that organizations often take roughly nine months on average to identify and contain breaches — a window that gives patient attackers plenty of room to move laterally and cover their tracks.
GitHub has strengthened its baseline protections — including mandatory two‑factor authentication for contributors, fine‑grained personal access tokens, and secret scanning alerts — but those controls only pay off when enterprises enable them broadly, monitor audit logs for anomalies, and limit token scopes and lifetimes.
What organizations should do now
For customers integrating with Drift or similar platforms, immediate steps include rotating all OAuth tokens and connected app credentials, reviewing Salesforce audit logs for suspicious API activity, and scrubbing support tickets for inadvertently stored secrets. Enforce least‑privilege scopes, short lifetimes, and automated revocation for all tokens.
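Scrubbing support tickets for stored secrets is easy to recommend and tedious to do by hand. The following Python script is an added example written for this article, not code from Salesloft, Mandiant, or any of the named vendors: it scans a small set of constructed ticket bodies for the credential types the article says the attackers were after (AWS access keys, passwords, bearer tokens, and a GitHub token format), reports only a short preview of each hit, and produces a redacted copy. The AWS access-key-ID and GitHub classic PAT formats are documented public formats; the remaining patterns are keyword-context heuristics and the ticket contents, ticket IDs, and key values are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample tickets (not real customer data): the sort of content
# a support agent pastes while troubleshooting an integration.
SAMPLE_TICKETS = {
    "T-1001": ("Customer sync fails. Their config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
               "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    "T-1002": "Question about the chat widget colour, nothing else attached.",
    "T-1003": "Repro: curl -H 'Authorization: Bearer ya29.a0AfB_exampleTokenValue1234' https://api.example/v1",
    "T-1004": "Staging login is user=admin password=Tr0ub4dor&3 and the CI token is ghp_" + "a" * 36,
}

# Each entry is (kind, regex). Where the regex has a capture group, the group is
# the secret value; otherwise the whole match is. The AWS access-key-ID and
# GitHub classic PAT formats are well known; the remaining patterns are
# keyword-context heuristics (assumptions) and will produce some false positives.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]+=*)")),
    ("password", re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]?([^\s'\"]+)")),
]


@dataclass(frozen=True)
class Finding:
    ticket_id: str
    kind: str
    preview: str  # first four characters only; the full secret is never stored


def _secret_spans(text):
    """Yield (start, end, kind) for every secret value found in text."""
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            g = 1 if pattern.groups else 0
            yield m.start(g), m.end(g), kind


def scan_ticket(ticket_id, text):
    """Return findings for one ticket, ordered by position in the text."""
    return [Finding(ticket_id, kind, text[s:e][:4] + "...")
            for s, e, kind in sorted(_secret_spans(text))]


def scan_all(tickets):
    """Scan a mapping of ticket_id -> body and return all findings."""
    findings = []
    for ticket_id, text in tickets.items():
        findings.extend(scan_ticket(ticket_id, text))
    return findings


def redact(text):
    """Return text with each secret value replaced by a [REDACTED:kind] marker."""
    out, last = [], 0
    for start, end, kind in sorted(_secret_spans(text)):
        if start < last:  # overlaps a span that was already redacted
            continue
        out.append(text[last:start])
        out.append(f"[REDACTED:{kind}]")
        last = end
    out.append(text[last:])
    return "".join(out)


if __name__ == "__main__":
    for f in scan_all(SAMPLE_TICKETS):
        print(f"{f.ticket_id}: {f.kind} ({f.preview})")
    print(redact(SAMPLE_TICKETS["T-1001"]))
```

Run it over an export of ticket bodies and treat every finding as a credential to rotate, not merely to delete: the ticket is a copy, and the original secret has already been exposed to whoever could read the ticketing system.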
On the engineering side, require SSO and phishing‑resistant MFA for GitHub, restrict guest access, and continuously monitor for new users, workflow edits, and repository exfiltration. Enable secret scanning at the organization level, scan CI/CD pipelines for hard‑coded credentials, and keep environment variables and cloud keys out of code. In cloud, rotate IAM keys, deploy anomaly detection for token use, and quarantine any credentials exposed in tickets or logs.
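Both the GitHub paragraph earlier in the article and the engineering recommendations above come down to the same thing: watch the organization audit log for the sequence Mandiant describes (a member added, code pulled from many repositories, new workflow activity). The script below is an added example written for this article, not tooling from GitHub, Salesloft, or Mandiant. It reads a constructed audit-log excerpt whose field names follow the shape of GitHub's organization audit-log JSON export (`action`, `actor`, `repo`, `user`, `created_at`), and applies three rules: every member addition is surfaced, an actor cloning three or more distinct repositories within an hour is flagged, and a workflow run triggered by an actor added earlier in the same log is correlated. The action strings, the threshold, and the window are assumptions to verify against your own export; the org, repositories, usernames, and timestamps are invented.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log excerpt (not a real export). Field names follow the
# shape of GitHub's organization audit-log JSON; every value is invented.
SAMPLE_AUDIT_LOG = """
{"action":"org.add_member","actor":"ops-admin","user":"contractor-guest","created_at":"2025-03-01T09:00:00Z"}
{"action":"git.clone","actor":"contractor-guest","repo":"acme/drift-backend","created_at":"2025-03-01T09:05:00Z"}
{"action":"git.clone","actor":"contractor-guest","repo":"acme/infra-terraform","created_at":"2025-03-01T09:07:00Z"}
{"action":"git.clone","actor":"contractor-guest","repo":"acme/deploy-scripts","created_at":"2025-03-01T09:09:00Z"}
{"action":"git.clone","actor":"contractor-guest","repo":"acme/secrets-rotation","created_at":"2025-03-01T09:12:00Z"}
{"action":"workflows.created_workflow_run","actor":"contractor-guest","repo":"acme/deploy-scripts","created_at":"2025-03-01T09:30:00Z"}
{"action":"git.clone","actor":"dev-alice","repo":"acme/drift-backend","created_at":"2025-03-01T10:00:00Z"}
{"action":"git.push","actor":"dev-alice","repo":"acme/drift-backend","created_at":"2025-03-01T10:30:00Z"}
"""

# Action names are assumptions modelled on GitHub's audit-log categories;
# confirm them against an export from your own organization.
MEMBER_ADD_ACTIONS = {"org.add_member", "org.invite_member"}
CODE_PULL_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}
WORKFLOW_RUN_ACTION = "workflows.created_workflow_run"

# Tunable assumptions: how many distinct repos within what window counts as bulk pulling.
BULK_CLONE_THRESHOLD = 3
BULK_CLONE_WINDOW = timedelta(minutes=60)


def parse_ts(value):
    """Parse an ISO-8601 timestamp; the trailing 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of alert dicts for the three behaviours described above."""
    alerts = []
    new_members = set()                 # users added during this log window
    recent_pulls = defaultdict(deque)   # actor -> deque of (timestamp, repo)
    bulk_alerted = set()                # actors already flagged for bulk pulling

    for ev in sorted(events, key=lambda e: e["created_at"]):
        ts = parse_ts(ev["created_at"])
        action, actor = ev["action"], ev["actor"]

        if action in MEMBER_ADD_ACTIONS:
            subject = ev.get("user", "<unknown>")
            new_members.add(subject)
            alerts.append({"rule": "new_member", "actor": actor,
                           "subject": subject, "at": ev["created_at"]})

        elif action in CODE_PULL_ACTIONS:
            pulls = recent_pulls[actor]
            pulls.append((ts, ev["repo"]))
            # Drop pulls that fell out of the sliding window.
            while pulls and ts - pulls[0][0] > BULK_CLONE_WINDOW:
                pulls.popleft()
            distinct = {repo for _, repo in pulls}
            if len(distinct) >= BULK_CLONE_THRESHOLD and actor not in bulk_alerted:
                bulk_alerted.add(actor)
                alerts.append({"rule": "bulk_clone", "actor": actor,
                               "repo_count": len(distinct),
                               "repos": sorted(distinct), "at": ev["created_at"]})

        elif action == WORKFLOW_RUN_ACTION and actor in new_members:
            alerts.append({"rule": "new_member_workflow_run", "actor": actor,
                           "repo": ev["repo"], "at": ev["created_at"]})

    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(alert))
```

Run as is, the script emits three alerts, all tied to the newly added account, and nothing for the ordinary clone-and-push by the existing developer. The useful property is the correlation in the third rule: a single workflow run is noise, but a workflow run by an account that appeared in the org minutes earlier is exactly the persistence step the article describes.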
The Salesloft–Drift episode is a pointed reminder: when a vendor’s developer environment is the first domino, the blast radius can quickly reach customers’ core business systems. Hardening identity, shortening token lifetimes, and watching the seams between code, cloud, and SaaS are no longer nice‑to‑haves — they are the control points that decide whether a single compromise becomes an ecosystem‑wide breach.