The Salesloft Drift Data Breach began when a Salesloft GitHub account was compromised, giving the tracked threat actor UNC6395 access from March through June 2025 and leading to a supply-chain incident that impacted 22 companies. You need to treat this as a supply-chain attack that started in source control rather than in the application layer alone.
The attacker downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance in both Salesloft and Drift environments occurred between March 2025 and June 2025.
The adversary later accessed Drift’s AWS environment and obtained OAuth tokens for customer integrations, which were then used to access data via Drift integrations.
Mandiant's investigation found reconnaissance activity but no evidence of activity beyond limited reconnaissance to date. You should treat that as a positive signal while remaining cautious about potential downstream misuse of exposed tokens or repo contents.
Salesloft has taken decisive containment steps: it isolated Drift infrastructure, application, and code and took the Drift application offline on September 5, 2025 at 6:00 a.m. ET. The company also rotated credentials within its environment and hardened segmentation controls between Salesloft and Drift.
Salesloft recommends that all third-party applications integrated with Drift via API key proactively revoke existing keys. If you integrate with Drift, you should revoke API keys and OAuth tokens now, audit integration scopes, and rotate any credentials that may have been exposed.
Salesforce restored its integration with the Salesloft platform on September 7, 2025 at 5:51 p.m. UTC after temporarily suspending it on August 28, but Salesforce will not re-enable any Drift app—Drift remains disabled until further notice.
If you use Salesloft or Drift, act immediately: revoke API keys and OAuth tokens, rotate credentials, audit logs for unusual access, and verify vendor remediation. Prioritize integrations that rely on Drift tokens and treat any exposed tokens as compromised until you can validate otherwise.
Techniques of the Intrusion: Accessing GitHub Repositories
The Salesloft GitHub account was compromised by UNC6395 between March and June 2025, enabling the actor to download content from multiple repositories, add a guest user, and establish workflows. These actions set the stage for the Salesloft Drift Data Breach and exposed development artifacts you rely on for integrations.
Reconnaissance and Data Extraction: A Closer Look at the Attack Path
Reconnaissance activity took place in the Salesloft and Drift environments from March–June 2025, after which attackers moved into Drift’s AWS, obtained OAuth tokens for Drift customers, and used those tokens to access data via integrations. This chain of events impacted 22 companies in the supply chain breach.
You should understand the progression: code and repo access enabled cloud pivoting, which allowed token theft and lateral access to customer data. In response, Salesloft has isolated Drift and taken the application offline on Sept 5, 2025, rotated credentials, hardened segmentation, and recommends you revoke existing API keys for third‑party apps. Salesforce has re‑enabled most integrations (Drift remains disabled).
Identifying Affected Clients: The Rippling Effects on 22 Companies
In the Salesloft Drift Data Breach, a compromised GitHub account allowed the threat actor tracked as UNC6395 to operate from March through June 2025, resulting in confirmed impacts on 22 companies.
You should check whether your systems used Drift OAuth tokens or API keys, since stolen tokens were used to access customer data via Drift integrations.
Initial Responses from Salesloft and Drift: Immediate Measures Taken
Salesloft reports it has isolated the Drift infrastructure, taken the application offline (effective Sept 5, 2025 at 6 a.m. ET), and rotated credentials while hardening segmentation between applications. You are being advised to revoke existing API keys for third‑party Drift integrations; Salesforce restored most integrations by Sept 7, 2025 but Drift remains disabled pending further remediation.
Mandiant’s investigation found that the attacker accessed Salesloft’s GitHub from March–June 2025, downloaded repository content, added a guest user, and established workflows, then moved to Drift’s AWS to obtain OAuth tokens used to retrieve data via integrations, impacting 22 companies.
Salesloft has isolated Drift, taken the app offline, rotated credentials, improved segmentation, and is urging you to proactively revoke API keys; Salesforce re‑enabled most Salesloft integrations on Sept 7, 2025 (5:51 p.m. UTC) while Drift remains disabled.

Isolation and Application Remediation: Steps Taken Post-Incident
After the Salesloft Drift Data Breach began with a GitHub compromise, Salesloft isolated the Drift infrastructure and application and took the app offline on Sept 5, 2025; it also rotated credentials, hardened segmentation controls, and suspended integrations. You should revoke API keys for third‑party apps, verify OAuth token revocations, and follow the advisory. Mandiant found UNC6395 accessed repos from March to June 2025 and obtained OAuth tokens used to access integrations.
Long-Term Security Enhancement Plans: Future-proofing Against Threats
Salesloft is adopting stronger segmentation, continuous monitoring, and stricter GitHub and CI/CD controls so you face fewer exposure points; you can expect forced token rotation, enhanced vendor vetting, and regular audits after the incident that impacted 22 companies.
These steps aim to reduce lateral movement and limit token misuse that enabled the Salesloft Drift Data Breach.
To future‑proof your environment, Salesloft will enforce least‑privilege access, require MFA and hardened GitHub/AWS access, implement ephemeral OAuth tokens and automated secret rotation, and run continuous dependency and supply‑chain scans guided by Mandiant’s findings about UNC6395’s March–June 2025 reconnaissance. You should expect tighter vendor controls, regular penetration testing, and clear token‑lifecycle policies so a stolen token cannot be reused; note that Drift remains disabled while integrations were partially restored on Sept 7, 2025, and the attack’s most dangerous element was the exfiltration of OAuth tokens used to access customer data.
The Importance of GitHub Security: Protecting Code Repositories
When your GitHub account is compromised, as in the compromise that triggered the Salesloft Drift Data Breach, an attacker like UNC6395 can access repositories for months (March–June 2025), download code, add guest users, and create malicious workflows. You must enforce MFA, rotate tokens, limit repo access, and segment CI/CD pipelines to prevent workflow abuse and reduce supply‑chain exposure.
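The three behaviours described above (repository downloads, a newly added user, and new workflows) can be hunted for in an organization's audit log. The following is an added example, not code from Salesloft or Mandiant; the simplified event schema, the sample events, and the names `review`, `approved_workflows` and `bulk_threshold` are assumptions, and the action names should be confirmed against your own audit log export.

```python
import json
from collections import defaultdict

# Audit-log action names to watch; confirm them against your own export.
ACCESS_GRANTS = {"org.add_member", "org.invite_member", "repo.add_member"}
DOWNLOADS = {"git.clone", "repo.download_zip"}
WORKFLOW_RUN = "workflows.created_workflow_run"

# Constructed sample events, one JSON object per line (simplified, assumed schema).
SAMPLE = """
{"ts":"2025-03-10T02:11:00Z","actor":"dev-a","action":"git.clone","repo":"acme/api"}
{"ts":"2025-03-10T02:12:00Z","actor":"dev-a","action":"git.clone","repo":"acme/web"}
{"ts":"2025-03-10T02:13:00Z","actor":"dev-a","action":"repo.download_zip","repo":"acme/infra"}
{"ts":"2025-03-11T09:00:00Z","actor":"dev-b","action":"git.clone","repo":"acme/api"}
{"ts":"2025-03-12T03:30:00Z","actor":"dev-a","action":"org.add_member","target":"guest-x"}
{"ts":"2025-03-12T03:40:00Z","actor":"dev-a","action":"workflows.created_workflow_run","repo":"acme/api","workflow":"sync-secrets"}
{"ts":"2025-03-12T10:00:00Z","actor":"dev-b","action":"workflows.created_workflow_run","repo":"acme/api","workflow":"ci"}
"""

def review(log_text, approved_workflows, bulk_threshold=3):
    """Return (finding, actor, detail) tuples for events that need a human look."""
    findings = []
    repos_by_actor_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        actor, action = ev["actor"], ev["action"]
        if action in ACCESS_GRANTS:
            # Every new member, invitee or collaborator should map to a known request.
            findings.append(("access_grant", actor, ev["target"]))
        elif action == WORKFLOW_RUN and ev["workflow"] not in approved_workflows:
            findings.append(("unapproved_workflow", actor, f'{ev["repo"]}:{ev["workflow"]}'))
        elif action in DOWNLOADS:
            repos_by_actor_day[(actor, ev["ts"][:10])].add(ev["repo"])
    # One identity pulling many distinct repositories in a single day is unusual.
    for (actor, day), repos in sorted(repos_by_actor_day.items()):
        if len(repos) >= bulk_threshold:
            findings.append(("bulk_download", actor, f"{len(repos)} repos on {day}"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, approved_workflows={"ci", "release"}):
        print(finding)
```

Because the actor here is a legitimate but compromised account, the checks key on what was done rather than on who did it.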
Navigating Third-Party Integrations: Safeguarding API Access
You need to treat integrations as high-risk: attackers moved from GitHub into Drift’s AWS and exfiltrated OAuth tokens, enabling access across 22 impacted companies. Salesloft recommends you revoke existing API keys and rotate credentials for apps integrated via Drift; audit permissions, enforce least privilege, and monitor token use to prevent lateral access.
For deeper protection, you should immediately revoke and rotate OAuth tokens and API keys, adopt short‑lived tokens with granular scopes, and require explicit app approvals and MFA for service accounts. Instrument logging and anomaly detection for token activity, isolate third‑party access with strict network segmentation, and coordinate remediation with vendors—Salesloft’s decision to isolate Drift and take it offline on Sep 5, 2025, then rotate credentials, shows how isolation plus hardening limits damage while Salesforce’s partial restore on Sep 7, 2025 highlights the need for vendor alignment.
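One way to instrument anomaly detection for token activity, as an added example that is not part of the original article or any vendor's tooling: learn each integration token's usual source networks and read volume over a baseline window, then flag later use that departs from it. The log format, sample rows, thresholds and the names `detect`, `baseline_end` and `volume_factor` are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed integration access log: day, token id, source IP, records read.
# IPs are from documentation ranges; nothing here is data from the incident.
LOG = """
2025-07-28 tok-crm-01 198.51.100.10 120
2025-07-29 tok-crm-01 198.51.100.11 140
2025-07-30 tok-crm-01 198.51.100.10 110
2025-07-29 tok-chat-02 203.0.113.5 40
2025-08-09 tok-crm-01 198.51.100.12 130
2025-08-10 tok-crm-01 192.0.2.77 9000
2025-08-10 tok-chat-02 203.0.113.9 45
2025-08-11 tok-new-03 192.0.2.80 10
"""

def network(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so address churn within one site is tolerated."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def detect(log, baseline_end, volume_factor=5):
    """Learn per-token behaviour up to baseline_end, then flag deviations after it."""
    seen_nets = defaultdict(set)   # token -> source networks seen in the baseline
    peak = defaultdict(int)        # token -> largest daily read in the baseline
    rows = sorted(line.split() for line in log.splitlines() if line.strip())
    alerts = []
    for day, token, ip, count in rows:
        count = int(count)
        if day <= baseline_end:    # ISO dates compare correctly as strings
            seen_nets[token].add(network(ip))
            peak[token] = max(peak[token], count)
            continue
        if token not in seen_nets:
            # A token with no history cannot be judged; surface it for inventory review.
            alerts.append((day, token, "no_baseline"))
            continue
        if network(ip) not in seen_nets[token]:
            alerts.append((day, token, "new_network"))
        if count > volume_factor * peak[token]:
            alerts.append((day, token, "volume_spike"))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG, baseline_end="2025-07-31"):
        print(alert)
```

A stolen token replayed from attacker infrastructure typically trips both conditions at once, which is why the two checks are reported separately rather than merged into one score.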
Final Words
To wrap up, the Salesloft Drift Data Breach started with a compromised GitHub account that led to stolen OAuth tokens and impacts to 22 companies; you should revoke and rotate API keys, audit your integrations, enforce stricter segmentation, and monitor logs while Salesloft and partners continue remediation and restore services responsibly.