Salesloft Attributes Drift Customer Data Theft to March GitHub Account Hack
Salesloft revealed that a security breach of its GitHub account in March facilitated a wider cyberattack targeting several prominent technology companies. The breach enabled hackers to steal authentication tokens, which were subsequently used to gain unauthorized access to customer data within Salesloft’s AI-driven marketing platform, Drift.
Investigation Uncovers Extended Reconnaissance
According to an investigation led by Google’s incident response team, Mandiant, the attackers accessed Salesloft’s GitHub account and conducted reconnaissance activities from March through June. This prolonged access allowed them to download repository content, add guest users, and establish automated workflows, raising concerns about the company’s security monitoring and detection capabilities given the six-month delay in identifying the intrusion.
OAuth Token Theft Enables Supply Chain Breach
Following the GitHub compromise, the hackers infiltrated Salesloft’s Amazon Web Services (AWS) environment supporting Drift. They extracted OAuth tokens used to authorize integrations between Drift and external platforms such as Salesforce. Exploiting these tokens, the threat actors accessed Salesforce instances of multiple Salesloft customers, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable. Many affected organizations remain undisclosed.
OAuth tokens facilitate secure connections between applications, but their theft can grant attackers extensive access to sensitive data. Salesloft confirmed that the attackers primarily sought credentials, including AWS access keys, passwords, and Snowflake access tokens, which are critical for cloud and data warehouse operations.
Attribution and Response
Google’s Threat Intelligence Group attributed the supply chain attack to UNC6395, a hacking group previously linked to sophisticated cyber espionage campaigns. Cybersecurity outlets DataBreaches.net and BleepingComputer have reported that the prolific hacking group ShinyHunters may also be involved, reportedly attempting to extort victims through private communications.
Salesloft stated on August 26 that it had restored its Salesforce integration and that the incident is now contained. The company has not disclosed further remediation measures or whether any additional data exfiltration occurred.
Implications and Security Posture
This incident underscores the risks associated with compromised developer accounts and the critical need for robust monitoring of code repositories and cloud environments. The prolonged undetected access highlights challenges in detecting sophisticated attacks that exploit trusted internal systems and integrations.
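The activity the investigation describes (bulk repository cloning, guest users being added, workflows being created) is the kind of thing an organisation's repository audit log should surface. The following is an added illustration, not Salesloft's or Mandiant's code: it runs simple detection rules over a constructed JSON-lines audit log; the action names follow GitHub's audit-log naming as I recall it and should be treated as an assumption to verify against your own export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Audit-log actions matching the reconnaissance the article describes: cloning
# repositories, adding guest users and setting up workflows. Action names follow
# GitHub's audit-log naming as I recall it (an assumption; verify on your export).
WATCHED = {
    "org.invite_member": "guest user invited",
    "repo.add_member": "collaborator added to a repository",
    "workflows.created_workflow_run": "workflow run created",
    "git.clone": "repository cloned",
}
CLONE_BURST = 5                 # distinct repos cloned by one actor ...
WINDOW = timedelta(minutes=30)  # ... within this window = bulk download

def flag_events(lines, known_admins):
    """Return (timestamp, actor, reason) tuples for suspicious audit events."""
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["created_at"])
    alerts, clones, burst_seen = [], defaultdict(list), set()
    for e in events:
        action, actor = e.get("action"), e.get("actor", "?")
        if action not in WATCHED:
            continue
        if action == "git.clone":
            now = datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))
            clones[actor].append((now, e.get("repo")))
            recent = {r for t, r in clones[actor] if now - t <= WINDOW}
            if len(recent) >= CLONE_BURST and actor not in burst_seen:
                burst_seen.add(actor)
                alerts.append((e["created_at"], actor,
                               f"{len(recent)} distinct repos cloned within {WINDOW}"))
        elif actor not in known_admins:   # privileged change by an unexpected account
            alerts.append((e["created_at"], actor, f"{WATCHED[action]} by non-admin account"))
    return alerts

# Constructed sample log in JSON-lines form (not real Salesloft data).
SAMPLE_LOG = """
{"action":"git.clone","actor":"guest-dev","repo":"acme/app-1","created_at":"2025-03-10T02:01:00Z"}
{"action":"git.clone","actor":"guest-dev","repo":"acme/app-2","created_at":"2025-03-10T02:03:00Z"}
{"action":"git.clone","actor":"guest-dev","repo":"acme/infra","created_at":"2025-03-10T02:05:00Z"}
{"action":"git.clone","actor":"guest-dev","repo":"acme/drift-sync","created_at":"2025-03-10T02:06:00Z"}
{"action":"git.clone","actor":"guest-dev","repo":"acme/tooling","created_at":"2025-03-10T02:09:00Z"}
{"action":"org.invite_member","actor":"guest-dev","user":"ext-helper","created_at":"2025-03-10T02:20:00Z"}
{"action":"workflows.created_workflow_run","actor":"guest-dev","repo":"acme/app-1","created_at":"2025-03-11T03:00:00Z"}
{"action":"repo.add_member","actor":"alice-admin","repo":"acme/app-2","created_at":"2025-03-12T10:00:00Z"}
""".strip().splitlines()
```

Running `flag_events(SAMPLE_LOG, known_admins={"alice-admin"})` yields three alerts, all for the `guest-dev` account; the admin's own collaborator change is not flagged.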
Organizations using OAuth for application integrations should reassess token management and implement rigorous access controls to mitigate the risk of token theft leading to broader system compromise.
FinOracleAI — Market View
The breach involving Salesloft’s GitHub account and subsequent OAuth token theft poses significant reputational and operational risks, particularly for SaaS companies relying on cloud integrations. The exposure of customer data from major tech firms may lead to increased scrutiny of Salesloft’s security practices and potential customer churn.
However, the containment and restoration of services mitigate immediate operational disruption. Market participants should monitor for further disclosures about the breach’s scope and any regulatory or legal repercussions.
Impact: negative