Salesloft GitHub Breach Led to Salesforce Data Theft Attacks

Deepanker Verma September 8, 2025 Security

Salesloft has confirmed that a security breach in its GitHub environment earlier this year was the starting point of a large-scale attack that later targeted Salesforce customers. This incident highlights how supply-chain vulnerabilities can escalate into widespread data theft, affecting some of the world’s largest tech organizations.

Between March and June 2025, attackers gained access to Salesloft’s GitHub repositories. During this time, they downloaded code, created unauthorized guest accounts, and set up rogue workflows. These actions gave attackers the initial foothold needed for a broader attack campaign.

The situation worsened when attackers moved into Drift’s AWS environment. Drift, Salesloft’s conversational marketing platform, integrates with Salesforce, Google Workspace, and other enterprise tools. By stealing OAuth tokens from Drift, the attackers were able to access Salesforce data across multiple organizations without needing passwords.

By August 2025, these stolen tokens were used to infiltrate Salesforce instances of multiple high-profile companies, including Google, Cloudflare, Zscaler, Workiva, Tenable, JFrog, Bugcrowd, Proofpoint, and Palo Alto Networks.

The attackers mainly targeted Salesforce support cases, which often contain sensitive information such as AWS keys, Snowflake access tokens, passwords, and other authentication data. Salesloft confirmed that the attackers’ primary goal was to harvest credentials and other secrets for potential further attacks.

This Salesloft–Drift breach directly connects to the incident I reported earlier in August 2025, where hackers used phone calls and social engineering to breach Google’s Salesforce instance. In that incident, attackers impersonated IT staff and used a malicious Data Loader application to steal business contact data. The stolen Drift OAuth tokens from the GitHub breach provided another vector to access similar Salesforce environments. It shows how multiple attack methods converged on the same target.

Additionally, the media hype around 2.5 billion Gmail accounts being at risk, which I clarified in a September 2025 report, was linked to a misinterpretation of this same attack. While OAuth tokens affected Google Workspace integrations, Gmail accounts themselves were never at risk.

Google’s Threat Intelligence Group attributed the attacks to UNC6395, but further investigation revealed involvement from the ShinyHunters extortion gang and actors claiming to be Scattered Spider. Attribution remains complex, but the incident demonstrates how multiple threat actors can exploit the same supply-chain weaknesses.

Salesloft, in collaboration with Mandiant, has rotated all exposed credentials and isolated Drift’s infrastructure. They have also conducted forensic threat hunting and restored Salesforce integration with strengthened security controls. Mandiant confirmed that there are no remaining indicators of compromise within Salesloft’s environment. Salesforce integrations have resumed, and customers have been guided on securely syncing their data.

This incident carries several lessons for organizations. First, OAuth tokens are powerful keys: once compromised, they bypass traditional authentication methods like MFA. Second, any connected service is a potential attack vector, so third-party integrations require scrutiny. Third, support tickets should be treated as sensitive data, because they may contain credentials, keys, or other secrets.
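To act on the last lesson, exported support-case text can be audited for pasted secrets so they can be rotated and redacted. The sketch below is an added example, not code from Salesloft, Salesforce or Mandiant; the detector patterns, function names and sample cases are assumptions made for illustration.

```python
import re

# Heuristic detectors (assumed here, not a complete rule set); group "v" is the secret.
DETECTORS = {
    # AWS access key IDs: 20 characters starting with AKIA or ASIA.
    "aws_access_key_id": re.compile(r"\b(?P<v>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # Disclosures such as "password: x", "api_key=x" or "token is x".
    "labelled_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\b"
        r"\s*(?:is|[:=])\s*(?P<v>\S{6,})"
    ),
}

def find_secrets(text):
    """Return sorted, non-overlapping (start, end, kind) spans of secret values."""
    spans = []
    for kind, rx in DETECTORS.items():
        spans += [(m.start("v"), m.end("v"), kind) for m in rx.finditer(text)]
    kept = []
    for span in sorted(spans):
        if not kept or span[0] >= kept[-1][1]:  # drop hits overlapping an earlier one
            kept.append(span)
    return kept

def redact(text):
    """Replace each detected secret value with a typed placeholder."""
    for start, end, kind in reversed(find_secrets(text)):
        text = text[:start] + f"[REDACTED:{kind}]" + text[end:]
    return text

def audit_cases(cases):
    """Map case id -> sorted secret kinds found; clean cases are omitted."""
    report = {}
    for case_id, body in cases.items():
        kinds = sorted({kind for _, _, kind in find_secrets(body)})
        if kinds:
            report[case_id] = kinds
    return report

# Constructed sample cases, not real data; the key is AWS's documented example ID.
SAMPLE_CASES = {
    "CASE-0001": "Sync fails. Our key is AKIAIOSFODNN7EXAMPLE, please check.",
    "CASE-0002": "Snowflake login: user svc_etl, password: Winter2025!demo",
    "CASE-0003": "Dashboard loads slowly after the last release.",
}

if __name__ == "__main__":
    for cid, kinds in audit_cases(SAMPLE_CASES).items():
        print(cid, kinds, "->", redact(SAMPLE_CASES[cid]))
```

Any case that appears in the report should be treated as a disclosed credential: rotate the secret first, then store only the redacted text.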


About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
