
SalesLoft has revealed that the data breach linked to its Drift application started with a GitHub account compromise.
Google-owned Mandiant, which began investigating the incident, said the threat actor, tracked as UNC6395, accessed the SalesLoft GitHub account from March to June 2025. So far, 22 companies have confirmed that they were affected by the supply chain breach.
“This access allowed threat actors to download content from multiple repositories, add guest users, and establish workflows,” SalesLoft said in an updated advisory.
The investigation revealed reconnaissance activities that occurred in the SalesLoft and Drift application environments between March 2025 and June 2025. However, it emphasized that there was no evidence of activity beyond limited reconnaissance.
In the next phase, the attacker accessed Drift's Amazon Web Services (AWS) environment and obtained OAuth tokens for Drift customers' technology integrations, then used the stolen OAuth tokens to access data via Drift integrations.

SalesLoft said it isolated the Drift infrastructure, application and code and took the application offline on September 5, 2025 at 6 a.m. ET. It has also hardened the environment by rotating credentials in the SalesLoft environment and improving segmentation controls between the SalesLoft and Drift applications.
“All third-party applications that have been integrated with Drift via API keys are encouraged to actively undo existing keys for these applications,” it added.
As of 5:51 p.m. UTC on September 7, 2025, Salesforce has restored its integration with the SalesLoft platform after temporarily suspending it on August 28. The restoration was made in response to the security measures and remediation steps implemented by SalesLoft.
“Salesforce allows you to reuse integrations with SalesLoft technology, except for Drift apps,” Salesforce said. “As part of our ongoing response to security incidents, Drift will be disabled until further notice.”