Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account.
Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It’s currently not known how the digital intruders gained access to the GitHub account. So far, 22 companies have confirmed they were impacted by a supply chain breach.
“With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows,” Salesloft said in an updated advisory.
The investigation also uncovered reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. However, it emphasized there is no evidence of any activity beyond limited reconnaissance.
In the next phase, the attackers accessed Drift’s Amazon Web Services (AWS) environment and obtained OAuth tokens for Drift customers’ technology integrations, with the stolen OAuth tokens used to access data via Drift integrations.
Salesloft said it has isolated the Drift infrastructure, application, and code, and taken the application offline effective September 5, 2025, at 6 a.m. ET. It has also rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications.
“We are recommending that all third-party applications integrated with Drift via API key, proactively revoke the existing key for these applications,” it added.
As of September 7, 2025, at 5:51 p.m. UTC, Salesforce has restored the integration with the Salesloft platform after temporarily suspending it on August 28. This has been done in response to security measures and remediation steps implemented by Salesloft.
“Salesforce has re-enabled integrations with Salesloft technologies, with the exception of any Drift app,” Salesforce said. “Drift will remain disabled until further notice as part of our continued response to the security incident.”
