Salesloft has revealed that the info breach linked to its Drift software began with the compromise of its GitHub account.
Google-owned Mandiant, which started an investigation into the incident, mentioned the menace actor, tracked as UNC6395, accessed the Salesloft GitHub account from March by way of June 2025. To this point, 22 corporations have confirmed they have been impacted by a provide chain breach.
“With this entry, the menace actor was capable of obtain content material from a number of repositories, add a visitor person, and set up workflows,” Salesloft mentioned in an up to date advisory.
The investigation additionally uncovered reconnaissance actions occurring between March 2025 and June 2025 within the Salesloft and Drift software environments. Nonetheless, it emphasised there isn’t any proof of any exercise past restricted reconnaissance.
Within the subsequent section, the attackers accessed Drift’s Amazon Net Providers (AWS) atmosphere and obtained OAuth tokens for Drift clients’ expertise integrations, with the stolen OAuth tokens used to entry knowledge through Drift integrations.
Salesloft mentioned it has remoted the Drift infrastructure, software, and code, and taken the applying offline efficient September 5, 2025, at 6 a.m. ET. It has additionally rotated credentials within the Salesloft atmosphere and hardened the atmosphere with improved segmentation controls between Salesloft and Drift purposes.
“We’re recommending that every one third-party purposes built-in with Drift through API key, proactively revoke the present key for these purposes,” it added.
As of September 7, 2025 at 5:51 p.m. UTC, Salesforce has restored the mixing with the Salesloft platform after briefly suspending it on August 28. This has been carried out in response to safety measures and remediation steps applied by Salesloft.
“Salesforce has re-enabled integrations with Salesloft applied sciences, aside from any Drift app,” Salesforce mentioned. “Drift will stay disabled till additional discover as a part of our continued response to the safety incident.”
