Salesloft Confirms GitHub Breach Led to Mass Supply-Chain Attack on Big Tech Customers

Salesloft has disclosed that a breach of its GitHub account earlier this year allowed hackers to steal authentication tokens, which were later used in a widespread supply-chain attack impacting several major technology companies. The incident, which took place between March and June, was uncovered following an investigation by Google’s incident response unit, Mandiant.

According to Salesloft’s data breach disclosure, the attackers gained access to the company’s GitHub account and conducted reconnaissance activities for months, allowing them to “download content from multiple repositories, add a guest user and establish workflows.” The company acknowledged that it took roughly six months to detect the intrusion — a timeline that raises fresh concerns about its security practices.

Salesloft stated that the breach has now been “contained.” However, after compromising its GitHub account, the attackers pivoted to Salesloft’s Amazon Web Services environment, targeting its AI-powered marketing platform Drift. There, they stole OAuth tokens belonging to Drift customers. OAuth, a widely used authorization standard, enables one app to securely connect with another — such as allowing Drift to integrate with platforms like Salesforce.

Using the stolen tokens, the threat actors were able to breach several Salesloft customers, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable. The full extent of the affected customer base remains unknown. Google’s Threat Intelligence Group publicly disclosed the breach in late August, attributing the campaign to a group it tracks as UNC6395.

Cybersecurity outlets DataBreaches.net and Bleeping Computer have reported that the perpetrators are likely ShinyHunters, a prolific hacking group known for data theft and extortion campaigns. Reports indicate the hackers are contacting some of the victims directly in an attempt to extort them.

Salesloft’s August 26 update detailed the attackers’ goals: “The actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.” By accessing Salesforce instances tied to affected customers, the hackers exfiltrated sensitive data stored in support tickets.
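The credential types named in Salesloft's update (AWS access keys, passwords, Snowflake access tokens) are exactly what a defender should be searching for in their own support-ticket data before an attacker does. The scanner below is an added example written for this article, not code from Salesloft, Salesforce, Mandiant or the article itself. It assumes ticket bodies have already been exported as strings, relies on the published AWS access key ID format (AKIA/ASIA prefix plus 16 characters), and uses keyword heuristics that are assumptions for the password and Snowflake cases. Every match is redacted so the findings report never reproduces a secret. The sample tickets are constructed; the AWS key values are the placeholder examples from AWS documentation.

```python
import re
from typing import Dict, List

# Detection patterns. The AWS access key ID format is public and is matched
# case-sensitively; the other three are heuristics assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})",
        re.IGNORECASE,
    ),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?(\S{8,})", re.IGNORECASE
    ),
    "snowflake_token": re.compile(
        r"snowflake[_-]?(?:token|pat)\s*[=:]\s*['\"]?(\S{20,})", re.IGNORECASE
    ),
}

# Constructed sample tickets standing in for an export of support-ticket bodies.
SAMPLE_TICKETS = {
    "TCK-1001": (
        "Customer reports 403 from S3 and pasted their CLI config:\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "TCK-1002": "Service account login keeps failing. password: Winter2025!Rotate\n",
    "TCK-1003": "Dashboard shows stale data; no credentials attached.\n",
    "TCK-1004": "Warehouse query times out. snowflake_token = eyJhbGciOiJIUzI1NiJ9.CONSTRUCTED-EXAMPLE-TOKEN\n",
}


def redact(secret: str) -> str:
    """Keep only a short prefix so a finding can be triaged without leaking the value."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_ticket(ticket_id: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-like match, with the secret redacted."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group isolate the secret; otherwise use the whole match.
                secret = match.group(match.lastindex or 0)
                findings.append(
                    {"ticket": ticket_id, "line": line_no, "kind": kind, "preview": redact(secret)}
                )
    return findings


def scan_all(tickets: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan every ticket body and concatenate the redacted findings."""
    results: List[Dict[str, object]] = []
    for ticket_id, text in tickets.items():
        results.extend(scan_ticket(ticket_id, text))
    return results


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_TICKETS):
        print(f"{finding['ticket']} line {finding['line']}: {finding['kind']} -> {finding['preview']}")
```

A hit means the ticket, and any connected Salesforce instance holding it, contained a credential that should be treated as exposed and rotated; the value of this check is that it runs before any OAuth token is abused, so the harvest described above finds nothing live.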

Salesloft has since restored its integration with Salesforce, assuring customers that its systems are now secure. The incident highlights the growing risk of supply-chain attacks targeting developer tools and cloud environments, with ripple effects across multiple enterprises.
