What Happened in the Salesloft Data Breach?
A major cybersecurity supply-chain incident involving the Atlanta-based company, Salesloft, was recently uncovered by Google’s Threat Intelligence Group, an attack that could have far-reaching consequences. Salesloft is the creator of a popular AI-powered sales engagement platform used by B2B sales teams. The attack can be traced to March of 2025, when attackers gained access to Salesloft’s GitHub account. Once the account was compromised, the attackers downloaded code repositories, added another user account, and manipulated automated workflows to give themselves a backdoor into the system. From there, the attackers targeted Drift, a chatbot platform that integrated with Salesloft, and infiltrated Drift’s cloud environment.
The attackers’ major breakthrough came when they stole the OAuth tokens used to integrate Drift with platforms like Salesforce, Slack, Google Workspace, and cloud storage. Because an OAuth token stands in for an already-authorized integration, this allowed them to impersonate Drift and access customer data in those platforms without triggering alerts. They then used automated tools to extract large volumes of data from Salesforce over a ten-day period. The exfiltrated data included customer contact details, support case content, and even credentials embedded in that content, such as AWS keys, API keys, passwords, and Snowflake tokens. This allowed them to not only steal data but also potentially gain access to the other systems those credentials unlock. Over 700 organizations were affected by this attack, including Cloudflare, Nutanix, Palo Alto Networks, and Zscaler. The stolen data can now be used for phishing, identity theft, and follow-on attacks against the systems reachable with the embedded credentials.
What were the Indicators of Compromise (IoC) in the Salesloft Incident?
Salesloft detected suspicious activity within its Drift application on August 20 and urged customers to reauthenticate their integrations. The company worked in coordination with Salesforce to revoke all active Drift integration OAuth tokens and remove the Drift app from the Salesforce AppExchange. Google’s Threat Intelligence Group was then brought in, confirmed that the OAuth tokens had been stolen, and traced the attack to a group tracked as UNC6395. For affected customers, the observable indicators were activity performed under the Drift integration’s identity: high-volume queries against Salesforce objects the integration had no business reading, and query jobs that were later deleted.
What were the Actions Taken to Remedy the Salesloft Breach?
Although the attackers deleted query jobs to hide their tracks, some logs remained intact for forensic analysis. All companies integrated with Drift were notified of the breach and were urged to revoke and rotate credentials for all connected third-party apps and to investigate their own systems for unauthorized access. Because the exfiltrated records themselves contained credentials, rotation cannot stop at the OAuth tokens: any secret that was ever pasted into a contact record or support case has to be treated as exposed.
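Knowing which embedded credentials to rotate requires scanning the exported records for them. The following is an added example, not code from the original article or from Salesloft, Salesforce, or Google: it runs a small set of credential-shaped regexes over constructed support-case text (the record IDs, case bodies, and the AWS key value, which is AWS's documented placeholder key, are invented for illustration) and groups the redacted hits by credential type so each owning team gets a rotation list. The AWS access key ID format is fixed and matched precisely; the password and generic API-key patterns are deliberately broad and are meant to surface candidates for triage, not to give a verdict.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str
    redacted: str  # enough of the value to tell which credential it is


# Regexes for credential formats we can recognise with reasonable confidence.
# AWS access key IDs are AKIA (long-term) or ASIA (temporary) plus 16 uppercase
# alphanumerics. The other patterns are broad and will produce some false
# positives; they exist to surface candidates for human triage.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    "slack_token": re.compile(r"\b(xox[abprs]-[A-Za-z0-9-]{10,})"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "generic_api_key": re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}


def redact(value: str) -> str:
    """Keep a short prefix so the owner can identify the credential without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_record(record_id: str, text: str) -> list:
    """Return one Finding per credential-shaped match in a single record."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(record_id, kind, redact(match.group(1))))
    return findings


def scan_records(records) -> list:
    """records: iterable of (record_id, text) pairs, e.g. exported Case descriptions."""
    out = []
    for record_id, text in records:
        out.extend(scan_record(record_id, text))
    return out


def rotation_plan(findings) -> dict:
    """Group findings by credential type so each owning team gets one list."""
    plan = {}
    for f in findings:
        plan.setdefault(f.kind, []).append(f"{f.record_id}: {f.redacted}")
    return plan


# Constructed sample records (not real customer data), shaped like exported
# Salesforce Case descriptions. The AWS key is AWS's published example value.
SAMPLE_CASES = [
    ("500xx0001", "Customer cannot reach S3. They shared AKIAIOSFODNN7EXAMPLE and the secret in chat."),
    ("500xx0002", "Reset done. Temporary login: password=Winter2025!Reset then forced change."),
    ("500xx0003", "Normal case, no credentials here. Ticket about invoice formatting."),
    ("500xx0004", "Snowflake connector failing; user pasted token=SFXJ8mPq2kLw9RtV3bNc7yHd0aGe"),
]


if __name__ == "__main__":
    for kind, items in rotation_plan(scan_records(SAMPLE_CASES)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run against a real export, feed the resulting plan to the teams that own each credential type, and treat every hit as compromised regardless of whether the attacker's deleted query jobs can be shown to have touched that particular record.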
What Steps Can You Take to Prevent This Breach at Your Organization?
The Salesloft data breach is a clear example of how the compromise of a trusted vendor can quickly cascade across many other connected businesses. Like many breaches, the attack was made possible by the compromise of a single account early on, in this case, a GitHub account. GitHub offers MFA to all its customers as an additional authentication layer. It is a simple measure that makes account compromise much more difficult. The caveat is that MFA protects the interactive login, not the tokens issued afterwards: once the attackers held Drift's OAuth tokens, no second factor stood between them and the Salesforce data, which is why revoking and rotating tokens mattered as much as hardening logins.
The attack also illustrates the importance of enforcing the principle of least privilege (PoLP) for high-value secrets such as OAuth tokens: grant an integration only the scopes and objects it actually needs, keep token lifetimes short, and restrict where the tokens can be used from. Too often, organizations default to overly permissive cloud configurations that create unnecessary attack surface and expose high-value assets to compromise. Weak token governance could have been strengthened through short-lived credentials and just-in-time access controls, which significantly reduce the window of opportunity for abuse. Additionally, many companies that integrated the Drift chatbot neglected to properly restrict its permissions within their environments, so a token meant for a chatbot could read support cases and account records it had no reason to touch.
Security monitoring needs to be implemented to flag suspicious activity such as anomalous API usage, bulk downloads, account creations, or unapproved third-party access in real time. Organizations must also actively review the monitoring practices of all integrated supply chain vendors to ensure end-to-end visibility and effective early warning across their ecosystem.
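The monitoring described above only works if the rules are concrete. The following is an added example, not code from the original article or from any vendor named on the page: it runs four detections over a constructed, simplified API event log (the JSON field names, the app names `drift-integration`, `marketing-sync` and `unknown-cli`, the actor addresses, and the thresholds are all assumptions for illustration, not Salesforce's real event schema). The rules flag a connected app that is not on the approved list, an integration reading objects outside its expected scope, a bulk pull measured as rows returned across distinct objects inside a sliding one-hour window, and any user-creation event. The sample log mirrors the page's narrative: a chatbot integration that normally reads a few Leads and Contacts suddenly exports Accounts, Cases and Users, then a new account appears and an unknown client starts querying.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Allowlist of connected apps approved by the security team (assumption for the example).
APPROVED_APPS = {"drift-integration", "marketing-sync"}
# Objects each app is expected to touch; anything else violates least privilege.
EXPECTED_OBJECTS = {
    "drift-integration": {"Lead", "Contact"},
    "marketing-sync": {"Lead", "Campaign"},
}

WINDOW = timedelta(hours=1)
ROW_THRESHOLD = 10_000   # rows returned per app within WINDOW before we call it a bulk pull
OBJECT_THRESHOLD = 3     # distinct objects per app within WINDOW


def parse_events(lines):
    """Parse one JSON event per line (constructed format) and return them in time order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (rule, principal, detail) alerts in the order they fire."""
    alerts = []
    per_app = defaultdict(list)   # app -> query events still inside the sliding window
    bulk_flagged = set()          # apps already reported for bulk export (one alert per app)
    for e in events:
        app = e.get("app", "")
        if e["type"] == "UserCreate":
            alerts.append(("account_created", e["actor"], f"created user {e['target']}"))
            continue
        if app not in APPROVED_APPS:
            alerts.append(("unapproved_app", app, f"{e['type']} on {e.get('object')}"))
            continue
        if e["type"] != "Query":
            continue
        if e["object"] not in EXPECTED_OBJECTS.get(app, set()):
            alerts.append(("out_of_scope_object", app, e["object"]))
        # Slide the window: keep only queries within WINDOW of the current event.
        window = [q for q in per_app[app] if e["ts"] - q["ts"] <= WINDOW] + [e]
        per_app[app] = window
        rows = sum(q["rows"] for q in window)
        objects = {q["object"] for q in window}
        if (rows >= ROW_THRESHOLD or len(objects) >= OBJECT_THRESHOLD) and app not in bulk_flagged:
            bulk_flagged.add(app)
            alerts.append(("bulk_export", app, f"{rows} rows across {sorted(objects)} within {WINDOW}"))
    return alerts


# Constructed sample log (not real telemetry): normal traffic in the morning, then
# an out-of-scope bulk pull, a new account, and an unapproved client in the afternoon.
SAMPLE_LOG = """
{"ts": "2025-08-08T09:00:00", "type": "Query", "app": "drift-integration", "actor": "drift@corp.example", "object": "Lead", "rows": 40}
{"ts": "2025-08-08T09:05:00", "type": "Query", "app": "drift-integration", "actor": "drift@corp.example", "object": "Contact", "rows": 25}
{"ts": "2025-08-08T10:30:00", "type": "Query", "app": "marketing-sync", "actor": "mkt@corp.example", "object": "Campaign", "rows": 120}
{"ts": "2025-08-08T13:00:00", "type": "Query", "app": "drift-integration", "actor": "drift@corp.example", "object": "Account", "rows": 8000}
{"ts": "2025-08-08T13:02:00", "type": "Query", "app": "drift-integration", "actor": "drift@corp.example", "object": "Case", "rows": 6500}
{"ts": "2025-08-08T13:04:00", "type": "Query", "app": "drift-integration", "actor": "drift@corp.example", "object": "User", "rows": 900}
{"ts": "2025-08-08T13:10:00", "type": "UserCreate", "app": "", "actor": "drift@corp.example", "target": "svc-backup@corp.example"}
{"ts": "2025-08-08T13:15:00", "type": "Query", "app": "unknown-cli", "actor": "svc-backup@corp.example", "object": "Opportunity", "rows": 3000}
"""


if __name__ == "__main__":
    for rule, principal, detail in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{rule:20} {principal:22} {detail}")
```

The thresholds are the part that has to be tuned per tenant: set them from a baseline of what each integration normally reads, and make the out-of-scope rule fire before the bulk rule does, since the first out-of-scope object is the earliest signal and arrives before the row count becomes alarming.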