Salesloft says attackers first breached its GitHub account in March, leading to the theft of Drift OAuth tokens later used in widespread Salesforce data theft attacks in August. [...]
# Incident Report: Salesloft GitHub Breach Leading to Salesforce Data Theft
## Executive Summary
A sophisticated multi-stage intrusion began in March 2025 when attackers compromised Salesloft's GitHub repositories, allowing them to harvest code and establish a foothold. This initial breach escalated in August when threat actors leveraged credentials stolen via the compromised repository to breach Drift's AWS environment, subsequently stealing OAuth tokens. These tokens were then used to conduct widespread supply-chain attacks, targeting Salesloft customers' Salesforce instances to exfiltrate sensitive support data, including credentials and secrets.
## Incident Details
- **Discovery Date:** August 21, 2025 (Initial disclosure of malicious exploitation in Drift application)
- **Incident Date:** Initial access occurred between March and June 2025 (GitHub breach); Exploitation escalated in August 2025.
- **Affected Organization:** Salesloft (and its integration partner, Drift), impacting numerous high-profile customers (e.g., Google, Zscaler, Cloudflare).
- **Sector:** Sales Engagement Platform / SaaS
- **Geography:** Not explicitly stated, but affects globally integrated SaaS customers.
## Timeline of Events
### Initial Access
- **Date/Time:** Between March and June 2025
- **Vector:** Compromise of Salesloft's GitHub account and repositories.
- **Details:** Threat actors gained access, downloaded code, added guest user accounts, and created rogue workflows within the GitHub environment.
### Lateral Movement
- **Date/Time:** Following the initial GitHub access and leading up to August.
- **Vector:** Escalation from the GitHub breach to Drift's AWS environment.
- **Details:** Attackers performed reconnaissance across Salesloft and Drift environments. The key lateral action was breaching Drift's AWS environment, which allowed them to steal OAuth tokens central to the supply chain attack.
### Data Exfiltration/Impact
- **Date/Time:** Primarily August 2025.
- **Vector:** Use of stolen OAuth tokens targeting customer Salesforce instances via the Salesloft/Drift integration.
- **Details:** Threat actors focused on stealing support cases from customer Salesforce environments. The primary objective was to harvest sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens found within support tickets.
### Detection & Response
- **Date/Time:** Detected/Disclosed starting August 21, 2025.
- **Vector:** The malicious exploitation of OAuth tokens was identified, leading to the disclosure.
- **Details:** Salesloft suspended the Salesloft/Salesforce integration as a precautionary measure. Mandiant was engaged to assist with response and forensics.
## Attack Methodology
- **Initial Access:** Compromise of source code repository (GitHub).
- **Persistence:** Establishing rogue guest user accounts and workflows within the compromised GitHub environment.
- **Privilege Escalation:** Exploiting trust relationships, or using credentials/secrets found in the downloaded code or during later reconnaissance, to access the Drift AWS environment.
- **Defense Evasion:** (Not detailed, but implied by the sustained access across multiple environments from March to August).
- **Credential Access:** Harvesting credentials and secrets (AWS keys, passwords, tokens) from customer support cases within Salesforce.
- **Discovery:** Reconnaissance activities performed within Salesloft and Drift environments between March and June.
- **Lateral Movement:** Moving from the GitHub compromise, escalating to compromise of the Drift AWS environment.
- **Collection:** Targeting Salesloft customer support cases within Salesforce, which contained valuable secrets.
- **Exfiltration:** Utilizing stolen OAuth tokens to pull data from connected Salesforce instances.
- **Impact:** Theft of sensitive authentication material and secrets from dozens of customer organizations.
## Impact Assessment
- **Financial:** Not disclosed; the remediation and incident response effort (including the Mandiant engagement) implies significant cost.
- **Data Breach:** Theft of highly sensitive customer data, including AWS access keys, passwords, and authentication tokens inadvertently shared in Salesforce support tickets. Impacts numerous organizations including Google, Zscaler, and Cloudflare.
- **Operational:** Precautionary suspension of the critical Salesloft integration with Salesforce, disrupting customer outreach and sales pipelines until the integration was restored.
- **Reputational:** Significant reputational damage due to the supply-chain nature of the breach affecting key industry partners.
## Indicators of Compromise
*Note: the source text gives no specific IoCs (no domains, IP addresses or hashes); the artifact classes below are derived from the described activity.*
- **Network indicators:** Bulk data retrieval from customer Salesforce instances authenticated with the compromised Drift OAuth tokens; no attacker infrastructure was published in the source.
- **Account/configuration indicators:** Rogue guest user accounts and attacker-created workflows within Salesloft's GitHub environment.
- **Behavioral indicators:** Unusual access patterns or data retrieval (notably of support cases) originating from the compromised Drift AWS environment against trusted third-party integrations (Salesforce).
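The behavioral indicator above (a trusted integration suddenly pulling large volumes of support cases) can be turned into a concrete check. The following is an added example, not code from Salesloft, Drift, Salesforce or Mandiant; it assumes a constructed log schema (`timestamp,connected_app,user,entity,operation,rows`), hypothetical app names, and an owner-maintained allowlist of the objects each connected app is expected to touch.

```python
"""Flag bulk or out-of-scope object retrieval by an OAuth-connected app."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample log (assumed schema, not Salesforce's real event format):
# routine Lead/Contact syncs, then a night-time burst of Case retrieval.
SAMPLE_LOG = """\
timestamp,connected_app,user,entity,operation,rows
2025-08-01T09:00:00Z,chat_sync_app,svc-integration,Lead,Query,120
2025-08-02T09:00:00Z,chat_sync_app,svc-integration,Lead,Query,115
2025-08-03T09:00:00Z,chat_sync_app,svc-integration,Lead,Query,130
2025-08-04T09:00:00Z,chat_sync_app,svc-integration,Contact,Query,90
2025-08-05T09:00:00Z,chat_sync_app,svc-integration,Lead,Query,125
2025-08-08T03:12:00Z,chat_sync_app,svc-integration,Case,Query,48000
2025-08-08T03:15:00Z,chat_sync_app,svc-integration,Case,Query,52000
2025-08-08T10:00:00Z,support_console,alice,Case,Query,40
"""

# Objects each connected app is expected to touch (assumption: an allowlist
# maintained by the integration owner; app names are hypothetical).
EXPECTED_OBJECTS = {"chat_sync_app": {"Lead", "Contact"}, "support_console": {"Case"}}


def find_anomalies(log_text, spike_factor=10):
    """Return (timestamp, app, reason) alerts for (a) access to objects outside
    an app's allowlist and (b) row counts far above the app's median request."""
    records = list(csv.DictReader(io.StringIO(log_text)))
    rows_by_app = defaultdict(list)
    for r in records:
        rows_by_app[r["connected_app"]].append(int(r["rows"]))
    alerts = []
    for r in records:
        app, entity, rows = r["connected_app"], r["entity"], int(r["rows"])
        if entity not in EXPECTED_OBJECTS.get(app, set()):
            alerts.append((r["timestamp"], app, f"unexpected object {entity}"))
        # The median is robust to the burst itself, so a few huge pulls do not
        # drag the baseline up and hide themselves.
        baseline = statistics.median(rows_by_app[app])
        if rows > spike_factor * baseline:
            alerts.append((r["timestamp"], app, f"{rows} rows vs median {baseline:g}"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert)
```

Both checks fire only on the two 03:xx Case pulls; the human agent's small Case query from an app that is allowed to read Cases stays silent.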
## Response Actions
- **Containment measures:** Precautionary suspension of the Salesloft integration with Salesforce. Remediation guidance provided to affected customers.
- **Eradication steps:** Salesloft rotated credentials and hardened defenses. Mandiant conducted threat hunting to verify removal, confirming the threat actor no longer had a foothold.
- **Recovery actions:** Segmentation validation between Salesloft and Drift infrastructure. Restoration of the Salesloft integration with Salesforce after forensic quality assurance review.
## Lessons Learned
- **Key takeaways:** Supply-chain risks are amplified when integration tokens (like OAuth tokens) are centralized or stored within cloud environments that can be compromised via source code repositories. The timeline indicates a prolonged dwell time (March to August) spanning reconnaissance and privilege escalation.
- **What could have been done better:** Segmentation and zero-trust controls between interconnected services (Salesloft/Drift) were likely insufficient, enabling the escalation from GitHub access to the AWS environment that stored the critical tokens.
## Recommendations
- **Prevention measures for similar incidents:** Implement mandatory multi-factor authentication (MFA) on all critical development accounts (e.g., GitHub admins). Apply strict secrets management policies to prevent credentials (AWS keys, tokens) from appearing in source code repositories or support tickets. Enforce rigorous segmentation between distinct organizational environments, even within a tight integration ecosystem. Review and reduce the scope/lifespan of application OAuth tokens used for cross-platform access.
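The recommendation to keep credentials out of support tickets can be enforced at ingestion: scan case text for credential shapes and redact hits before the record is stored or synced to integrations. The following is an added example, not Salesloft's or Salesforce's code; the regexes are heuristics (the AKIA/ASIA access-key-ID shape is AWS-documented, the others are generic), and the sample ticket uses AWS's own documented example key placeholders plus a made-up JWT-shaped string.

```python
"""Detect and redact credentials in support-case text before it is stored."""
import re

# Heuristic patterns. The AKIA/ASIA access-key-ID shape is documented by AWS;
# the rest are generic and will need tuning against real ticket volume.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-char secret only when labelled, to limit false positives
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*[A-Za-z0-9/+=]{40}"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    # three base64url segments: JWT-style bearer tokens (Snowflake, OAuth, ...)
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


def find_secrets(text):
    """Return (kind, matched_text) for every credential hit, in text order."""
    hits = [(m.start(), m.end(), kind)
            for kind, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]
    return [(kind, text[s:e]) for s, e, kind in sorted(hits)]


def redact(text):
    """Replace each hit with a typed placeholder; overlapping hits are merged
    and replacement runs right-to-left so earlier offsets stay valid."""
    spans, merged = [], []
    for kind, pat in SECRET_PATTERNS.items():
        spans += [(m.start(), m.end(), kind) for m in pat.finditer(text)]
    for span in sorted(spans):
        if merged and span[0] < merged[-1][1]:
            continue  # already covered by an earlier, overlapping hit
        merged.append(span)
    for start, end, kind in reversed(merged):
        text = text[:start] + f"[REDACTED:{kind}]" + text[end:]
    return text


# Constructed ticket body. The AWS values are AWS's own documented example
# placeholders, not live credentials; the token is a made-up JWT-shaped string.
SAMPLE_CASE = (
    "Sync broke after rotation. Creds: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "warehouse login password: Tr0ub4dor&3 and token eyJhbGciOi.eyJzdWIi.c2ln"
)

if __name__ == "__main__":
    print(find_secrets(SAMPLE_CASE))
    print(redact(SAMPLE_CASE))
```

Running the redaction at the support-desk boundary means a later token theft against the Case object yields placeholders rather than live AWS keys, passwords and warehouse tokens.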