Full Report
There’s an update to the Salesloft+Drift portal with results from the Mandiant Drift and Salesloft application investigations: Mandiant’s investigation has determined the threat actor took the following actions: In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories,...
Analysis Summary
# Incident Report: Salesloft and Drift Application Compromise (2025)
## Executive Summary
Between March and June 2025, a threat actor gained access to the Salesloft GitHub account, allowing them to download repository content and upload guest user artifacts. The actor then pivoted to Drift’s AWS environment, stealing customer OAuth tokens. This allowed them to access customer data via connected Drift integrations before the incident was contained through extensive isolation, credential rotation, and hardening efforts validated by Mandiant.
## Incident Details
- Discovery Date: Not explicitly stated; the investigation covers the March–June 2025 activity window.
- Incident Date: March 2025 – June 2025 (Active compromise window)
- Affected Organization: Salesloft and Drift (as related SaaS applications)
- Sector: Software as a Service (SaaS) / Marketing Technology
- Geography: Not specified (assumed global customer base)
## Timeline of Events
### Initial Access
- Date/Time: Starting March 2025
- Vector: Compromise of Salesloft GitHub account.
- Details: Threat actor accessed the Salesloft GitHub account, enabling them to download repository content, add a guest user, and establish workflows, likely through compromised credentials or a vulnerability within the access mechanism.
### Lateral Movement
- Date/Time: Following GitHub access (March–June 2025)
- Vector: Pivot to Drift's AWS environment.
- Details: After accessing Salesloft resources, the threat actor accessed Drift’s AWS environment. This led to the compromise of OAuth tokens belonging to Drift customers' technology integrations.
### Data Exfiltration/Impact
- Date/Time: Ongoing during the compromise window.
- Vector: Use of stolen OAuth tokens.
- Details: The threat actor used the exfiltrated OAuth tokens to access data stored within the integration paths connected to the Drift application environment. Reconnaissance was noted across both Salesloft and Drift application environments.
### Detection & Response
- Date/Time: Updates provided as of September 6, 2025.
- Vector: Internal investigation validated by Mandiant.
- Details: Response involved immediate containment, credential rotation, and threat hunting. The Drift application was taken offline temporarily as a containment measure.
## Attack Methodology
- Initial Access: Compromise of Salesloft GitHub account.
- Persistence: Not explicitly detailed, but likely involved established workflows/guest users in GitHub and continued access via stolen AWS/OAuth credentials in the Drift environment.
- Privilege Escalation: Not explicitly detailed, but gaining access to Drift's AWS environment and customer OAuth tokens suggests escalation or privileged access within the cloud infrastructure.
- Defense Evasion: Not detailed, but activities occurred over several months (March–June 2025) without immediate discovery.
- Credential Access: Theft or compromise of credentials leading to access to the Salesloft GitHub account and subsequent OAuth tokens for Drift customers.
- Discovery: Reconnaissance activities were explicitly noted occurring between March 2025 and June 2025 in both application environments.
- Lateral Movement: Moving from Salesloft GitHub access to Drift's AWS environment.
- Collection: Downloading content from GitHub repositories and accessing customer data via compromised OAuth tokens.
- Exfiltration: Data access via stolen customer integration OAuth tokens.
- Impact: Unauthorized access to sensitive data within connected customer integrations.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Access to data via Drift customer integrations using stolen OAuth tokens. The scope is related to connected customer technologies. Limited evidence of deep compromise within the Salesloft application environment beyond reconnaissance.
- Operational: The Drift Application was temporarily taken offline as part of containment measures.
- Reputational: Significant public interest due to the nature of the multi-stage compromise involving two SaaS providers.
## Indicators of Compromise
*Note: Indicators are reported as per the findings, without defanging based on the source material's context unless specific malicious IPs/URLs were present.*
- Network indicators: Not published in the provided update snippet.
- File indicators: Not published in the provided update snippet.
- Behavioral indicators:
  - Addition of a guest user within Salesloft GitHub.
  - Establishment of workflows within Salesloft GitHub.
  - Reconnaissance activity in the Salesloft and Drift environments (March–June 2025).
  - Use of stolen OAuth tokens to access data through Drift integrations.
## Response Actions
- **Containment:**
  - Isolated and contained the entire Drift infrastructure, application, and code.
  - Temporarily took the Drift Application offline.
  - Rotated all impacted credentials across environments.
- **Eradication:**
  - Performed proactive threat hunting in the Salesloft environment, finding no additional IOCs.
  - Rapidly hardened the Salesloft environment against known attack methods.
  - Conducted threat hunting across Salesloft infrastructure based on Mandiant intelligence (IOC analysis, analysis of activity related to compromised credentials, and activity circumventing security controls).
- **Recovery:**
  - Mandiant verified technical segmentation between Salesloft and Drift applications and infrastructure.
  - Incident declared contained following verification.
## Lessons Learned
- The attack demonstrated the risk inherent in interconnected SaaS environments: a single upstream compromise (here, a developer tool such as GitHub) can be leveraged to pivot into a separate but related cloud infrastructure (Drift's AWS).
- The investigation confirmed technical segmentation between the Salesloft and Drift application environments post-incident.
- Initial compromise (GitHub access) was potentially deeper than initially understood, allowing for sustained access and reconnaissance over months.
## Recommendations
- Immediately review and enforce stronger Multi-Factor Authentication (MFA) policies universally, especially for development repositories like GitHub.
- Implement strict controls and periodic auditing on third-party access (guest users) within code repositories.
- Review cloud security posture, specifically the protection and rotation lifecycle of short-lived credentials such as customer OAuth tokens, and consider stricter scope limitations on those tokens.
- Enhance proactive threat hunting capabilities to detect reconnaissance activities earlier across interconnected application environments.
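The behavioral indicators above (a guest user added to the Salesloft GitHub organization, followed by repository downloads and newly established workflows) and the recommendation to periodically audit third-party access to code repositories can both be turned into a simple detection pass over a GitHub organization audit-log export. The following is an added example, not code from Salesloft, Drift, Mandiant or GitHub. It assumes the JSON-lines shape of a GitHub audit-log export (`@timestamp` in epoch milliseconds, `action`, `actor`, `user`, `repo`) and uses a handful of GitHub audit-log action names; the sample lines are constructed, and the 30-day correlation window is an arbitrary choice.

```python
"""Correlate newly granted GitHub principals with follow-up activity.

Added example (not Salesloft's, Drift's or Mandiant's code). Assumes a
GitHub audit-log export in JSON-lines form; sample data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Audit-log actions that grant a new principal access to org content.
# This is the "guest user added" indicator from the report.
ACCESS_GRANT_ACTIONS = {
    "org.add_outside_collaborator",
    "repo.add_member",
    "org.add_member",
}

# Actions a freshly added principal would not normally perform right away:
# bulk download of repository content and creation of workflow runs are the
# two behaviours the report singles out.
FOLLOW_UP_ACTIONS = {
    "repo.download_zip",
    "workflows.created_workflow_run",
}

# Constructed sample export (assumed field layout; not real data).
# Includes one deliberately malformed line to exercise error handling.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1741000000000, "action": "org.add_outside_collaborator", "actor": "alice", "user": "ext-contractor-7", "repo": "example-org/api-server"}
{"@timestamp": 1741000600000, "action": "repo.download_zip", "actor": "ext-contractor-7", "repo": "example-org/api-server"}
this line is not json and must be skipped
{"@timestamp": 1741001200000, "action": "workflows.created_workflow_run", "actor": "ext-contractor-7", "repo": "example-org/api-server"}
{"@timestamp": 1741087200000, "action": "repo.add_member", "actor": "bob", "user": "carol", "repo": "example-org/docs"}
{"@timestamp": 1741088000000, "action": "org.update_member", "actor": "bob", "user": "carol"}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit export into time-sorted dicts; skip malformed lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a corrupt line must not abort the whole hunt
        rec["ts"] = datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=timezone.utc)
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def find_new_principals(events):
    """Map each newly granted user to the earliest grant event.

    On its own this is the periodic guest-user audit: who was added, by whom, when.
    """
    grants = {}
    for e in events:
        if e["action"] in ACCESS_GRANT_ACTIONS and "user" in e:
            grants.setdefault(e["user"], e)
    return grants


def correlate_post_grant_activity(events, window_days=30):
    """Flag watched actions a principal performs within `window_days` of being granted access."""
    window = timedelta(days=window_days)
    grants = find_new_principals(events)
    findings = []
    for e in events:
        grant = grants.get(e.get("actor"))
        if grant is None or e["action"] not in FOLLOW_UP_ACTIONS:
            continue
        delta = e["ts"] - grant["ts"]
        if timedelta(0) <= delta <= window:
            findings.append({
                "user": e["actor"],
                "granted_by": grant.get("actor"),
                "granted_at": grant["ts"].isoformat(),
                "action": e["action"],
                "repo": e.get("repo"),
                "minutes_after_grant": int(delta.total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate_post_grant_activity(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Running the block on the constructed sample flags `ext-contractor-7` twice (a ZIP download ten minutes after being added as an outside collaborator, then a workflow run ten minutes after that) and does not flag `carol`, whose only subsequent record is a membership update by someone else. The grant-then-act sequencing is the point: either event alone is routine, but the pair within a short window is the shape of activity this report describes.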