A major security failure at Salesloft has resulted in a widespread supply chain attack. The company confirmed that a breach of its GitHub account in March allowed unauthorized actors to steal authentication tokens, which were subsequently weaponized to infiltrate high-profile Big Tech clients.
Months of Undetected Intrusion
According to an investigation by Google’s Mandiant incident response unit, hackers gained access to Salesloft’s GitHub environment and maintained a presence from March through June. During this window, the attackers performed reconnaissance, downloaded content from multiple repositories, added a malicious guest user, and established persistent workflows.
The six-month delay between the initial intrusion and its detection has sparked significant scrutiny regarding Salesloft’s internal security posture. While the company claims the incident is now “contained,” the long-term impact on its customer base remains a critical concern.
The Drift Connection and OAuth Exploitation
The breach escalated when the intruders leveraged the compromised GitHub account to access the Amazon Web Services (AWS) environment of Drift, a chatbot-powered marketing platform owned by Salesloft. This access enabled the theft of OAuth tokens belonging to Drift customers.
Because these tokens were valid, the attackers could query sensitive Salesforce instances as if they were the legitimate Drift integration, without having to authenticate as a user. The primary objective, as identified by Salesloft, was the exfiltration of credentials stored in that data, including AWS access keys, passwords, and Snowflake-related tokens.
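As an added, defender-side example (not code from the article, Salesloft, or Mandiant): a Python triage scanner that checks the free-text fields of an exported CRM record set for the credential types the article names, so that any exposed keys can be identified and rotated. The record layout, the sample values, and the password-assignment heuristic are assumptions; the AWS access key ID format and the Snowflake host suffix are documented formats.

```python
import re
from typing import Dict, List

# Patterns for the credential types named in the article. The AWS access key ID
# format (AKIA/ASIA prefix, 20 characters) and the snowflakecomputing.com host
# suffix are documented; the password-assignment heuristic is an assumption.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(
        r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\bpass(?:word|wd)?\s*[:=]\s*(\S{6,})", re.I),
}

def redact(value: str) -> str:
    """Keep a short prefix so a finding is identifiable without re-exposing the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)

def find_exposed_secrets(records: List[Dict[str, str]],
                         text_fields=("Subject", "Description")) -> List[Dict[str, str]]:
    """Scan free-text fields of exported records and return redacted findings."""
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append({"record": rec["Id"], "field": field,
                                     "kind": kind, "value": redact(secret)})
    return findings

# Constructed sample records resembling a support-case export; all values are fabricated.
SAMPLE_RECORDS = [
    {"Id": "500ZZ0000000001", "Subject": "Pipeline failing",
     "Description": "Our loader uses AKIAEXAMPLE123456789 and password=Tr0ub4dor&3 to reach S3."},
    {"Id": "500ZZ0000000002", "Subject": "Snowflake connector",
     "Description": "Warehouse lives at acme-eu1.eu-west-1.snowflakecomputing.com, works fine."},
    {"Id": "500ZZ0000000003", "Subject": "Login page copy",
     "Description": "The form label says 'Password:' but nothing is filled in."},
]

def secrets_by_kind(records=SAMPLE_RECORDS) -> Dict[str, int]:
    """Summarise how many secrets of each kind were found, for a rotation checklist."""
    counts: Dict[str, int] = {}
    for f in find_exposed_secrets(records):
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_RECORDS):
        print(finding)
```

Findings are redacted on purpose: the output is a rotation checklist, not a second copy of the secrets.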
Impact on Global Enterprises
The scope of the attack is extensive, affecting numerous high-profile organizations. Confirmed victims include:
- Bugcrowd
- Cloudflare
- Proofpoint
- Palo Alto Networks
- Tenable
The list of impacted entities continues to grow, with many victims likely still unidentified. Google’s Threat Intelligence Group, which formally disclosed the breach in late August, attributes the operation to the threat actor group UNC6395.
Attribution and Extortion Tactics
Cybersecurity researchers at DataBreaches.net and Bleeping Computer have linked the campaign to the prolific hacking collective known as ShinyHunters. Reports indicate the group is actively attempting to extort victimized organizations through private communications.
Salesloft confirmed on Sunday that its integration with Salesforce has been restored, though the incident serves as a stark reminder of the vulnerabilities inherent in interconnected enterprise software ecosystems.
