Salesloft has confirmed that a recent data breach affecting its Drift application began with the compromise of its GitHub account.
According to an investigation by Mandiant, a threat actor tracked as UNC6395 had access to the Salesloft GitHub account from March to June 2025. During this time, the attacker downloaded content from multiple repositories, added a guest user, and established malicious workflows.
The investigation also found that the attackers conducted reconnaissance on the Salesloft and Drift application environments. They then gained access to Drift's Amazon Web Services (AWS) environment, where they stole OAuth tokens for customer integrations. These stolen tokens were used to access data from 22 confirmed impacted companies.
In response, Salesloft has taken the Drift application offline and isolated its infrastructure. The company has also rotated credentials and implemented improved security controls between the Salesloft and Drift applications.
As a precaution, the company recommends that all customers with third-party applications integrated with Drift via API key should proactively revoke their keys. Salesforce temporarily disabled its integration with Salesloft but has since restored it for all applications except for Drift, which will remain offline.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
