Full Report
The company said a threat actor accessed and snooped around its account for months, then stole OAuth tokens for Drift integrations from its cloud environment. The post Salesloft Drift security incident started with undetected GitHub access appeared first on CyberScoop.
Analysis Summary
# Incident Report: Salesloft Drift Supply-Chain Compromise via Undetected GitHub Access
## Executive Summary
A threat actor (tracked as UNC6395) gained persistent, undetected access to Salesloft's GitHub account as early as March, leading to a widespread supply-chain compromise involving the integrated Drift application. Attackers lurked within the environment before gaining access to Drift's AWS environment, stealing OAuth tokens used to access and exfiltrate data from hundreds of downstream organizations integrating with Drift. Salesloft has taken significant steps to contain the incident, including taking Drift offline, but full transparency regarding the initial access vector and token acquisition method remains pending investigation by Mandiant.
## Incident Details
- **Discovery Date:** "Last month" (relative to September 8, 2025 update). Initial access was far earlier.
- **Incident Date:** Initial unauthorized access as far back as March (2025). Significant compromise activity occurred over a 10-day period in mid-August.
- **Affected Organization:** Salesloft (impacting customers using the integrated **Drift** application).
- **Sector:** Software/SaaS (Supply Chain attack vector).
- **Geography:** Undisclosed, but impacting hundreds of organizations globally.
## Timeline of Events
### Initial Access
- **Date/Time:** As early as March (2025).
- **Vector:** Compromise of the Salesloft GitHub account.
- **Details:** The method used to compromise GitHub was not disclosed by Salesloft.
### Lateral Movement
- **Date/Time:** Over a "monthslong period through June."
- **Details:** The threat group accessed and snooped around the Salesloft application environment, downloaded content from multiple repositories, added a guest user, and set up access workflows. Indicators suggest movement from GitHub to the Drift AWS environment was achieved.
### Data Exfiltration/Impact
- **Date/Time:** Significant activity during a 10-day period in mid-August.
- **Details:** Threat actor accessed Drift’s Amazon Web Services (AWS) environment and stole OAuth tokens for Drift customers’ technology integrations. These stolen tokens were used to access and steal data via Drift integrations across hundreds of organizations.
### Detection & Response
- **How it was discovered:** First alerted by Google security researchers regarding a widespread data theft campaign.
- **Response actions taken:** Salesloft took Drift offline temporarily on Friday to secure the application/infrastructure. They rotated all centrally managed keys for associated OAuth users.
## Attack Methodology
- **Initial Access:** Compromise of Salesloft's GitHub account (exact method unknown).
- **Persistence:** Threat actor maintained presence over several months, adding a guest user and setting up workflows within the Salesloft application environment.
- **Privilege Escalation:** Not explicitly detailed, but access to specific repositories and the ability to reach the Drift AWS environment implies escalating privileges or exploiting existing tokens/permissions.
- **Defense Evasion:** The initial access and subsequent activities spanning months went undetected until external notification.
- **Credential Access:** Stole OAuth tokens for Drift integrations from the Drift AWS environment.
- **Discovery:** Threat actor snooped around the Salesloft application environment and downloaded content from multiple repositories.
- **Lateral Movement:** Movement from the compromised Salesloft environment to the Drift AWS cloud environment.
- **Collection:** Downloaded content from multiple repositories; stole customer integration OAuth tokens.
- **Exfiltration:** Used stolen OAuth tokens to access and steal data via customer integrations.
- **Impact:** Supply-chain compromise affecting hundreds of downstream customers integrated with Drift.
## Impact Assessment
- **Financial:** Not disclosed, but significant costs related to incident response (Mandiant engagement) and business disruption.
- **Data Breach:** Data stolen via customer integration access mechanisms (OAuth tokens). Scope impacted "hundreds of organizations." Affected types of data are not fully specified but likely include data accessible through the integration pathways.
- **Operational:** Salesloft took the Drift application offline temporarily; the separate Salesloft platform was confirmed uncompromised, and its Salesforce connections were later restored. Uncertainty remains regarding when Drift will be fully restored.
- **Reputational:** Significant reputational damage to the Drift product, with analysts suggesting a potential product rename may be necessary. Initial miscommunication regarding the scope also damaged trust.
## Indicators of Compromise
*(Note: Specific indicators were not provided in the text, only high-level attack details.)*
- **Network indicators:** Not specified.
- **File indicators:** Not specified.
- **Behavioral indicators:** Addition of a guest user in the Salesloft environment; configuration of new workflows over several months.
## Response Actions
- **Containment:** Took the Drift application offline temporarily to fortify security. Isolated the Drift environment and rotated centrally managed keys for OAuth users.
- **Eradication:** Rotating centrally managed keys and credentials was the principal eradication step.
- **Recovery:** The Salesloft platform (separate from Drift) was confirmed uncompromised and restored connections with Salesforce. Restoration timeline for Drift is unknown. Customers were instructed to revoke existing API keys directly with third-party providers where applicable.
## Lessons Learned
- Insufficient detection and access controls allowed a threat actor to maintain persistence in the GitHub and application environment for months without detection.
- Failure to adequately secure highly sensitive credentials (OAuth tokens) within the AWS cloud environment represented a critical security lapse.
- Initial communication regarding the scope of the breach was misleading, harming stakeholder trust.
## Recommendations
- Immediately conduct a comprehensive forensic audit of all third-party and SaaS development platforms (like GitHub) used for code and configuration management to ensure robust multi-factor authentication and monitoring.
- Review and drastically limit the permissions associated with stored OAuth tokens in cloud environments; tokens should be stored in secure vaults, not left accessible in cloud storage utilized by applications.
- Develop and enforce clearer, more transparent communication protocols for disclosing supply-chain incidents, even when primary details are pending forensic confirmation.
- Re-architect the Drift application/infrastructure security posture, as suggested by analysts, given the profound breach of trust associated with the product.
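The behavioral indicators listed above (a guest user added, new workflows configured over months, content downloaded from multiple repositories) and the first recommendation (monitoring of code-hosting platforms such as GitHub) can be turned into concrete detection logic. The following Python example is added here and is not code from the CyberScoop article, Salesloft, or GitHub: it runs four rules over constructed, GitHub-style audit-log lines. The log lines, organization and repository names, the `action` and field names, and the thresholds are all assumptions loosely modelled on GitHub's audit-log JSON, not the real schema.

```python
"""Flag the behavioural indicators named in the incident report over
constructed, GitHub-style audit-log lines.

Assumptions: one JSON object per line with "ts", "action", "actor",
"user", "repo" and "role" keys; action names are modelled on GitHub's
audit log but are not guaranteed to match the real product."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit-log lines (not real Salesloft or Drift data).
SAMPLE_LOG = """\
{"ts": "2025-03-04T02:11:09Z", "action": "org.invite_member", "actor": "ops-admin", "user": "ext-contractor-77", "repo": null, "role": "guest"}
{"ts": "2025-03-04T02:12:40Z", "action": "org.add_member", "actor": "ops-admin", "user": "ext-contractor-77", "repo": null, "role": "guest"}
{"ts": "2025-03-05T01:30:00Z", "action": "repo.download_zip", "actor": "ext-contractor-77", "user": null, "repo": "example-org/billing-api", "role": null}
{"ts": "2025-03-05T01:31:12Z", "action": "repo.download_zip", "actor": "ext-contractor-77", "user": null, "repo": "example-org/chat-sync", "role": null}
{"ts": "2025-03-05T01:33:48Z", "action": "repo.download_zip", "actor": "ext-contractor-77", "user": null, "repo": "example-org/infra-terraform", "role": null}
{"ts": "2025-04-19T03:02:27Z", "action": "workflows.create_workflow", "actor": "ext-contractor-77", "user": null, "repo": "example-org/chat-sync", "role": null}
{"ts": "2025-04-20T10:15:00Z", "action": "repo.download_zip", "actor": "dev-alice", "user": null, "repo": "example-org/billing-api", "role": null}
{"ts": "2025-06-28T04:45:51Z", "action": "workflows.create_workflow", "actor": "ext-contractor-77", "user": null, "repo": "example-org/infra-terraform", "role": null}
"""

GUEST_ACTIONS = {"org.add_member", "repo.add_member"}      # assumed action names
WORKFLOW_ACTIONS = {"workflows.create_workflow"}
DOWNLOAD_ACTIONS = {"repo.download_zip"}
BULK_THRESHOLD = 3            # distinct repos downloaded by one actor in a window
BULK_WINDOW_SECONDS = 3600    # one-hour window for the bulk-download rule
DWELL_DAYS = 30               # activity span beyond which an actor counts as persistent


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, subject, detail) tuples for the four indicator rules."""
    findings = []
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
        # Rule 1: a guest (outside) user added to the organization or a repo.
        if e["action"] in GUEST_ACTIONS and e.get("role") == "guest":
            findings.append(("guest_user_added", e["user"], e["ts"]))
        # Rule 2: a new Actions workflow created (persistence / access workflow).
        if e["action"] in WORKFLOW_ACTIONS:
            findings.append(("workflow_created", e["actor"], e["repo"]))
    for actor, evs in by_actor.items():
        # Rule 3: many distinct repositories downloaded by one actor in a short window.
        downloads = [x for x in evs if x["action"] in DOWNLOAD_ACTIONS]
        for i, start in enumerate(downloads):
            window = [x for x in downloads[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= BULK_WINDOW_SECONDS]
            repos = {x["repo"] for x in window}
            if len(repos) >= BULK_THRESHOLD:
                findings.append(("bulk_repo_download", actor, tuple(sorted(repos))))
                break
        # Rule 4: an actor whose first and last events are far apart (long dwell time).
        span_days = (evs[-1]["ts"] - evs[0]["ts"]).days
        if span_days >= DWELL_DAYS:
            findings.append(("long_dwell", actor, span_days))
    return findings


def run(text=SAMPLE_LOG):
    return detect(parse_events(text))


if __name__ == "__main__":
    for rule, subject, detail in run():
        print(f"{rule:20} {subject:20} {detail}")
```

On the constructed sample the guest-user rule fires once (on `org.add_member`, not on the preceding invitation), the workflow rule fires twice, the bulk-download rule fires once for the three repositories pulled within a few minutes, and the dwell-time rule fires for the same actor because its activity spans March to June. The ordinary developer `dev-alice` produces no finding. In a real deployment the thresholds would be tuned per organization and the rules fed from the platform's audit-log export rather than an embedded string.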