The hacker spent months performing reconnaissance activities on both Salesloft application environments as well as those for Drift, an AI chatbot company that Salesloft acquired last year.
# Incident Report: Salesloft/Drift Supply Chain Compromise via GitHub
## Executive Summary
A threat actor compromised a Salesloft GitHub account in March 2025, leading to substantial unauthorized access and data exfiltration spanning several months. The breach leveraged the compromised GitHub access to target the infrastructure of Drift (recently acquired by Salesloft), specifically accessing and stealing OAuth authentication tokens for customer technology integrations, potentially impacting dozens of large organizations across sectors. Salesloft contained the incident by isolating Drift infrastructure and resetting credentials, but the long dwell time allowed comprehensive reconnaissance and data theft.
## Incident Details
- Discovery Date: Prior to the public announcement in early September 2025 (the investigation has since transitioned to a forensic quality assurance review).
- Incident Date: March 2025 (When initial breach occurred).
- Affected Organization: Salesloft (Impact extended to customers of Salesloft and its subsidiary, Drift).
- Sector: Technology/Software as a Service (SaaS)
- Geography: Not specified, but impacts global customers.
## Timeline of Events
### Initial Access
- Date/Time: March 2025
- Vector: Compromised Salesloft GitHub account.
- Details: Threat actor gained access to a Salesloft GitHub account, allowing them to download content from multiple repositories, add a guest user, and establish workflows.
### Lateral Movement
- Date/Time: March to June 2025 (Dwell Time)
- Details: The threat actor used the GitHub access to perform reconnaissance activities on both Salesloft application environments and the infrastructure of Drift (Salesloft subsidiary). This access extended to Drift’s AWS environment.
### Data Exfiltration/Impact
- Date/Time: March to June 2025
- Details: The attacker stole authentication tokens for customer technology integrations linked to the Drift tool (which integrates with Salesforce). This enabled access to customer data, primarily related to support tickets, customer business contact details (names, emails, phone numbers, location), and potentially sensitive information shared in support contexts (logs, tokens, passwords).
### Detection & Response
- Date/Time: Discovery occurred prior to early September 2025.
- Details: Incident responders at Mandiant conducted an investigation. Response actions included isolating Drift’s infrastructure, taking it offline temporarily, and changing the stolen credentials. The connection between the Salesloft platform and Salesforce was temporarily severed and later restored.
## Attack Methodology
- Initial Access: Compromised GitHub account credentials/session.
- Persistence: Adding a guest user and establishing workflows within the compromised GitHub environment allowed prolonged access and automation.
- Privilege Escalation: Not explicitly detailed, but accessing the Drift AWS environment suggests elevated permissions or leveraging integration permissions.
- Defense Evasion: Long dwell time (March to June) suggests the activity went largely unnoticed pending external investigation.
- Credential Access: Theft of OAuth authentication tokens for customer technology integrations.
- Discovery: Extensive reconnaissance activities targeting both Salesloft and Drift application environments.
- Lateral Movement: Movement leveraged access granted through the compromised GitHub account to reach the Drift AWS environment and subsequently access customer integration tokens.
- Collection: Gathering business contact details and support ticket information.
- Exfiltration: Implied by the theft of integration tokens and subsequent data access.
- Impact: Unauthorized access to customer data via stolen integration tokens.
## Impact Assessment
- Financial: Not disclosed, but significant costs associated with incident response (Mandiant engagement) and customer notification.
- Data Breach: Customer records including business contact details and support ticket data. Some victims confirmed exposure of highly sensitive PII/SI numbers (e.g., Wealthsimple customers). At least 700 victims are known to have been affected via stolen Salesforce Salesloft Drift OAuth tokens.
- Operational: Initial severance of the Drift/Salesforce integration caused operational disruption.
- Reputational: Significant reputational damage given the large, high-profile customer base affected (e.g., Cloudflare, Zscaler, Palo Alto Networks).
## Indicators of Compromise
- Network indicators: Not explicitly listed.
- File indicators: Not explicitly listed.
- Behavioral indicators: Addition of a guest user to a GitHub organization; establishment of new workflows within GitHub; access to Drift AWS environment; use of stolen OAuth tokens for customer integration access.
## Response Actions
- Containment measures:
  - Isolating Drift’s infrastructure.
  - Temporarily taking Drift infrastructure offline.
  - Changing the stolen credentials/tokens.
  - Initially severing the connection between Salesloft and Salesforce.
- Eradication steps: Implied through the credential changes and infrastructure isolation above.
- Recovery actions: Restoring the integration between the Salesloft platform and Salesforce following investigation milestones.
## Lessons Learned
- **Supply Chain Risk:** The compromise of a third-party vendor (Salesloft/Drift) effectively served as a supply chain attack vector against dozens of downstream clients.
- **Non-Human Identity Security:** The incident highlights a critical blind spot in securing non-human identities, specifically API tokens and service accounts (OAuth tokens), which were used as the primary target for data access.
- **Dwell Time:** The attacker maintained access for approximately three months (March to June), indicating significant gaps in perimeter and anomaly detection necessary to spot internal account misuse or infrastructure reconnaissance.
## Recommendations
- Implement rigorous Multi-Factor Authentication (MFA) across all developer platforms (e.g., GitHub).
- Immediately inventory and establish strict governance policies for all Non-Human Identities (API keys, service accounts, OAuth tokens), including automated rotation policies.
- Conduct comprehensive security reviews of recently acquired subsidiaries (like Drift) and their integration points immediately following acquisition.
- Increase monitoring sensitivity for unusual activity tied to developer accounts or integration service permissions, particularly file downloads or new user creation via developer interfaces.
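The behavioral indicators listed above (guest user added, new workflows established, bulk repository downloads) map directly onto events an organization audit log records. The following is an added example, not part of the original report, of a small detector run over constructed newline-delimited JSON audit events; the event field names and action strings are assumptions modeled on GitHub's organization audit log and should be checked against current documentation before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: action names modeled on GitHub's organization audit log schema.
HIGH_SIGNAL_ACTIONS = {
    "org.add_member": "new member added to organization",
    "repo.add_member": "collaborator added to repository",
    "workflows.created_workflow_run": "new Actions workflow run created",
}
BULK_DOWNLOAD_ACTION = "repo.download_zip"   # source archive downloaded
BULK_THRESHOLD = 3                            # distinct repos per actor ...
BULK_WINDOW = timedelta(hours=1)              # ... within this window

# Constructed sample events (not real data); org and user names are placeholders.
SAMPLE_AUDIT_LOG = [
    '{"created_at":"2025-03-12T02:14:05Z","action":"repo.download_zip","actor":"dev-alice","repo":"example-org/svc-a"}',
    '{"created_at":"2025-03-12T02:15:40Z","action":"repo.download_zip","actor":"dev-alice","repo":"example-org/svc-b"}',
    '{"created_at":"2025-03-12T02:16:02Z","action":"repo.download_zip","actor":"dev-alice","repo":"example-org/svc-c"}',
    '{"created_at":"2025-03-12T02:30:11Z","action":"org.add_member","actor":"dev-alice","user":"contractor-x"}',
    '{"created_at":"2025-03-13T09:00:00Z","action":"workflows.created_workflow_run","actor":"dev-alice","repo":"example-org/svc-a"}',
    '{"created_at":"2025-03-13T10:12:00Z","action":"repo.download_zip","actor":"dev-bob","repo":"example-org/svc-a"}',
]

def detect(lines):
    """Return a list of (actor, reason) findings from JSON audit log lines."""
    findings = []
    downloads = defaultdict(list)   # actor -> [(timestamp, repo), ...]
    bulk_flagged = set()            # actors already reported for bulk download
    for line in lines:
        ev = json.loads(line)
        actor, action = ev["actor"], ev["action"]
        ts = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
        if action in HIGH_SIGNAL_ACTIONS:
            target = ev.get("repo") or ev.get("user")
            findings.append((actor, f"{HIGH_SIGNAL_ACTIONS[action]} ({target})"))
        elif action == BULK_DOWNLOAD_ACTION:
            downloads[actor].append((ts, ev["repo"]))
            # Distinct repositories archived by this actor inside the window.
            recent = {r for t, r in downloads[actor] if ts - t <= BULK_WINDOW}
            if len(recent) >= BULK_THRESHOLD and actor not in bulk_flagged:
                bulk_flagged.add(actor)
                findings.append((actor, f"bulk archive download: {len(recent)} repos within {BULK_WINDOW}"))
    return findings

if __name__ == "__main__":
    for actor, reason in detect(SAMPLE_AUDIT_LOG):
        print(f"ALERT {actor}: {reason}")
```

In a real deployment the threshold and window would be tuned against the organization's normal developer activity, and findings would be correlated with the account's MFA status and recent sign-in locations.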