At least a dozen major cybersecurity vendors, including Tenable, Proofpoint, and CyberArk, have confirmed exposure in the latest high-impact supply chain breach originating from a compromise of Salesloft’s GitHub account earlier this year. The campaign, which remained undetected for months, allowed threat actors to gain access to OAuth tokens used by Drift, a Salesloft-owned chatbot platform integrated with Salesforce.
The attackers leveraged stolen tokens to gain access to Salesforce instances at multiple organizations, extracting sensitive customer metadata, case information, and potentially authentication credentials. The breach is being tied to a hacking group tracked by Google’s Mandiant division as UNC6395—with some reports attributing the activity to the infamous ShinyHunters.
Timeline of the Breach
- March 2025: Threat actors gain access to Salesloft’s GitHub repositories.
- March–June 2025: The attackers perform reconnaissance, plant backdoors, and extract Drift OAuth tokens.
- August 8–18, 2025: OAuth tokens are used to access Salesforce data at customer organizations.
- August 26, 2025: Google’s Threat Intelligence Group publicly discloses the campaign.
- September 5–8, 2025: Major vendors confirm breaches via public advisories.
What Happened?
According to a disclosure by Salesloft, attackers accessed their GitHub account and established rogue workflows that enabled lateral access to Amazon Web Services (AWS) and the Drift application. From there, attackers extracted valid OAuth tokens tied to Drift’s integrations with Salesforce.
Drift is widely used across enterprise environments for automating sales and support communications. Its integration with Salesforce grants programmatic access to sensitive case data, user metadata, and contact information.
Salesloft says that the attack path is now contained, but damage to customer trust may continue to ripple for months.
Who Was Impacted?
At the time of writing, the following cybersecurity vendors have disclosed breaches related to the Drift-Salesloft campaign:
🔸 Proofpoint
- Disclosure Date: September 5, 2025
- Impacted Data: Names, business email addresses tied to Salesforce case objects
- Severity: Limited, no access to message content or attachments
- Status: No internal infrastructure compromised
“An unauthorized actor accessed our Salesforce tenant through the compromised Drift integration,” the company said.
— Proofpoint official statement
🔸 Tenable
- Disclosure Date: September 6, 2025
- Impacted Data: Contact details, case subject lines, and case summaries
- Severity: No compromise of Tenable platforms or product data
- Action Taken: Drift integration disabled, affected tokens revoked
🔸 CyberArk
- Disclosure Date: September 6, 2025
- Impacted Data: Business contact metadata and summary fields
- Severity: Products and services unaffected
- Ongoing: Internal forensics continue, customers being notified
Additional organizations named in relation to this campaign (either by press reports or Google’s disclosure) include:
- Palo Alto Networks
- Cloudflare
- Zscaler
- Rubrik
- BeyondTrust
- Cato Networks
- Bugcrowd
- Google itself
Some of these companies have not publicly confirmed exposure but are believed to have been affected through Salesforce integrations.
The Attack Vector: OAuth Token Abuse
The breach is a textbook example of supply chain risk magnified by token-based trust.
OAuth tokens are widely used to authenticate third-party applications like Drift with platforms like Salesforce. Because a token is a bearer credential that works independently of the user's password, a token that is not properly rotated or scoped can grant persistent, invisible access to data—even if passwords are changed or 2FA is enforced.
“OAuth is both a blessing and a curse. It enables seamless integrations but opens dangerous blind spots when security hygiene is poor,” says a CISO at a Fortune 100 bank, speaking on background.
Google recommends treating all OAuth tokens linked to Drift as compromised.
Attribution: Who’s Behind It?
Google’s Threat Intelligence Group has attributed the attack to UNC6395, a group it assesses with medium confidence to be part of a larger criminal or nation-state syndicate.
Separately, cybercrime reporting site DataBreaches.net and Bleeping Computer have cited sources linking the breach to ShinyHunters, a prolific data extortion group known for leaking troves of stolen credentials and PII on Telegram and hacking forums.
The motive appears to be twofold:
- Credential theft (AWS keys, admin credentials)
- Data extortion (via direct outreach to victim companies)
Security and Legal Fallout
The breach has ignited fresh scrutiny over how vendors secure third-party integrations and token workflows—especially those involving sensitive customer data.
Salesloft’s delayed response has drawn criticism across the industry. Although the intrusion began in March 2025, it wasn’t publicly disclosed until late August, and many impacted organizations only found out days later.
Legal experts suggest that multiple class-action lawsuits may emerge, particularly in the U.S. and EU, where data privacy regulations such as GDPR and CCPA impose strict breach notification timelines.
Industry Reaction
Several vendors have begun auditing and disabling unused OAuth applications across their Salesforce instances. Others are implementing new IP restrictions and scoping rules.
Okta, which was also targeted, reported that IP-based access control blocked the attack before Drift could access Salesforce.
“This incident shows how prior hardening can pay off. After our 2022 breach, we limited all third-party app access by IP, which protected us here.”
— Okta CISO, Sept 5, 2025
Recommendations for CISOs
CISOnode recommends the following best practices to reduce risk from similar token-based attacks:
Audit All OAuth Applications
- Check which apps are granted access to core systems (Salesforce, Google Workspace, M365).
- Remove or disable unused apps.
Implement IP Whitelisting for APIs
- Limit token use to specific IP ranges where possible.
- Monitor token usage via security tooling (SIEM, API gateway, XDR).
Rotate and Scope Tokens Regularly
- Minimize access scopes (read-only, time-limited, per-user).
- Force token expiration for stale integrations.
Conduct a Drift- and Salesloft-Specific Review
- Treat any access via Drift since March 2025 as suspect.
- Rotate secrets and credentials exposed in Salesforce support tickets.
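The checks above (IP restriction, token rotation, minimal scopes, and treating Drift access since March 2025 as suspect) can be run over integration access logs. The script below is an added example, not CISOnode's, Salesloft's or any vendor's tooling; the log field names, IP ranges, rotation window and scope sets are constructed assumptions, not a real vendor schema.

```python
"""Review connected-app token activity against the hardening steps above."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample records, one CRM API call each (not real vendor logs).
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T09:15:00Z", "app": "Drift", "src_ip": "203.0.113.10",
     "token_issued": "2025-01-05T00:00:00Z", "scope": "api refresh_token"},
    {"ts": "2025-08-09T03:42:11Z", "app": "Drift", "src_ip": "198.51.100.77",
     "token_issued": "2025-01-05T00:00:00Z", "scope": "api refresh_token"},
    {"ts": "2025-08-12T14:02:00Z", "app": "InternalReporting", "src_ip": "203.0.113.22",
     "token_issued": "2025-08-01T00:00:00Z", "scope": "api"},
]

# Assumed policy values: per-app source allowlist, minimal scope set, rotation window.
ALLOWED_SOURCES = {
    "Drift": [ipaddress.ip_network("203.0.113.0/24")],
    "InternalReporting": [ipaddress.ip_network("203.0.113.0/24")],
}
MINIMAL_SCOPES = {"Drift": {"api"}, "InternalReporting": {"api"}}
MAX_TOKEN_AGE = timedelta(days=90)
# Any Drift activity on or after the start of the campaign is treated as suspect.
SUSPECT_FROM = datetime(2025, 3, 1, tzinfo=timezone.utc)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_event(event):
    """Return the list of findings for one event; an empty list means clean."""
    findings = []
    when = _parse(event["ts"])
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in ALLOWED_SOURCES.get(event["app"], [])):
        findings.append("source_ip_not_allowlisted")
    if when - _parse(event["token_issued"]) > MAX_TOKEN_AGE:
        findings.append("token_past_rotation_window")
    if event["app"] == "Drift" and when >= SUSPECT_FROM:
        findings.append("drift_access_in_suspect_window")
    # Unknown apps have no approved scopes, so every scope they present is flagged.
    if set(event["scope"].split()) - MINIMAL_SCOPES.get(event["app"], set()):
        findings.append("scope_beyond_minimum")
    return findings


def review_log(events):
    """Map event index to findings for every event that needs review."""
    flagged = {}
    for i, event in enumerate(events):
        findings = review_event(event)
        if findings:
            flagged[i] = findings
    return flagged
```

Only the second constructed record trips the IP, token-age and suspect-window checks at once; the first trips only the scope check, showing that an over-scoped token is worth revoking even when its use looks otherwise normal.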
What’s Next?
Salesloft says it is reviewing its CI/CD pipeline security, GitHub integration practices, and token lifecycle management. The company confirmed that it has hired a third-party forensic firm to audit its cloud infrastructure and intends to implement tighter audit trails going forward.
Meanwhile, U.S. regulators are expected to initiate inquiries into whether Salesloft followed industry best practices and notified customers appropriately.
CISOnode will continue to track fallout from the breach, especially as more vendors assess the true scope of exposure in their Salesforce environments.
References:
https://www.tenable.com/blog/tenable-response-to-salesforce-and-salesloft-drift-incident
https://www.proofpoint.com/us/blog/corporate-news/salesloft-drift-supply-chain-incident-response