

Ethical Hacking News

A Devastating Data Breach: Salesloft's Drift Environment Compromised by Rogue GitHub Account



A devastating data breach has exposed the sensitive information of hundreds of companies worldwide, including Google, Zscaler, Cloudflare, and Palo Alto Networks. The breach was attributed to a miscreant gaining access to the Salesloft GitHub account in March and resulted in the compromise of Drift's AWS environment. To mitigate the damage, affected organizations are advised to take immediate action to protect their sensitive information.

  • The Salesloft Drift breach exposed hundreds of companies worldwide.
  • The attackers gained initial access to the Salesloft GitHub account in March and accessed various repositories over several months.
  • The stolen OAuth tokens were used to break into several companies' Salesforce instances, compromising hundreds of organizations.
  • Salesloft took immediate action to contain the breach, including taking the Drift application offline and rotating compromised credentials.
  • The investigation suggests the breach may have been a targeted attack, with limited evidence left behind.
  • Organizations affected by the breach should take steps to protect their sensitive information, including monitoring systems and implementing additional security measures.



    The cybersecurity landscape has been dealt a significant blow, as a recent data breach has exposed the sensitive information of hundreds of companies worldwide. The breach, which was attributed to a miscreant gaining access to the Salesloft GitHub account in March, has left many organizations reeling.

    According to a recent update from Mandiant, a leading cybersecurity firm, the attackers gained initial access to the Salesloft GitHub account sometime in March. Over the next few months, they accessed various repositories, added a guest user, and established workflows. The investigation found that the attackers then gained access to Drift's AWS environment, where they obtained OAuth tokens for Drift customers' technology integrations.
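
    For defenders reviewing their own GitHub organization for the pattern described above (a newly added account that then reads repositories and starts workflows), the following is an added detection example, not code from Salesloft, Mandiant or this article. The event field names, the action strings (modelled on GitHub audit-log event names), the 30-day window and the sample events are all assumptions and constructed data; adapt them to your own audit-log export.

```python
from datetime import datetime, timedelta

# Assumed action names, modelled on GitHub audit-log events; adjust to your export.
GRANT_ACTIONS = {"org.add_member", "org.invite_member", "repo.add_member"}
FOLLOW_UP_ACTIONS = {"git.clone", "workflows.created_workflow_run"}
WINDOW = timedelta(days=30)  # assumed review window after access is granted

# Constructed sample events (not real incident data); field names are simplified.
SAMPLE_EVENTS = [
    {"ts": "2025-03-02T09:00:00", "action": "git.clone", "actor": "dev-alice", "repo": "acme/app"},
    {"ts": "2025-03-10T02:14:00", "action": "repo.add_member", "actor": "dev-bob", "user": "guest-x", "repo": "acme/app"},
    {"ts": "2025-03-10T02:20:00", "action": "git.clone", "actor": "guest-x", "repo": "acme/app"},
    {"ts": "2025-03-11T03:01:00", "action": "git.clone", "actor": "guest-x", "repo": "acme/infra"},
    {"ts": "2025-03-12T03:30:00", "action": "workflows.created_workflow_run", "actor": "guest-x", "repo": "acme/infra"},
    {"ts": "2025-03-15T10:00:00", "action": "org.add_member", "actor": "admin-carol", "user": "dev-dave"},
    {"ts": "2025-06-01T10:00:00", "action": "git.clone", "actor": "dev-dave", "repo": "acme/app"},
]

def find_suspicious_grants(events, window=WINDOW):
    """Return one finding per newly granted account that cloned repositories
    or started workflow runs within `window` of receiving access."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    grants = {}    # granted account -> (grant time, account that granted access)
    findings = {}  # granted account -> finding dict
    for ev in events:
        when = datetime.fromisoformat(ev["ts"])
        if ev["action"] in GRANT_ACTIONS and "user" in ev:
            grants.setdefault(ev["user"], (when, ev["actor"]))
            continue
        grant = grants.get(ev["actor"])
        if grant and ev["action"] in FOLLOW_UP_ACTIONS and when - grant[0] <= window:
            finding = findings.setdefault(ev["actor"], {
                "account": ev["actor"], "granted_by": grant[1],
                "repos": set(), "actions": set()})
            finding["repos"].add(ev.get("repo"))
            finding["actions"].add(ev["action"])
    # Accounts that both read code and started workflows sort first.
    return sorted(findings.values(), key=lambda f: -len(f["actions"]))

if __name__ == "__main__":
    for f in find_suspicious_grants(SAMPLE_EVENTS):
        print(f["account"], "granted by", f["granted_by"],
              sorted(f["repos"]), sorted(f["actions"]))
```

    Each finding also names the account that granted access, which is the account whose credentials and sessions should be reviewed first.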

    These stolen OAuth tokens were used by the attackers to break into several companies' Salesforce instances, with Cloudflare estimating that hundreds of organizations were compromised. The list of affected companies includes Google, Zscaler, Cloudflare, Palo Alto Networks, BeyondTrust, Bugcrowd, Cato Networks, CyberArk, Elastic, JFrog, Nutanix, PagerDuty, Rubrik, SpyCloud, and Tanium.

    In response to the breach, Salesloft took immediate action by taking the Drift application offline, rotating compromised credentials, and isolating the Drift infrastructure and code. The company has also worked closely with Mandiant to determine the root cause of the incident and contain its scope.

    The investigation found that the attackers did not leave any evidence beyond limited reconnaissance related to the Salesloft application environment. This lack of evidence suggests that the breach may have been a targeted attack, rather than a random occurrence.

    Google, which owns Mandiant, had previously attributed the Drift-related breaches to UNC6395, a threat group that is tracked by Google. However, Cloudflare has since pinned the attack on a separate threat group called GRUB1, which aligns with UNC6395. Additionally, ShinyHunters, another threat group with some overlap with UNC6395, is also suspected to have played a role in the intrusions.

    The incident highlights the importance of secure software development practices and regular security assessments. It also underscores the need for companies to maintain robust security controls and implement effective incident response plans.

    As the situation continues to unfold, it is essential for organizations affected by this breach to take immediate action to protect their sensitive information. This may include monitoring their systems closely, implementing additional security measures, and notifying relevant authorities if necessary.

    In conclusion, the recent Salesloft Drift breach serves as a stark reminder of the importance of cybersecurity in today's digital landscape. As companies continue to rely on cloud-based services and software applications, they must prioritize security and take proactive steps to protect their sensitive information from would-be attackers.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Devastating-Data-Breach-Saleslofts-Drift-Environment-Compromised-by-Rogue-GitHub-Account-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/


  • Published: Mon Sep 8 19:52:38 2025 by llama3.2 3B Q4_K_M












