Ethical Hacking News
Hackers breached Salesloft’s GitHub in March 2025, using stolen tokens to launch a mass attack against several major tech customers. The breach has had significant implications for affected companies, including Salesforce, and highlights the need for improved cybersecurity measures.
Salesloft suffered a data breach in March 2025 after hackers breached its GitHub account. The attackers used stolen OAuth tokens to access Drift's AWS environment and gather sensitive information. Drift was taken offline on September 5, 2025, with Salesloft rotating credentials and adding stronger segmentation between the two platforms. Salesforce temporarily suspended integrations with Salesloft due to security concerns. The breach highlights the need for improved cybersecurity measures, including regular monitoring, patching, and segmentation.
Salesloft, a prominent sales automation platform, recently suffered a significant breach of its GitHub account. This breach, which occurred in March 2025, was perpetrated by a group of hackers known as UNC6395. The attackers used stolen authentication tokens to launch a massive attack against several major tech customers, including Google, Zscaler, Cloudflare, and Palo Alto Networks.
In this article, we will delve into the details of this complex cyberattack, exploring the methods used by the hackers, the impact on affected companies, and the response from Salesloft. We will also examine the implications of this breach for the broader cybersecurity community and the measures that can be taken to prevent similar incidents in the future.
The attack began when UNC6395 breached Salesloft's GitHub account between March and June 2025. The hackers accessed various repositories, added a guest user, and established workflows. Over the same period, they also performed reconnaissance in both the Salesloft and Drift application environments. This extensive access allowed them to gather sensitive information and potentially exploit vulnerabilities in these systems.
The hackers then used the stolen OAuth tokens to access data via Drift integrations. These tokens were obtained from Drift's AWS environment, which is tied to the Drift platform. The attackers used this access to steal sensitive information and conduct further reconnaissance.
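The GitHub-side activity described above (a guest user added, workflows established, repositories accessed) is the kind of activity an organization's audit log records. The following is an added example, not code from the article, Salesloft or GitHub: it reviews an exported audit log for the March to June 2025 window, assuming JSON-lines records with `@timestamp`, `action`, `actor`, `user` and `repo` fields and the action names listed in the code; the account and repository names are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumed GitHub audit-log action names; confirm against your own export.
MEMBERSHIP = {"org.add_member", "org.invite_member", "repo.add_member"}
WORKFLOW = {"workflows.created_workflow_run"}
CLONE = {"git.clone"}
UTC = timezone.utc
START, END = datetime(2025, 3, 1, tzinfo=UTC), datetime(2025, 7, 1, tzinfo=UTC)

def review(lines, known_actors, start=START, end=END, clone_threshold=3):
    """Return findings for audit-log JSON lines with start <= time < end."""
    findings, cloned = [], defaultdict(set)
    for raw in lines:
        try:
            ev = json.loads(raw)
            ts = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=UTC)
            action, actor = ev["action"], ev["actor"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the review
        if not start <= ts < end:
            continue
        day = ts.date().isoformat()
        if action in MEMBERSHIP:
            # Report every membership change: a known actor may be compromised.
            findings.append(("membership", actor, ev.get("user"), day))
        elif action in WORKFLOW and actor not in known_actors:
            findings.append(("workflow", actor, ev.get("repo"), day))
        elif action in CLONE and actor not in known_actors:
            cloned[actor].add(ev.get("repo"))
    for actor, repos in sorted(cloned.items()):
        if len(repos) >= clone_threshold:  # one unknown actor, many repos
            findings.append(("bulk-clone", actor, len(repos), None))
    return findings

def _ms(y, m, d):
    return int(datetime(y, m, d, tzinfo=UTC).timestamp() * 1000)
# Constructed sample records (not real data); the last line is malformed.
SAMPLE = [json.dumps(e) for e in [
    {"@timestamp": _ms(2025, 3, 15), "action": "org.add_member", "actor": "dev-alice", "user": "guest-x"},
    {"@timestamp": _ms(2025, 4, 2), "action": "workflows.created_workflow_run", "actor": "guest-x", "repo": "example/app"},
    {"@timestamp": _ms(2025, 4, 3), "action": "git.clone", "actor": "guest-x", "repo": "example/app"},
    {"@timestamp": _ms(2025, 4, 3), "action": "git.clone", "actor": "guest-x", "repo": "example/infra"},
    {"@timestamp": _ms(2025, 4, 4), "action": "git.clone", "actor": "guest-x", "repo": "example/docs"},
    {"@timestamp": _ms(2025, 7, 10), "action": "org.add_member", "actor": "dev-alice", "user": "dev-bob"},
]] + ["not json"]
if __name__ == "__main__":
    for finding in review(SAMPLE, {"dev-alice"}): print(finding)
```

The July record falls outside the window and is ignored, while the membership change is reported even though the actor is on the known list.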
Salesloft has taken steps to contain the breach, isolating Drift's infrastructure, app, and code, and taking it offline on September 5, 2025. They have also rotated credentials, added stronger segmentation between Salesloft and Drift, and advised customers to revoke all Drift API keys.
However, despite these efforts, the breach has had a significant impact on affected companies. Salesforce has temporarily suspended integrations with Salesloft due to security concerns.
The incident raises important questions about the vulnerability of major tech companies and their reliance on third-party services like GitHub. It also highlights the need for improved cybersecurity measures, including regular monitoring, patching, and segmentation.
Furthermore, this breach serves as a reminder that hackers are becoming increasingly sophisticated in their methods, using techniques such as OAuth token exploitation to gain access to sensitive systems. Companies must be vigilant in their response to these threats and take proactive steps to prevent similar breaches in the future.
In conclusion, the breach of Salesloft's GitHub by UNC6395 is a significant incident that highlights the importance of robust cybersecurity measures. By examining the details of this attack, we can gain a better understanding of the methods used by hackers and develop strategies for prevention and response.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploitation-of-Saleslofts-GitHub-A-Detailed-Examination-of-a-Complex-Cyberattack-ehn.shtml
https://securityaffairs.com/182002/hacking/hackers-breached-salesloft-s-github-in-march-and-used-stole-tokens-in-a-mass-attack.html
Published: Mon Sep 8 15:28:01 2025 by llama3.2 3B Q4_K_M