Ethical Hacking News
Salesloft's GitHub Breach: A Trail of Cyber Deceit Leads to Salesforce Data Theft Attacks
A recent cyberattack on Salesloft has led to the theft of sensitive Salesforce data from numerous unsuspecting customers. The breach, which began with the exploitation of its GitHub account, highlights the ever-present threat of cyberattacks and the need for robust cybersecurity measures. This exposé delves into the details surrounding this crisis and sheds light on the critical role that companies like Salesloft play in protecting sensitive data from malicious actors.
- The Salesloft sales engagement platform suffered a devastating cyberattack in March 2025.
- The breach began with the exploitation of its GitHub account, leading to theft of sensitive Salesforce data from numerous customers.
- The attackers gained access to Salesloft's GitHub environment between March and June 2025, downloading code, adding guest user accounts, and creating rogue workflows.
- The primary objective was to steal credentials, including AWS access keys, passwords, and Snowflake-related access tokens.
- The attackers used stolen OAuth tokens to carry out widespread Salesforce data theft attacks on unsuspecting customers.
- Numerous high-profile companies, including Google and Workiva, have been affected by the attacks.
- Salesloft has taken steps to mitigate the damage, including rotating credentials, hardening defenses, and verifying segmentation from Drift.
It has recently come to light that Salesloft, a widely used sales engagement platform, suffered a devastating cyberattack in March 2025. The breach began with the exploitation of its GitHub account, setting off a chain of events that would ultimately lead to the theft of sensitive Salesforce data from numerous unsuspecting customers.
At the epicenter of this crisis lies Drift, a conversational marketing tool that integrates chatbots and automation into sales pipelines, including integrations with platforms like Salesforce. The breach began when attackers first gained access to Salesloft's GitHub environment between March and June 2025. During this period, they downloaded code from multiple repositories, added guest user accounts, and created rogue workflows.
The hackers' primary objective was to steal credentials, specifically focusing on sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens. They also performed reconnaissance activities in Salesloft and Drift environments during the same period. It wasn't until they breached Drift's AWS environment that they were able to steal the OAuth tokens used to access customer data across technology integrations.
The attackers then used these stolen tokens to carry out widespread Salesforce data theft attacks on unsuspecting customers, including Google, Zscaler, Cloudflare, Workiva, Tenable, JFrog, Bugcrowd, Proofpoint, and Palo Alto Networks. The primary focus of the attackers was to steal support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets.
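Because the attackers harvested credentials from the text of support cases, one defensive control is to scan ticket bodies for secrets before they are stored or shared. The Python below is an added example, not code from the article or from Salesloft; its patterns, entropy threshold and sample ticket are constructed assumptions (the AWS values are the public AWS documentation examples).

```python
import math
import re
from collections import Counter

# Heuristic patterns for the secret types the article says were harvested from
# support cases (AWS keys, passwords, OAuth/bearer tokens). Constructed for this
# example; tune them to your own ticketing data before relying on them.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?(?:access[_ -]?)?key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})"),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, prose scores low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every candidate secret in a support case body."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append((kind, m.group(1) if m.groups() else m.group(0)))
    known = {v for _, v in findings}
    # Catch-all for opaque tokens (e.g. Snowflake-style keys) no named pattern covers.
    for tok in re.findall(r"[A-Za-z0-9_\-]{32,}", text):
        if tok not in known and shannon_entropy(tok) > 4.0:
            findings.append(("high_entropy_token", tok))
            known.add(tok)
    return findings

def redact(text: str) -> tuple[str, int]:
    """Replace each detected secret with a marker, longest values first to avoid partial hits."""
    findings = find_secrets(text)
    for _, value in sorted(findings, key=lambda f: len(f[1]), reverse=True):
        text = text.replace(value, "[REDACTED]")
    return text, len(findings)

# Constructed support-case body; the AWS values are the public AWS documentation examples.
SAMPLE_CASE = """Hi support, our nightly sync fails with Error 401 Unauthorized.
Config we are using:
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Header: Authorization: Bearer drift_oauth_token_EXAMPLE_0123456789abcdefghij
Snowflake key: ZxQ9mW2pL7vK4nR8tB3yH6cJ1dF5gA0s
Service account password: Summer2025!
"""
```

Calling `redact(SAMPLE_CASE)` returns the ticket text with all five secrets replaced and the count 5, while the surrounding error message is left intact for the support engineer.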
Salesloft initially disclosed a security issue in its Drift application on August 21, revealing more details about malicious exploitation of OAuth tokens five days later. Since then, numerous high-profile companies have been affected by these attacks, including Google and Workiva.
The attackers are believed to be the ShinyHunters extortion gang and threat actors claiming to be Scattered Spider, in addition to the previously disclosed Salesloft Drift supply chain attack attributed to UNC6395. As a result of the breach, numerous companies have been forced to take drastic measures to secure their data and protect themselves from further attacks.
To mitigate the damage caused by this cyberattack, Salesloft has taken several steps. These include rotating credentials, hardening defenses, and verifying segmentation from Drift. The company also conducted threat hunting with the help of Mandiant, finding no additional indicators of compromise, which meant that the threat actor no longer had a foothold in its environment.
Mandiant has validated containment and segmentation, and the engagement has now shifted to a forensic quality assurance review. Following a precautionary suspension triggered by the Drift security incident, Salesloft has announced the restoration of its integration with Salesforce, allowing users to access the full range of integrations once again.
In the wake of this breach, numerous companies have been left reeling. The sheer scale and scope of this attack serve as a stark reminder of the ever-present threat of cyberattacks and the need for robust cybersecurity measures.
The incident highlights the importance of vigilance in the face of rapidly evolving threats. It also underscores the critical role that companies like Salesloft play in protecting sensitive data, not only from malicious actors but also from their own vulnerabilities.
Ultimately, this breach serves as a wake-up call to all organizations, emphasizing the need for robust cybersecurity measures and strict data protection protocols to safeguard against such devastating attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Saleslofts-GitHub-Breach-A-Trail-of-Cyber-Deceit-Leads-to-Salesforce-Data-Theft-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/salesloft-march-github-repo-breach-led-to-salesforce-data-theft-attacks/
Published: Mon Sep 8 11:18:22 2025 by llama3.2 3B Q4_K_M