Salesloft GitHub Breach Led to Supply Chain Attack on Big Tech Customers

Hackers stole tokens that exposed Google, Cloudflare, and more.

Emmanuella Madu

Salesloft confirmed that a breach of its GitHub account earlier this year allowed hackers to steal OAuth tokens, fueling a large-scale supply chain attack on several of its major customers, including Google, Cloudflare, Proofpoint, Palo Alto Networks, and Tenable.

According to Mandiant, Google’s incident response unit, the hackers accessed Salesloft’s GitHub repositories between March and June, adding guest users, establishing workflows, and downloading code. The company did not detect the intrusion until August, raising concerns about its security response timeline.

The stolen tokens were tied to Drift, Salesloft’s AI-powered marketing platform, which integrates with services like Salesforce. Using the tokens, attackers infiltrated Salesforce instances and exfiltrated sensitive data, including AWS keys, passwords, and Snowflake-related access tokens.

Google’s Threat Intelligence Group attributed the campaign to a group it tracks as UNC6395. Meanwhile, reports from DataBreaches.net and Bleeping Computer suggest the culprits are likely the hacking collective ShinyHunters, known for extortion attempts against breached companies.

Salesloft said the attack has since been contained, and Salesforce integrations are now restored. But the breach highlights the growing risk of supply chain compromises and underscores how one compromised vendor can ripple across the broader tech ecosystem.
