Salesloft says Drift customer data thefts linked to March GitHub account hack

Summary

Salesloft said a breach of its GitHub account in March allowed hackers to steal authentication tokens that were later used in a mass-hack targeting several of its big tech customers. Citing an investigation by Google’s incident response unit Mandiant, Salesloft said on its data breach page that the as-yet-unnamed hackers accessed Salesloft’s GitHub account and performed reconnaissance activities from March until June, which allowed them to download “content from multiple repositories, add a guest user and establish workflows.” The timeline raises fresh questions about the company’s security posture, including why it took Salesloft some six months to detect the intrusion. Salesloft said that the incident is now “contained.” Contact Us Do you have more information about these data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop. After the hackers broke into its GitHub account, the company said the hackers accessed the Amazon Web Services cloud environment of Salesloft’s AI and chatbot-powered marketing platform Drift, which allowed them to steal OAuth tokens for Drift’s customers. OAuth is a standard that allows users to authorize one app or service to connect to another. By relying on OAuth, Drift can integrate with platforms like Salesforce and others to interact with website visitors. In stealing these tokens, the threat actors breached several Salesloft’s customers, such as Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among others, many of which are likely still unknown. Google’s Threat Intelligence Group revealed the supply chain breach late in August, attributing it to a hacking group it calls UNC6395. Techcrunch event San Francisco | October 27-29, 2025 Cybersecurity publications DataBreaches.net and Bleeping Computer previously reported that the hackers behind the b...