A major data theft campaign targeting Salesforce data via the Salesloft Drift app began after threat actors compromised a key GitHub account, Salesloft has revealed.
The sales engagement firm said in an update on Sunday that a Google Mandiant investigation traced the malicious activity back to a period between March and June 2025.
This was when the threat actor(s) accessed the Salesloft GitHub account.
“With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows. The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments,” Salesloft said.
“The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations. The threat actor used the stolen OAuth tokens to access data via Drift integrations.”
The Salesloft Drift app integrates with Salesforce to automate sales processes for customers. However, using the app’s OAuth tokens, threat actors were able to access those customers’ Salesforce instances before exfiltrating secrets like “AWS access keys, passwords, and Snowflake-related access tokens,” Salesloft said.
Among the customers impacted by the campaign are security vendors such as Tenable, Qualys, Palo Alto Networks, Cloudflare and Zscaler.
The group behind the attack also targeted the Google Workspace integration with Salesloft Drift to access a “very small number” of Google Workspace accounts.
Mandiant Remediates
Salesloft said that forensic investigators from Google Mandiant performed “containment and eradication activities” which involved isolating the Drift infrastructure, application and code, taking the app offline and rotating credentials.
The firm also rotated credentials in the Salesloft environment, hardening it against threat actor tactics, and performed threat hunting to make sure the actors were no longer present.
“Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments,” the Salesloft update continued.
“Based on the Mandiant investigation, the findings support the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review.”
It remains to be seen how many more corporate victims there are. Earlier reports suggested that hundreds may have been caught in the campaign, with ShinyHunters/Scattered Spider among the suspects.
That group separately targeted Salesforce instances by impersonating customers’ IT helpdesks in vishing attacks on employees.