Massive Breach: Hackers Stole Tokens from Salesloft's GitHub to Launch Attacks on Major Tech Customers

March saw a devastating breach of Salesloft's GitHub account, with hackers stealing authentication tokens that were later used in a massive attack against several major tech customers. The incident, which was uncovered by Mandiant, has raised serious security concerns, given the six-month delay in detecting the intrusion.

The Attackers: UNC6395

The threat actor behind the breach is identified as UNC6395, a group known for its sophistication and stealthy tactics. According to Salesloft, the attackers had access to Salesloft's GitHub account between March 2025 and June 2025, during which they downloaded repository data, added a guest user, and created workflows. This initial breach gave the hackers a foothold that was later used to launch devastating attacks against other systems.

The Targets: Google, Zscaler, Cloudflare, and Palo Alto Networks

The stolen tokens were used in a mass attack on several major tech customers, including Google, Zscaler, Cloudflare, and Palo Alto Networks. Even these companies, whose security programs are among the most mature in the industry, were not immune to the attackers' tactics.

The Investigation: Mandiant's Findings

Mandiant's investigation into the breach revealed that the hackers performed reconnaissance activities in the Salesloft and Drift application environments between March 2025 and June 2025. The attackers accessed Salesloft's GitHub from March to June, downloading repository data, adding a guest user, and creating workflows.
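The activity Mandiant describes (a newly added account that downloads repository data and then creates workflows) leaves a trail in a GitHub organization's audit log, and it is exactly the kind of sequence a defender can correlate rather than reviewing events one at a time. The following is an added example written for this article, not code from Salesloft, Mandiant, or GitHub. It assumes the audit log is exported as newline-delimited JSON with GitHub's field names (`action`, `actor`, `user`, `repo`, `@timestamp` in milliseconds) and uses a handful of GitHub audit-log action names; the records themselves are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of a GitHub organization audit-log export (NDJSON).
# These records are made up for this example; they are not Salesloft's logs.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1741000000000, "action": "org.add_member", "actor": "ci-admin", "user": "guest-contractor", "org": "example-org"}
{"@timestamp": 1741000600000, "action": "repo.download_zip", "actor": "guest-contractor", "repo": "example-org/platform", "org": "example-org"}
{"@timestamp": 1741001200000, "action": "git.clone", "actor": "guest-contractor", "repo": "example-org/drift-integration", "org": "example-org"}
{"@timestamp": 1741001800000, "action": "workflows.created_workflow_run", "actor": "guest-contractor", "repo": "example-org/platform", "org": "example-org"}
{"@timestamp": 1741002400000, "action": "repo.create", "actor": "alice", "repo": "example-org/docs", "org": "example-org"}
"""

# Events that record an account being granted access to the org or a repo.
ONBOARDING_ACTIONS = {"org.add_member", "org.invite_member", "repo.add_member"}

# Events that retrieve repository contents.
RETRIEVAL_ACTIONS = {"repo.download_zip", "git.clone"}

# Events that start a GitHub Actions workflow run.
WORKFLOW_ACTIONS = {"workflows.created_workflow_run"}

WATCHED_ACTIONS = RETRIEVAL_ACTIONS | WORKFLOW_ACTIONS


def parse_audit_log(ndjson_text):
    """Parse NDJSON audit-log lines into dicts sorted by time (seconds)."""
    events = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # GitHub exports @timestamp as milliseconds since the epoch.
        rec["ts"] = rec["@timestamp"] / 1000.0
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def correlate_new_member_activity(events, window_hours=72):
    """Collect watched actions each newly added account performed within
    window_hours of being onboarded. Returns {actor: [(action, target), ...]}."""
    added_at = {}
    findings = defaultdict(list)
    for ev in events:
        action = ev.get("action", "")
        if action in ONBOARDING_ACTIONS:
            user = ev.get("user")
            if user:
                added_at.setdefault(user, ev["ts"])  # keep the earliest grant
            continue
        if action not in WATCHED_ACTIONS:
            continue
        actor = ev.get("actor")
        if actor in added_at and ev["ts"] - added_at[actor] <= window_hours * 3600:
            findings[actor].append((action, ev.get("repo", ev.get("org"))))
    return dict(findings)


def matches_breach_pattern(findings):
    """Return actors whose post-onboarding activity includes both repository
    retrieval and workflow creation, the sequence described in the article."""
    flagged = []
    for actor, acts in findings.items():
        actions = {a for a, _ in acts}
        if actions & RETRIEVAL_ACTIONS and actions & WORKFLOW_ACTIONS:
            flagged.append(actor)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    found = correlate_new_member_activity(evs)
    for actor in matches_breach_pattern(found):
        print(f"review account {actor}:")
        for action, target in found[actor]:
            print(f"  {action} on {target}")
```

The 72-hour window is an arbitrary starting point; the value that matters is whatever makes "new account immediately pulls code and runs workflows" stand out from normal onboarding in your organization, and the same correlation can be extended to token-creation events so that secrets minted by such an account are rotated as part of the response.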

The Aftermath: Salesloft's Response

Salesloft has taken swift action to contain the breach, isolating Drift's infrastructure, app, and code. The company took Drift offline on September 5, 2025, and rotated credentials. It also implemented stronger segmentation between Salesloft and Drift and advised that all Drift API keys be revoked.

The Status Update: Salesforce Re-Enables Integrations with Salesloft

On September 7, Salesforce confirmed that it had re-enabled integrations with Salesloft after suspending them on August 28. However, the company made it clear that Drift will remain disabled until further notice as part of its continued response to the security incident.

"Salesforce has re-enabled integrations with Salesloft technologies, with the exception of any Drift app. Drift will remain disabled until further notice as part of our continued response to the security incident."

This decision follows security measures and remediation steps implemented by Salesloft, which were independently validated by Mandiant.

Conclusion

The breach of Salesloft's GitHub account has highlighted the importance of robust security measures in protecting against sophisticated attacks. The six-month delay in detecting the intrusion raises serious concerns about the effectiveness of Salesloft's security protocols and the potential for further attacks to go undetected.