A sustained cyberattack has brought the security of prominent SaaS providers into sharp focus, following revelations that a threat actor known as UNC6395 accessed Salesloft’s GitHub account months before launching a major data breach. The incident raises pressing questions about current supply-chain security measures and the exposure of integrated business platforms. With the attack stretching across multiple companies and industries, organizations are now grappling with the impact of cross-platform vulnerabilities. Customers and cybersecurity specialists alike are closely examining how sensitive OAuth tokens became compromised and what steps providers are taking in response.
Similar large-scale attacks on software supply chains have previously highlighted vulnerabilities in repository management and cloud-based integrations. Unlike earlier cases where immediate transparency was prioritized, Salesloft’s disclosure and response have been notably cautious and incremental. Recent attacks also targeted companies with significant third-party integrations, but the extent of cross-customer impact and insufficient early communication in this case have drawn sharp criticism from security professionals.
How Did the Cyberattack Progress?
According to Salesloft, attackers gained undetected access to its GitHub environment as early as March. Over the following months, the threat group moved within the company’s systems, downloaded content from various code repositories, added unauthorized users, and set up fraudulent workflows. The compromise ultimately allowed the attackers to reach Drift’s Amazon Web Services (AWS) environment, from which they extracted OAuth tokens related to Drift customers’ technology integrations.
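The sequence above (new accounts added to the GitHub organization, bulk repository downloads, unauthorized workflows created) is exactly the kind of activity a repository audit log records and that a defender can triage retrospectively. The following script is an added illustration, not code from Salesloft, Mandiant or the article, and it runs over constructed events whose shape and action names are modelled on GitHub-style organization audit logs (an assumption, not a transcript of any real log). It flags members not on an approved roster, workflow runs for workflows outside an approved set, and any single actor downloading several repositories, links the later findings back to the account whose addition was unapproved, and returns the earliest suspicious timestamp, which is the point from which every credential reachable from the repositories should be presumed exposed.

```python
"""Retrospective triage of constructed GitHub-style organization audit-log events.

Assumptions (not from the article): event dicts carry "action", "actor",
"created_at" and, depending on the action, "user", "repo" or "workflow";
action names follow the GitHub audit-log style ("org.add_member",
"repo.download_zip", "workflows.created_workflow_run").
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events; organization, repository and account names are made up.
SAMPLE_EVENTS = [
    {"action": "org.add_member", "actor": "admin-alice", "user": "bob",
     "created_at": "2025-03-02T09:14:00Z"},
    {"action": "org.add_member", "actor": "svc-deploy", "user": "ci-helper-7",
     "created_at": "2025-03-11T02:41:00Z"},
    {"action": "repo.download_zip", "actor": "ci-helper-7", "repo": "example-org/app-backend",
     "created_at": "2025-03-11T02:43:00Z"},
    {"action": "repo.download_zip", "actor": "ci-helper-7", "repo": "example-org/app-infra",
     "created_at": "2025-03-11T02:44:00Z"},
    {"action": "repo.download_zip", "actor": "ci-helper-7", "repo": "example-org/app-web",
     "created_at": "2025-03-11T02:45:00Z"},
    {"action": "workflows.created_workflow_run", "actor": "ci-helper-7", "repo": "example-org/app-infra",
     "workflow": ".github/workflows/sync.yml", "created_at": "2025-03-12T03:05:00Z"},
    {"action": "workflows.created_workflow_run", "actor": "admin-alice", "repo": "example-org/app-backend",
     "workflow": ".github/workflows/ci.yml", "created_at": "2025-03-12T10:00:00Z"},
]

# Hypothetical baselines a defender would maintain outside the log itself.
APPROVED_MEMBERS = {"admin-alice", "bob", "svc-deploy"}
APPROVED_WORKFLOWS = {".github/workflows/ci.yml", ".github/workflows/release.yml"}
BULK_DOWNLOAD_THRESHOLD = 3  # distinct repositories downloaded by one actor


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, approved_members=APPROVED_MEMBERS,
           approved_workflows=APPROVED_WORKFLOWS, bulk_threshold=BULK_DOWNLOAD_THRESHOLD):
    """Return findings in chronological order for the three patterns of interest."""
    findings = []
    flagged_users = set()          # accounts whose addition was not approved
    downloads = defaultdict(set)   # actor -> distinct repositories downloaded

    for ev in sorted(events, key=lambda e: parse_ts(e["created_at"])):
        action = ev["action"]
        if action in ("org.add_member", "repo.add_member"):
            if ev["user"] not in approved_members:
                flagged_users.add(ev["user"])
                findings.append({"type": "unapproved_member", "actor": ev["actor"],
                                 "user": ev["user"], "at": ev["created_at"]})
        elif action == "workflows.created_workflow_run":
            if ev["workflow"] not in approved_workflows:
                findings.append({"type": "unapproved_workflow", "actor": ev["actor"],
                                 "repo": ev["repo"], "workflow": ev["workflow"],
                                 "actor_was_unapproved_member": ev["actor"] in flagged_users,
                                 "at": ev["created_at"]})
        elif action == "repo.download_zip":
            repos = downloads[ev["actor"]]
            repos.add(ev["repo"])
            # Emit once, when the actor first crosses the threshold.
            if len(repos) == bulk_threshold:
                findings.append({"type": "bulk_download", "actor": ev["actor"],
                                 "repos": sorted(repos),
                                 "actor_was_unapproved_member": ev["actor"] in flagged_users,
                                 "at": ev["created_at"]})
    return findings


def exposure_window_start(findings):
    """Earliest suspicious timestamp: credentials reachable since then are presumed exposed."""
    if not findings:
        return None
    return min(findings, key=lambda f: parse_ts(f["at"]))["at"]


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print("presume exposure from:", exposure_window_start(results))
```

The returned `exposure_window_start` is the value to feed into a credential-rotation decision: every OAuth token, deploy key or secret that could be read from the affected repositories after that time is treated as stolen, regardless of whether a specific download of it is visible in the log.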
What Steps Did Salesloft Take to Control the Breach?
Salesloft responded by removing the Drift application from service, rotating all centrally managed OAuth keys, and encouraging customers to revoke their API keys directly with third-party providers. In ongoing communications, the company explained,
“The threat actor used the stolen OAuth tokens to access data via Drift integrations.”
Additionally, the broader Salesloft platform remained separate and, according to its forensic partner Mandiant, uncompromised.
Are Key Security Questions Still Unanswered?
Despite public updates, critical details regarding how the GitHub account was initially accessed, how sensitive OAuth tokens were stored, and the precise pathways the attackers used have not been disclosed. One company statement outlined,
“We have taken Drift offline temporarily to fortify the security of the application and its associated infrastructure.”
Many experts underline the need for more granular information to fully assess customer impact and the scope of stolen data.
Some industry observers note that Salesloft had initially limited its impact notifications to a subset of customers integrated with Salesforce, a scoping later contradicted by Mandiant’s broader findings. The uncertainty has eroded confidence in the Drift product, with some analysts speculating that significant changes—including potential rebranding—may be needed to restore trust. The incident has left customers facing new security responsibilities, notably manual credential revocation for connected third-party services.
This breach demonstrates the complexity of securing interconnected platforms within the software supply chain. Maintaining strong repository security, ensuring proper credential management, and improving incident transparency remain vital for providers and customers alike. Review of integration practices and swift, clear communication about security events should be viewed as standard, not optional. As organizations scramble to reassess their integrations and risk exposure, the case underscores the persistent challenge of aligning company security measures with the reality of sophisticated, multi-stage cyberattacks.
- Attackers accessed Salesloft’s GitHub months before the data breach unfolded.
- The Drift app was taken offline as stolen OAuth tokens affected customer integrations.
- Full details on attacker methods and scope of stolen data remain undisclosed.