Salesloft disclosed that in March, attackers gained access to its GitHub account, which enabled them to obtain authentication tokens. These tokens were subsequently used in a widespread cyberattack that impacted multiple major technology clients.
According to findings from Google’s Mandiant incident response team, which Salesloft detailed on its breach notification page, the unidentified attackers infiltrated the company’s GitHub account and conducted reconnaissance activities from March through June. During this period, they were able to download files from various repositories, add a guest account, and configure workflows.
This timeline has led to renewed scrutiny of the company’s security measures, particularly regarding the six-month gap before Salesloft identified the breach.
Salesloft has stated that the breach has since been “contained.”
Following the compromise of its GitHub account, Salesloft reported that the attackers also accessed the Amazon Web Services environment used by Drift, its AI-driven marketing platform. This access enabled the theft of OAuth tokens belonging to Drift’s users. OAuth is a protocol that lets individuals grant one application or service permission to interact with another. With OAuth, Drift can connect to platforms such as Salesforce and engage with website users.
By obtaining these tokens, the attackers were able to infiltrate several of Salesloft’s clients, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among others—though the total number of affected organizations is likely higher.
At the end of August, Google’s Threat Intelligence Group publicly disclosed the supply chain attack, attributing it to a threat actor designated UNC6395.
Cybersecurity news outlets DataBreaches.net and Bleeping Computer previously reported that the group responsible is believed to be ShinyHunters, a well-known hacking collective. It is suspected that these hackers are attempting to extort victims through private communications.
The attackers leveraged the acquired Salesloft tokens to access Salesforce accounts, where they extracted sensitive information from support tickets. “The actor’s main goal was to acquire credentials, focusing on highly sensitive items such as AWS access keys, passwords, and Snowflake-related tokens,” Salesloft announced on August 26.
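One defensive response to this pattern is to scan your own support-case exports for the kinds of secrets the attackers were after, so exposed credentials can be rotated before someone else finds them. The following is an added example, not code from Salesloft, Mandiant or Google: the case text is constructed, the AWS key-ID format is the published one, and the password and Snowflake patterns are assumed keyword heuristics that should be tuned to your own data.

```python
import re

# Constructed sample of support-case bodies (not real data), keyed by case ID.
SAMPLE_CASES = {
    "00001234": "Customer cannot deploy. Their config:\n"
                "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "00001235": "Reset done. Temporary password: Summer2024! for user jdoe",
    "00001236": "Snowflake connector failing, token=eyJhbGciOiJIUzI1NiJ9.AbCdEf.GhIjKl",
    "00001237": "Thanks, the export works now. Closing the case.",
}

# Detectors, from the definite (AWS access key ID prefix and length) to
# assumed heuristics for passwords and Snowflake tokens pasted into tickets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    "snowflake_token": re.compile(r"(?i)snowflake.{0,80}?\btoken\s*[=:]\s*(\S+)"),
}


def redact(secret: str) -> str:
    """Keep a 4-character prefix for triage; never write the full secret to a report."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_cases(cases: dict) -> list:
    """Return one finding per matched secret: case ID, secret kind, redacted value."""
    findings = []
    for case_id, body in cases.items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(body):
                # Patterns with a capture group isolate the secret; otherwise the whole match is it.
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"case": case_id, "kind": kind, "value": redact(secret)})
    return findings


def cases_needing_rotation(findings: list) -> list:
    """Distinct case IDs whose contents should trigger credential rotation."""
    return sorted({f["case"] for f in findings})


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"case {f['case']}: {f['kind']} -> {f['value']}")
```

In practice the input would be a Salesforce case export rather than the inline dictionary, and each finding should open a rotation ticket for the credential's owner.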
As of Sunday, Salesloft confirmed that its Salesforce integration has been reestablished.