👤 WHITEHAWK
🗓️ 08 Sep 2025   🗂️ Cyber Warfare

GitHub Ghosts: How Stolen OAuth Tokens Fueled the Salesloft Drift Breach

Attackers crept from a compromised GitHub account to Salesforce data, exposing business contacts across major firms in a coordinated OAuth token heist.

Fast Facts

  • Attackers accessed a Salesloft GitHub account from March to June 2025, downloading private code and adding new users.
  • Compromised OAuth tokens from Drift were used to access Salesforce data at multiple organizations.
  • Victims include major companies like Zscaler, Palo Alto Networks, PagerDuty, and Cloudflare, with business contact data exposed.
  • Cybersecurity firm Mandiant led the investigation and confirmed the breach was contained by late August.
  • Google and Mandiant link the attack to threat actor UNC6395; a group calling itself “Scattered Lapsus$ Hunters” also claims responsibility.

A Breach Born in the Shadows of Code

Picture an unlocked back door at a bustling office, left ajar not by carelessness but by a forgotten key. For Salesloft, that key was a GitHub account. Between March and June 2025, an intruder quietly slipped inside, rummaging through private code repositories, adding a mysterious “guest,” and crafting new workflows. The target wasn’t just code - the attackers were after keys to the kingdom: OAuth tokens, digital passes that let applications talk to each other without passwords.

From GitHub to Salesforce: Following the Attack Trail

According to Salesloft’s advisory, as reported by Hackread.com and confirmed by Mandiant, the breach began when the attackers infiltrated Salesloft’s GitHub, then pivoted to Drift - Salesloft’s conversational AI platform. There, they snatched OAuth tokens belonging to Drift customers. These tokens, when abused, allowed the attackers to masquerade as trusted applications and access Salesforce customer data integrated with Drift.

While Salesloft’s own environment saw only reconnaissance - think of it as burglars peeking through doors but not entering - the real heist happened in Drift’s AWS cloud. The attackers’ actions were precise: they avoided setting off alarms, focusing instead on quietly siphoning business contact data such as names, emails, and job titles from integrated Salesforce environments.

The Bigger Picture: An Industry-Wide Campaign

This wasn’t a lone wolf operation. Google’s Threat Intelligence Group and Mandiant found the Drift breach was part of a broader campaign in August, targeting Salesforce integrations across the tech landscape. Giants like Zscaler, Palo Alto Networks, PagerDuty, Cloudflare, TransUnion, and Farmers Insurance confirmed their own Salesforce data was accessed via compromised Drift OAuth tokens.

Attribution remains murky: Google points to the group UNC6395, while a coalition calling itself “Scattered Lapsus$ Hunters” - a nod to infamous hacking gangs - has publicly claimed responsibility. Investigators have yet to confirm this boast.

Damage Control and Lessons Learned

Salesloft responded by rotating all affected credentials, isolating Drift’s infrastructure, and taking the service offline. Mandiant’s forensic sweep found no evidence the attackers moved beyond their initial targets, thanks in part to a technical wall separating Drift and Salesloft’s core systems. Still, the breach is a stark reminder: OAuth tokens, meant to simplify digital trust, can become skeleton keys in the wrong hands.
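One way a defender can turn the lesson above into a concrete check, as an added example that is not code from the article, Salesloft, Drift or Mandiant: review how each integration's OAuth token is actually being used, flag tokens whose activity looks like a borrowed skeleton key (calls from outside the vendor's known address range, bulk reads of contact data, reads of objects the integration has no business touching), and hand the result to the credential-rotation step. The record schema, app names, IP ranges, object names and thresholds below are constructed assumptions for the example, not a real Salesforce or Drift log format or API.

```python
"""Flag connected-app OAuth tokens whose usage pattern suggests abuse and
list them for revocation/rotation.

Added example. The log schema, apps, IP ranges and thresholds are
constructed for illustration; they are not a vendor's real format.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records (hypothetical schema): one entry per API call
# that a connected app made against the CRM using its OAuth token.
SAMPLE_LOG = [
    {"token": "tok_drift_001", "app": "drift", "src_ip": "198.51.100.10", "object": "Lead", "rows": 20},
    {"token": "tok_drift_001", "app": "drift", "src_ip": "198.51.100.10", "object": "Lead", "rows": 15},
    {"token": "tok_drift_002", "app": "drift", "src_ip": "198.51.100.11", "object": "Contact", "rows": 25},
    {"token": "tok_drift_002", "app": "drift", "src_ip": "203.0.113.7", "object": "Contact", "rows": 50000},
    {"token": "tok_drift_002", "app": "drift", "src_ip": "203.0.113.7", "object": "Account", "rows": 12000},
    {"token": "tok_drift_002", "app": "drift", "src_ip": "203.0.113.8", "object": "User", "rows": 300},
    {"token": "tok_slack_009", "app": "slack", "src_ip": "192.0.2.5", "object": "Case", "rows": 3},
]

# Per-app policy (constructed): the network the vendor is expected to call
# from and the objects the integration has a documented reason to read.
EXPECTED = {
    "drift": {"src_net": ipaddress.ip_network("198.51.100.0/24"),
              "objects": {"Lead", "Contact", "Account"}},
    "slack": {"src_net": ipaddress.ip_network("192.0.2.0/24"),
              "objects": {"Case"}},
}

# Constructed threshold; tune it to the organisation's normal daily volume.
BULK_ROW_THRESHOLD = 10000


def analyze(records):
    """Return {token: [reasons]} for every token with at least one finding."""
    per_token = defaultdict(lambda: {"app": None, "ips": set(), "rows": 0, "objects": set()})
    for rec in records:
        t = per_token[rec["token"]]
        t["app"] = rec["app"]
        t["ips"].add(rec["src_ip"])
        t["rows"] += rec["rows"]
        t["objects"].add(rec["object"])

    findings = {}
    for token, t in per_token.items():
        policy = EXPECTED.get(t["app"])
        reasons = []
        if policy is None:
            # An integration nobody has written a policy for is itself a gap.
            reasons.append(f"no usage policy defined for app '{t['app']}'")
        else:
            foreign = [ip for ip in sorted(t["ips"])
                       if ipaddress.ip_address(ip) not in policy["src_net"]]
            if foreign:
                reasons.append("calls from unexpected source IPs: " + ", ".join(foreign))
            unexpected = sorted(t["objects"] - policy["objects"])
            if unexpected:
                reasons.append("reads outside the app's scope: " + ", ".join(unexpected))
        if t["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk read of {t['rows']} rows")
        if reasons:
            findings[token] = reasons
    return findings


def rotation_list(records):
    """Tokens that should be revoked and re-issued, in a stable order."""
    return sorted(analyze(records))


if __name__ == "__main__":
    for token, reasons in analyze(SAMPLE_LOG).items():
        print(token)
        for reason in reasons:
            print("  -", reason)
    print("rotate:", rotation_list(SAMPLE_LOG))
```

The three signals are deliberately independent: a token that only reads an unexpected object, or only shows up from a new network, is still worth a human look, while a token that trips all three (as `tok_drift_002` does in the sample) is the clearest rotation candidate. A real deployment would feed the list into the identity provider's revocation step and re-issue tokens with the narrowest scopes the integration actually needs.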

Similar attacks have plagued the industry before - most notably, the 2022 GitHub OAuth token breach that exposed hundreds of GitHub repositories and the persistent targeting of cloud-based integrations by groups like Scattered Spider. As cloud platforms and app integrations multiply, so do the doors for attackers to test.

Conclusion: The Quiet Power of Digital Keys

In the digital age, the most valuable keys aren’t metal - they’re lines of code and tokens, often hidden in plain sight. The Salesloft Drift breach shows how attackers can exploit the trust baked into our interconnected software, moving quietly from one platform to another. As organizations rush to patch holes and rotate keys, the lesson endures: every integration opens a door, and every door needs a vigilant guard.

WIKICROOK

  • OAuth Token: An OAuth token is a digital key that lets apps securely access your data without needing your password each time.
  • GitHub: GitHub is an online platform for storing, managing, and collaborating on code, widely used by individuals and companies for software projects.
  • Reconnaissance Activity: Reconnaissance activity is the early phase of a cyberattack where attackers collect information about a target system to identify vulnerabilities.
  • Credential Rotation: Credential rotation is the routine changing of passwords or keys to block attackers and protect accounts, especially after a security breach or personnel changes.
  • Threat Actor: A threat actor is any person, group, or entity responsible for launching or coordinating a cyberattack or other malicious activity in cyberspace.

WHITEHAWK
Cyber Intelligence Strategist