Cyber Security News

Salesloft GitHub Account Compromised Months Before Salesforce Attack

CybersecurityNews
Salesloft GitHub Account Compromised Months Before Salesforce Attack

Threat actors gained access to Salesloft’s GitHub account, enabling them to perform reconnaissance and eventually steal data from Salesforce environments between August 8 and 18, 2025. The attack, attributed to UNC6395, affected hundreds of organizations, leading to the shutdown and later restoration of affected integrations. #UNC6395 #SalesloftGitHub #SalesforceDataBreach

Keypoints

  • The threat actors accessed Salesloft’s GitHub account between March and June 2025.
  • They exploited compromised OAuth tokens to exfiltrate data from Salesforce and Drift environments.
  • The breach impacted over a dozen organizations, including cybersecurity and cloud service providers.
  • Salesloft temporarily disabled the Salesforce-Salesloft and Drift integrations to contain the attack.
  • Investigation by Mandiant confirmed the attackers were evicted and the threat contained.

Read More: https://www.securityweek.com/salesloft-github-account-compromised-months-before-salesforce-attack/