Salesloft’s data breach originated from a compromised GitHub account, which allowed threat actors to access and manipulate code repositories. The incident involved sophisticated reconnaissance and theft of OAuth tokens, impacting multiple organizations. #UNC6395 #GitHub
Key points
- Threat actor UNC6395 exploited Salesloft’s GitHub account to access sensitive content.
- They conducted reconnaissance activities between March and June 2025 in the Salesloft and Drift environments.
- The attackers accessed Drift’s AWS environment and stole OAuth tokens for customer integrations.
- Salesloft responded by isolating Drift, taking it offline, and reinforcing the security measures around it.
- Integrations with Salesforce were restored, but Drift remains disabled pending further security assessments.
Read More: https://thehackernews.com/2025/09/github-account-compromise-led-to.html