Salesloft experienced a supply chain-style breach starting with its GitHub account in March, leading to OAuth token theft and subsequent Salesforce data breaches in August. Multiple threat actors, including ShinyHunters and Scattered Spider, were involved, targeting sensitive customer data across various organizations.
Key points
- Attackers first infiltrated Salesloft's GitHub environment between March and June 2025.
- The breach led to the theft of OAuth tokens used in widespread Salesforce data theft campaigns.
- Threat actors aimed to steal credentials, including AWS access keys and Snowflake tokens.
- Salesloft responded by rotating credentials, isolating infrastructure, and conducting threat hunting.
- The company has restored full Salesforce integrations after mitigating the breach impacts.