Threat actors gained access to Salesloft’s GitHub account, enabling them to perform reconnaissance and eventually steal data from Salesforce environments between August 8 and 18, 2025. The attack, attributed to UNC6395, affected hundreds of organizations, leading to the shutdown and later restoration of affected integrations.
Key points
- The threat actors accessed Salesloft’s GitHub account between March and June 2025.
- They exploited compromised OAuth tokens to exfiltrate data from Salesforce and Drift environments.
- The breach impacted over a dozen organizations, including cybersecurity and cloud service providers.
- Salesloft temporarily disabled the Salesforce-Salesloft and Drift integrations to contain the attack.
- Investigation by Mandiant confirmed the attackers were evicted and the threat contained.
Read More: https://www.securityweek.com/salesloft-github-account-compromised-months-before-salesforce-attack/