Security - September 8, 2025

Hackers Breach Salesloft’s GitHub Account, Steal Authentication Tokens in Mass-Hack Targeting Major Tech Customers

In March, an unidentified group of hackers infiltrated Salesloft’s GitHub account, conducting reconnaissance activities until June. During this period, the hackers downloaded content from various repositories, added a guest user, and established workflows. This breach allowed them to access Salesloft’s Amazon Web Services cloud environment and steal OAuth tokens for its AI and chatbot-powered marketing platform Drift.

These tokens granted the hackers access to several of Salesloft’s major tech customers, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, Tenable, and others, many of which remain undisclosed. The incident came to light in late August when Google’s Threat Intelligence Group revealed a supply chain breach, linking it to the hacking group UNC6395.

Previous reports from cybersecurity publications DataBreaches.net and Bleeping Computer suggest that the hackers behind this breach are the prolific group known as ShinyHunters. The hackers are believed to be attempting extortion by contacting victims privately. By accessing Salesloft tokens, the hackers were able to penetrate Salesforce instances and steal sensitive data from support tickets.

On August 26, Salesloft confirmed that the actor’s main objective was to steal credentials, with a particular focus on sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens. On Sunday, Salesloft announced that its integration with Salesforce has been successfully restored. The company did not disclose any details about the containment of the breach or its duration.