Google-owned security firm Mandiant has determined the root cause for the expanding breach of AI-powered marketing platform Salesloft, whose artificial intelligence chat agent Drift was used by threat actors to compromise Salesforce instances.

Mandiant's investigation shows that the threat actor accessed Salesloft's GitHub code repository account from March through to June 2025.
The threat actor downloaded content from multiple repositories, added a guest user and established workflows, Salesloft said.
A limited amount of reconnaissance by the threat actor also took place.
Next, the threat actor accessed the AWS environment for Drift and obtained open authorisation (OAuth) authentication tokens for customers' technology integrations with Salesforce.
With the OAuth tokens in hand, the threat actor was then able to access customer data such as business contact information and case metadata.
Salesloft published Mandiant's findings over the weekend.
Mandiant was retained by Salesloft to investigate the breach on August 28 US time, which appears to have been conducted through socially engineered voice phishing of staff to obtain customer credentials.
So far, the list of companies and organisations that have had information accessed includes Zscaler, Cloudflare, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, PagerDuty, CyberArk, Bugcrowd, Esker, Heap, JFrog, Megaport, Rubrik, Workive and Google.
After the breach, Salesloft Drift was removed from the Salesforce AppExchange, and OAuth tokens were revoked, with customers asked to rotate credentials.
The integration between Salesforce and Salesloft has since been restored.
At the time of writing, there is no official attribution of who is behind the large-scale attack, but US media have suggested it is the loosely organised Scattered Spider/ShinyHunters group.