Salesloft Breach: GitHub Hack Steals OAuth Tokens, Hits Cloudflare Clients

Salesloft confirmed that customer data thefts via its Drift chatbot stemmed from a March 2025 GitHub account hack, enabling attackers to steal OAuth tokens and access Salesforce instances of clients like Cloudflare and Palo Alto Networks. This supply-chain breach highlights SaaS vulnerabilities, prompting enhanced security measures and token revocations across the industry.
Written by Juan Vasquez

In a stunning revelation that underscores the vulnerabilities in interconnected software ecosystems, Salesloft has confirmed that a series of customer data thefts involving its Drift chatbot service originated from a GitHub account compromise dating back to March 2025. The breach, which affected numerous high-profile clients, highlights the perils of supply-chain attacks in the SaaS sector, where a single point of entry can cascade into widespread data exposure.

According to a detailed report from TechCrunch, the attackers exploited stolen OAuth tokens from Drift’s integrations, allowing unauthorized access to Salesforce instances of affected companies. This incident, first detected in August, involved the exfiltration of sensitive customer information, raising alarms across the cybersecurity community.

Unraveling the Attack Chain

Salesloft’s investigation, conducted with cybersecurity firm Mandiant, traced the intrusion to unauthorized access to the company’s GitHub repositories between March and June 2025. From there, the hackers pivoted to Drift’s AWS environment, pilfering OAuth credentials that granted them entry to integrated systems like Salesforce.

The fallout has been significant, with companies such as Cloudflare, Palo Alto Networks, Qualys, and Tenable confirming impacts. A post on the Cloudflare Blog detailed how an advanced threat actor, dubbed GRUB1, leveraged the Drift-Salesforce integration to siphon data from multiple tenants, affecting potentially thousands of end-users.

Broader Implications for SaaS Security

This breach exemplifies the growing threat of OAuth token theft, a tactic increasingly favored by sophisticated adversaries. As noted in a threat brief from Unit 42 at Palo Alto Networks, the attackers used compromised credentials to conduct data exfiltration campaigns, targeting high-value Salesforce environments without triggering immediate alerts.

Industry experts point out that the six-month lag in detection—spanning from the initial GitHub hack to public disclosure—exposes gaps in monitoring and response protocols. Salesloft has since taken Drift offline to rebuild and secure its infrastructure, but questions linger about why the intrusion went unnoticed for so long.

Victim Responses and Mitigation Efforts

Affected organizations have moved swiftly to mitigate risks. For instance, Google Cloud’s threat intelligence blog identified the campaign as linked to UNC6395, a group known for credential theft, and advised revoking all potentially compromised tokens. Cloudflare notified its customers of possible data access, urging them to review logs and enhance multi-factor authentication.

Similarly, Palo Alto Networks and others have emphasized rotating API keys and auditing third-party integrations. The incident has prompted calls for stricter OAuth standards and better visibility into supply-chain dependencies.
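The two steps the victims describe here (revoke every grant held by the compromised integration, then review logs for what those grants did) can be scripted against a tenant's own API access log. The following is an added example, not code from Salesloft, Cloudflare, Google Cloud or any other party named in the article; it assumes a JSON-lines access log with the field names shown, and the integration name, token ids, IP addresses and row counts in it are constructed for the demonstration.

```python
"""Post-incident triage of third-party OAuth grants.

Added example, not any vendor's code. It assumes a JSON-lines API access log
with the fields used below; the app name, token ids, IPs and row counts are
constructed for the demonstration.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON object per line, as a tenant might export from
# its CRM or SaaS audit log. Field names are assumptions.
SAMPLE_LOG = """
{"ts": "2025-08-08T02:13:05Z", "app": "drift-integration", "token": "tok-A1", "ip": "203.0.113.10", "op": "query", "rows": 48000}
{"ts": "2025-08-08T02:14:10Z", "app": "drift-integration", "token": "tok-A1", "ip": "203.0.113.10", "op": "query", "rows": 52000}
{"ts": "2025-08-08T09:00:00Z", "app": "drift-integration", "token": "tok-B2", "ip": "198.51.100.7", "op": "read", "rows": 3}
{"ts": "2025-08-08T09:05:00Z", "app": "billing-sync", "token": "tok-C3", "ip": "192.0.2.44", "op": "query", "rows": 120}
{"ts": "2025-08-08T10:00:00Z", "app": "drift-integration", "token": "tok-A1", "ip": "203.0.113.10", "op": "query", "rows": 60000}
"""

# Assumption: this is how the affected integration is named in the tenant.
COMPROMISED_APPS = {"drift-integration"}
# Assumption: rows returned per token above which a query pattern is treated
# as bulk export rather than normal chatbot traffic.
BULK_ROWS_THRESHOLD = 10_000


def parse_log(text):
    """Parse JSON lines; skip blank or malformed lines rather than abort."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def tokens_to_revoke(events, compromised_apps=COMPROMISED_APPS):
    """Every grant held by a compromised integration is revoked, not only the
    ones with suspicious activity: the vendor's token store was taken, so the
    quiet tokens are compromised too."""
    return {e["token"] for e in events if e.get("app") in compromised_apps}


def bulk_export_tokens(events, threshold=BULK_ROWS_THRESHOLD):
    """Sum rows returned by query operations per token; return the tokens whose
    total exceeds the threshold, with their totals and source IPs."""
    rows = defaultdict(int)
    ips = defaultdict(set)
    for e in events:
        if e.get("op") != "query":
            continue
        rows[e["token"]] += int(e.get("rows", 0))
        ips[e["token"]].add(e.get("ip"))
    return {
        tok: {"rows": total, "ips": sorted(ips[tok])}
        for tok, total in rows.items()
        if total > threshold
    }


def triage(text, compromised_apps=COMPROMISED_APPS, threshold=BULK_ROWS_THRESHOLD):
    """Combine both checks into one report a responder can act on."""
    events = parse_log(text)
    revoke = tokens_to_revoke(events, compromised_apps)
    bulk = bulk_export_tokens(events, threshold)
    return {
        "revoke": sorted(revoke),
        "bulk_export": bulk,
        # Bulk export by a token that is NOT on the revoke list deserves a
        # separate look: it may point at a second compromised integration.
        "bulk_export_outside_known_apps": sorted(set(bulk) - revoke),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed sample, both of the integration's tokens land on the revoke list even though only one of them queried anything, and that one token is also flagged for returning 160,000 rows from a single source address. The threshold is the tuning knob: set it from the integration's historical per-token volume rather than a fixed number.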

Lessons for the Industry

As the dust settles, this event serves as a wake-up call for SaaS providers and their clients. Help Net Security reported that the attack compromised at least 22 companies, but the true scope may be larger, given the interconnected nature of modern cloud services.

Cybersecurity insiders are now advocating for proactive measures, including regular code repository audits and zero-trust architectures. Salesloft’s experience underscores that even acquired services like Drift—bought in a high-stakes merger—can inherit vulnerabilities that ripple outward.

Looking Ahead

With investigations ongoing, regulatory scrutiny is likely to intensify, potentially leading to new guidelines for SaaS security. As one cybersecurity analyst noted in discussions on platforms like X, the breach’s origins in a GitHub compromise highlight the critical need for robust access controls across development tools. For now, companies are left to fortify their defenses against an ever-evolving array of threats, ensuring that a single hack doesn’t unravel entire ecosystems.
