New details have emerged regarding the massive Salesforce compromise campaign, which impacted hundreds of companies, including major tech and cybersecurity firms.

It was previously known that hackers raided numerous Salesforce instances by abusing compromised authentication tokens from the third-party AI marketing tool Salesloft Drift. But how did the hackers obtain the tokens?

A new update from Salesloft illuminates how the incident unfolded. The investigation revealed that the hackers initially gained access to Salesloft’s GitHub account. GitHub is a platform where developers collaborate, store, and share code.

Between March and June 2025, attackers downloaded content from multiple GitHub repositories, added a guest user, and established workflows.

Mandiant's investigation also noted limited reconnaissance activities during the period in the Salesloft and Drift application environments, with no direct impact. The attackers then pivoted to the AWS environment.

“The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations,” Salesloft said in an update.

The stolen OAuth tokens were then used to access data via Drift integrations, most notably with Salesforce.

The hacking spree between August 8th and at least August 18th, 2025, has impacted hundreds of organizations and may lead to further breaches, because attackers mostly focused on stealing credentials and access tokens.

Salesloft said that the incident has been contained. The Drift application has been taken offline, and its infrastructure isolated. The firm rotated the impacted credentials and released the list of IP addresses and user-agent strings the attackers used to authenticate and steal data during the Drift attacks.

The vendor claims that its Salesloft application was not impacted. However, it has also rotated credentials in the Salesloft environment and hardened security against known methods used by attackers. Proactive threat hunting did not yield any indicators of compromise.

Salesforce has restored integrations with Salesloft, and users can once again leverage the tool “with confidence.” Previously, while the connection was severed, Salesloft and Salesforce continued to run independently.

Drift users were repeatedly advised to review their Salesforce objects for any Google Cloud Platform service account keys and other credentials, such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. All such credentials and API keys should be treated as compromised and revoked or rotated.
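As an added example (not code from Salesloft, Mandiant or this article), here is a small Python scanner that applies that advice to exported Salesforce records: it flags AWS access key IDs (the public AKIA prefix format), pasted GCP service-account key JSON, and plaintext password strings in free-text fields. The field names and the sample records are constructed assumptions; Snowflake tokens have no fixed public format and are not matched here.

```python
import re

# Credential material Salesloft advised Drift customers to look for inside
# Salesforce objects. AWS access key IDs are AKIA + 16 uppercase alphanumerics;
# the GCP check looks for a pasted service-account key JSON or PEM block.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
GCP_KEY_RE = re.compile(r'"type"\s*:\s*"service_account"')
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")

def scan_text(text):
    """Return a list of (finding_type, redacted_value) for one text field."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(text):
        key = m.group(1)  # never log the full key; keep only the ends
        findings.append(("aws_access_key_id", key[:4] + "..." + key[-4:]))
    if GCP_KEY_RE.search(text) or PRIVATE_KEY_RE.search(text):
        findings.append(("gcp_service_account_key", "<private key present>"))
    for _ in PASSWORD_RE.finditer(text):
        findings.append(("plaintext_password", "<redacted>"))
    return findings

def scan_records(records, fields=("Description", "Comments", "Body")):
    """Scan the free-text fields of exported Salesforce records (dicts).
    Returns {record_id: [findings]} for records holding credential material."""
    hits = {}
    for rec in records:
        found = []
        for field in fields:
            value = rec.get(field)
            if isinstance(value, str):
                found.extend(scan_text(value))
        if found:
            hits[rec["Id"]] = found
    return hits

# Constructed sample export (IDs and secrets are fake; the AKIA value is the
# AWS documentation example key, not a real credential).
SAMPLE_RECORDS = [
    {"Id": "500000000000001", "Description": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE / wJalr..."},
    {"Id": "500000000000002", "Description": "Normal ticket, nothing sensitive here."},
    {"Id": "500000000000003", "Comments": '{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE..."}'},
    {"Id": "500000000000004", "Body": "login info: password=Tr0ub4dor&3 for snowflake"},
]

if __name__ == "__main__":
    for rec_id, findings in scan_records(SAMPLE_RECORDS).items():
        print(rec_id, findings)
```

Every hit is a record whose embedded secret should be revoked or rotated at its issuer, not merely deleted from Salesforce.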

“The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review,” Salesloft said.

Cybernews has covered several instances of Salesforce breaches. Cloudflare, Zscaler, Palo Alto Networks, Google, Allianz Life, TransUnion, Farmers Insurance, Air France, KLM, and many other companies have recently announced data breaches resulting from compromised Salesforce or third-party instances.

Three cybercrime gangs, which have united into one loose coalition, are claiming responsibility for the attacks and feel “invincible,” taunting the FBI and other authorities and selling stolen data.