Salesloft Breach – Mandiant Investigation Exposes 6-Month Cyber Campaign

Major cybersecurity companies remain exposed after a sophisticated supply chain attack compromised OAuth tokens, with the investigation now revealing that threat actors maintained GitHub access for three months before launching the main assault.

Mandiant's investigation into the Salesloft Drift breach has uncovered that threat actor UNC6395 first accessed Salesloft's GitHub repositories in March 2025, maintaining persistent access through June before launching the OAuth token theft campaign in August that ultimately compromised major firms' Salesforce data.

The forensic analysis reveals the attackers "downloaded content from multiple repositories, added a guest user and established workflows" during their extended GitHub access, followed by reconnaissance activities in both Salesloft and Drift application environments between March and June 2025. 

The main assault occurred between August 8 and 18, 2025, when attackers used compromised OAuth tokens belonging to the Drift AI chat application to access customer Salesforce instances and harvest sensitive credentials stored there, including AWS access keys, passwords, and Snowflake database tokens.

The attack targeted high-profile cybersecurity companies, including Zscaler, Palo Alto Networks, Cloudflare, Proofpoint, SpyCloud, Tanium, and Tenable, among others. 

The compromised data primarily included business contact information (names, email addresses, phone numbers, job titles, and regional details), with Zscaler reporting additional exposure of "product licensing and commercial information" and "plain text content from certain support cases."
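The credential harvesting described above, and the plain-text support case content Zscaler mentions, both point at the same defensive task: finding secrets that customers or staff have pasted into CRM records so they can be rotated before (or after) an integration token is abused. The following scanner is an added example written for this article; it is not code from Mandiant, Salesloft, or any of the named companies. It assumes support cases have already been exported as a list of dictionaries with `Id`, `Subject` and `Description` fields (a hypothetical export shape), uses only generic, publicly documented credential formats (the AWS `AKIA`/`ASIA` key-ID prefix, a 40-character AWS secret, `password:` style assignments, a Snowflake account hostname, a long `token=` value), and the sample records are constructed, not taken from the incident.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Generic secret formats. These are assumptions about what commonly leaks into
# support tickets, not indicators taken from the Salesloft/Drift incident.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws(?:_|-| )?secret(?:_|-| )?(?:access(?:_|-| )?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
    ),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_account": re.compile(r"\b[a-z0-9-]+\.snowflakecomputing\.com\b", re.I),
    "generic_token": re.compile(r"(?i)\b(?:token|api[_-]?key)\s*[:=]\s*([A-Za-z0-9._\-]{20,})"),
}

# Which record fields hold free text worth scanning (assumed export shape).
TEXT_FIELDS = ("Subject", "Description")


@dataclass(frozen=True)
class Finding:
    record_id: str   # CRM record the secret was found in
    field: str       # field within that record
    kind: str        # key of PATTERNS that matched
    masked: str      # redacted value, safe to put in a ticket or report


def mask(secret: str) -> str:
    """Keep a short prefix and suffix so the owner can recognise the secret without re-exposing it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_text(record_id: str, field: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            # Use the capture group when the pattern has one (the bare secret), else the whole match.
            value = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(record_id, field, kind, mask(value)))
    return findings


def scan_records(records: List[Dict[str, str]]) -> List[Finding]:
    """Scan every text field of every exported record and return all secret-like hits."""
    findings: List[Finding] = []
    for record in records:
        for field in TEXT_FIELDS:
            text = record.get(field) or ""
            findings.extend(scan_text(record["Id"], field, text))
    return findings


def records_needing_rotation(findings: List[Finding]) -> List[str]:
    """Distinct record IDs whose stored secrets must be treated as exposed and rotated."""
    return sorted({f.record_id for f in findings})


# Constructed sample export: the values below are documentation-style placeholders, not real credentials.
SAMPLE_CASES: List[Dict[str, str]] = [
    {"Id": "500000000000001", "Subject": "API integration failing",
     "Description": "Here are our creds so you can reproduce: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000002", "Subject": "Cannot sign in",
     "Description": "Login fails with password: hunter2 for user ops@example.invalid"},
    {"Id": "500000000000003", "Subject": "Snowflake sync broken",
     "Description": "Our account is acme-prod.snowflakecomputing.com and the "
                    "token=eyJhbGciOiJIUzI1NiJ9.constructedexampletoken stopped working"},
    {"Id": "500000000000004", "Subject": "Password reset",
     "Description": "Customer reports the password reset link expired, nothing else attached"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_CASES):
        print(f"{finding.record_id} {finding.field:<11} {finding.kind:<22} {finding.masked}")
    print("rotate credentials referenced in:", records_needing_rotation(SAMPLE_CASES and scan_records(SAMPLE_CASES)))
```

Run against a real export, the output is a rotation worklist rather than proof of compromise: any secret that sat in a Salesforce object readable through an over-scoped OAuth integration should be rotated whether or not the token was confirmed to have been used, and the masked values are what goes into the ticket so the report itself does not become a second copy of the credential.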

Salesloft has taken the Drift application completely offline while Mandiant validates containment and eradication activities across both Drift and Salesloft environments, including credential rotation, infrastructure isolation, and comprehensive threat hunting. The investigation has verified technical segmentation between Salesloft and Drift systems, with findings supporting that the incident has been contained.

Salesforce removed the Drift application from its AppExchange marketplace, and all affected companies confirmed the breach was limited to Salesforce data with no evidence of access to core product platforms. However, the breach also affected other connected integrations, including Google Workspace, Slack, and cloud storage platforms.

Security experts warn that the incident underscores growing risks in cloud-first environments where third-party integrations can become powerful attack vectors, urging organisations to immediately audit OAuth permissions and implement stricter access controls for third-party applications. Companies are advised to remain vigilant against potential phishing and social engineering attacks leveraging the compromised contact data.
