Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens
Salesloft’s advisory, published today and detailing Mandiant’s findings, shows that the attacker gained access to a Salesloft GitHub account between March and June 2025. During this period, they downloaded content from several private repositories, added a guest user, and created new workflows.
The attacker ultimately shifted focus to Drift’s AWS environment, where they obtained OAuth tokens belonging to Drift customers. These tokens were then abused to access customer data through integrated applications.
While attribution remains under investigation, Google has linked threat actor group UNC6395 to the campaign. At the same time, a separate group known as “Scattered Lapsus$ Hunters,” an apparent coalition that combines the tactics and branding of Scattered Spider, Lapsus$, and ShinyHunters, has publicly claimed responsibility, though this has not been confirmed by investigators.
To read the complete article see: Hack Read