Cybersecurity investigators say a massive supply-chain attack affecting over 700 companies began with a seemingly minor GitHub breach earlier this year.
Salesloft first disclosed a security issue in the Drift application on Aug. 21, then shared more details about malicious OAuth token abuse five days later. According to an investigation by Mandiant, which is aiding Salesloft, the threat actors first gained access to Salesloft's GitHub environment between March and June 2025. Salesloft and Drift have been at the center of a major supply-chain breach disclosed in late August, which Google's Threat Intelligence Group attributes to the actor it tracks as UNC6395.
The lesson lands hard: the most dangerous attacks are not the ones that make headlines, they are the ones that linger in plain sight.
The patient attack that rewrote cybersecurity playbooks
Patience, not flashy malware, defined this breach.
From March through June 2025, the hackers accessed the Salesloft GitHub account, downloaded content from multiple repositories, added guest user accounts, and set up rogue workflows. Mandiant confirmed months of reconnaissance inside the Salesloft and Drift environments, a slow burn that would pay off later.
Then came the escalation. After pivoting into Drift's AWS environment, the intruders stole OAuth tokens for Drift's integrations with platforms such as Salesforce and Google Workspace. Those tokens are essentially master keys: a valid OAuth access token grants whatever scopes the integration was authorized with, and using it triggers no password check or MFA prompt, so the theft looked like ordinary integration traffic.
Think about that rhythm. While companies chased headline-grabbing ransomware, these attackers laid groundwork, piece by piece. No rush. Just a careful setup, like stashing spare keys under the mat and waiting for the right night.
How security giants fell victim to their own trust
Scope matters here, and so does who got hit. Twenty-two companies have confirmed impact from the supply chain breach, but more than 700 organizations were affected, including Cloudflare, Zscaler, Palo Alto Networks, and PagerDuty.
With the stolen tokens in hand, the adversary moved with intent. Between Aug. 8 and 18 they systematically queried victims' Salesforce environments: counting records, mapping object structures, then pulling bulk exports. Data taken included customer contacts, support case content, account records, and possibly embedded secrets such as API keys or cloud credentials that customers had pasted into support cases.
Cloudflare revealed that attackers accessed its Salesforce data and obtained 104 Cloudflare API tokens, though no suspicious activity was seen on those tokens, which Cloudflare rotated as a precaution. Meanwhile, the attackers actively scanned the acquired data for high-value access: think AWS keys, VPN credentials, Snowflake tokens.
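The attackers mined exported support cases for exactly the kind of secrets customers paste into tickets, so the defender's first job after a breach like this is to run the same hunt over their own export and find out what has to be rotated. The scanner below is an added example, not code from Salesloft, Salesforce, Cloudflare or Mandiant; the CSV records are constructed for illustration (the AWS key pair is the documented AWS placeholder pair), the AWS access key ID prefix and length follow AWS documentation, and the assignment patterns and entropy cutoff are assumptions to be tuned against a real export.

```python
import csv
import io
import math
import re
from collections import Counter

# Constructed sample: a small Salesforce-style Case export as CSV. The records,
# names and credentials are made up; the AWS pair is AWS's documented placeholder.
SAMPLE_CASE_EXPORT = """CaseNumber,Subject,Description
00001001,VPN login fails,"My VPN username is jdoe and password=Winter2025! still does not work"
00001002,Billing question,"Can you check invoice 4471 for last month?"
00001003,S3 sync broken,"Our key AKIAIOSFODNN7EXAMPLE with secret wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY fails"
00001004,API limits,"Config is api_key=3xkL9vbN2qWzR8tYpS4mD7hJ6gF1aC0eU5iO9lK2bV and still throttled"
"""

# Labelled patterns. The AKIA/ASIA prefix plus 16 characters is AWS's documented
# access key ID shape; the assignment patterns are generic assumptions.
LABELLED_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
    "api_key_assignment": re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\s*[=:]\s*([A-Za-z0-9_\-/+]{20,})"),
}

# Unlabelled secrets: long runs of key-like characters with high Shannon entropy
# catch credentials pasted without any "password=" style label.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9_\-/+]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff, tune per corpus


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs found in one free-text field, deduplicated by value."""
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for kind, pattern in LABELLED_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if value not in seen:
                seen.add(value)
                findings.append((kind, value))
    for m in CANDIDATE_TOKEN.finditer(text):
        value = m.group(0)
        if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            seen.add(value)
            findings.append(("high_entropy_string", value))
    return findings


def scan_case_export(csv_text: str, fields=("Subject", "Description")) -> list[dict]:
    """Scan the free-text fields of every exported Case record."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in fields:
            for kind, value in scan_text(row.get(field, "")):
                results.append({"case": row["CaseNumber"], "field": field,
                                "kind": kind, "value": value})
    return results


def redact(value: str) -> str:
    """Show just enough to identify the credential in a rotation ticket."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


if __name__ == "__main__":
    for f in scan_case_export(SAMPLE_CASE_EXPORT):
        print(f"case {f['case']} {f['field']}: {f['kind']} -> {redact(f['value'])}")
```

On the sample data the scanner flags the pasted VPN password, the AWS access key ID, the unlabelled AWS secret (caught only by the entropy check, since nothing names it) and the api_key value, which is the rotation list a response team needs. Run it against the actual export of whatever the stolen token could read, and treat every hit as compromised rather than waiting for signs of misuse.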
Security giants tripped over the very trust that powers their integrations. They protect millions, yet a patient intruder used vendor access to walk right in.
The emergency response that changed everything
When the scope became clear, the shutdowns came fast. Salesloft revoked all Drift-to-Salesforce access tokens on Aug. 20. Salesforce disabled all Salesloft integrations on Aug. 28. Salesloft took Drift completely offline on Sept. 2.
Salesloft has rotated credentials and added segmentation controls between the Salesloft and Drift environments. It also recommends that every third-party app integrated with Drift via API key revoke and reissue those keys. Salesforce temporarily suspended the Salesloft integration on Aug. 28 and restored it on Sept. 7, after additional security measures and remediation.
This breach is a reminder that a single compromised integration can ripple outward, fast. The months between initial compromise and discovery show how traditional monitoring struggles against slow, methodical operators who play the long game: token use that looks like the integration's normal traffic does not trip alerts tuned for malware or brute force.
Vendor risk needs a rethink, not a checkbox. Assume a trusted partner could already be compromised, quietly building footholds and waiting for scale. My read, more teams will start treating OAuth tokens and app-to-app connections like crown jewels, and late discoveries like this will push that shift from theory to habit.