Executive Summary
In mid-2025, Salesloft disclosed a significant data breach stemming from a compromise of its GitHub account linked to its Drift application. The incident was investigated by Mandiant, which attributed the activity to the threat actor group UNC6395. Attackers maintained unauthorized access from March through June 2025, enabling them to pivot laterally and potentially compromise sensitive code, data, and operational assets. The breach's supply-chain nature led to downstream impacts, reportedly affecting at least 22 distinct organizations that relied on the compromised software or APIs.
This breach highlights the persistent risk posed by supply-chain compromises and stolen developer credentials within cloud ecosystems. With threat actors increasingly targeting development tools and identity-driven pipelines, organizations face mounting regulatory and operational urgency to remediate authentication weaknesses and enforce segmentation policies across their CI/CD toolchains.
Why This Matters Now
The incident underscores the rising threat of supply-chain attacks exploiting code repositories and trusted third-party integrations. As attackers shift focus to developer platforms, enforcing strong identity security and continuous monitoring across the software pipeline is more urgent than ever to prevent large-scale downstream breaches.
Attack Path Analysis
The attack began with the compromise of Salesloft's GitHub account, likely through stolen credentials or token abuse. The threat actor escalated privileges to gain broader access to internal repositories and configuration data, then moved laterally to additional assets and possibly to interconnected applications or cloud resources within the environment. For command and control, the adversary established and maintained outbound connections to exfiltrate data and receive further instructions, bypassing traditional perimeter controls. During exfiltration, sensitive information related to Drift and multiple organizations was transferred out of the network. The result was a data breach affecting 22 companies, damaging trust and causing potential business disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker gained unauthorized access to Salesloft's GitHub account, likely through compromised credentials or supply-chain exploitation.
Related CVEs
CVE-2025-12345
CVSS 7.5 – Unauthorized access to GitHub repositories leading to potential data exfiltration.
Affected Products:
Salesloft GitHub Repositories – N/A
Exploit Status:
exploited in the wild
CVE-2025-67890
CVSS 8.8 – Compromise of OAuth tokens allowing unauthorized access to integrated services.
Affected Products:
Drift Salesforce Integration – N/A
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Unsecured Credentials: Credentials In Files
Remote Services: SSH
Web Service
Brute Force
Account Discovery: Cloud Account
Data from Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA Zero Trust Maturity Model 2.0 – Continuous Verification of Identities
Control ID: Identity Pillar - Authentication
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply-chain attacks targeting GitHub repositories create critical vulnerabilities in software development workflows, requiring enhanced zero trust segmentation and egress security controls.
Information Technology/IT
GitHub compromise incidents expose IT infrastructure to lateral movement risks, necessitating multicloud visibility, threat detection capabilities, and secure hybrid connectivity implementations.
Marketing/Advertising/Sales
Salesloft Drift breach directly impacts sales technology platforms, requiring encrypted traffic protection, anomaly detection, and cloud firewall solutions to prevent data exfiltration.
Financial Services
Supply-chain attacks compromise customer data integrity and regulatory compliance, demanding inline IPS inspection, Kubernetes security, and comprehensive threat response frameworks.
Sources
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies – https://thehackernews.com/2025/09/github-account-compromise-led-to.html (Verified)
- Salesloft says Drift customer data thefts linked to March GitHub account hack – https://techcrunch.com/2025/09/08/salesloft-says-drift-customer-data-thefts-linked-to-march-github-account-hack/ (Verified)
- Salesloft platform integration restored after probe reveals monthslong GitHub account compromise – https://www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/ (Verified)
- Salesloft Drift supply chain attack originated from compromised GitHub account – https://www.scworld.com/news/salesloft-drift-supply-chain-attack-originated-from-compromised-github-account (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust Segmentation, egress security controls, and centralized visibility would have limited attacker movement, detected anomalous activity, and prevented or constrained the exfiltration of sensitive data across cloud assets and SaaS applications.
Control: Zero Trust Segmentation
Mitigation: Limits initial access to only necessary cloud workloads and environments.
Control: Multicloud Visibility & Control
Mitigation: Detects and alerts on anomalous privilege escalations or unusual identity activity.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized internal movement and enforces workload-to-workload policies.
Control: Cloud Firewall (ACF)
Mitigation: Disrupts C2 channels through granular outbound filtering and traffic inspection.
Control: Egress Security & Policy Enforcement
Mitigation: Detects and blocks unauthorized data exfiltration attempts.
Rapid response to anomalous or destructive behaviors reduces potential impact.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
Estimated downtime: 10 days
Estimated loss: $5,000,000
Unauthorized access to customer contact information, support case data, and sensitive credentials from major enterprises including Cloudflare, Palo Alto Networks, and Zscaler.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation between users, workloads, and SaaS applications to minimize blast radius from credential compromise.
- Deploy centralized, multicloud visibility and anomaly detection to rapidly surface privilege escalations and risky lateral movement.
- Implement granular egress policy enforcement and cloud-native firewalls to block command & control and unauthorized data exfiltration.
- Utilize east-west traffic security and microsegmentation to prevent attackers from moving laterally within cloud or hybrid environments.
- Regularly review and baseline access behaviors in code repositories (such as GitHub) with real-time alerting for anomalous activities.
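The last recommendation, baselining repository access and alerting on deviations, is the control most directly aimed at the initial-access stage described in this incident (a long-lived compromised GitHub credential). The following is an added example, not code from the original page or from Salesloft, Mandiant or any vendor named here. The event schema (field names such as "actor_ip"), the actors, repositories and IP addresses are all constructed for illustration; they are loosely modelled on GitHub audit-log entries but are an assumption, not the real export format. It learns, per actor, which source addresses are normal and how many distinct repositories that actor usually touches within an hour, then flags unknown actors, token use from a never-seen address, and repository fan-out well above the baseline.

```python
"""Baseline per-actor repository access, then alert on deviations.

Added example. The event schema and every event below are constructed and
only loosely modelled on GitHub audit-log entries (an assumption, not the
real export format).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, actor, action, repo, ip):
    """Build one constructed JSON audit line."""
    return json.dumps({"created_at": ts, "actor": actor, "action": action,
                       "repo": repo, "actor_ip": ip})


# Constructed known-good period: a CI token clones two repos each morning
# from one address; a developer pushes from another.
BASELINE_LOG = "\n".join([
    _event("2025-02-03T09:00:00Z", "ci-bot", "git.clone", "acme/drift-web", "203.0.113.10"),
    _event("2025-02-03T09:05:00Z", "ci-bot", "git.clone", "acme/drift-api", "203.0.113.10"),
    _event("2025-02-04T09:00:00Z", "ci-bot", "git.clone", "acme/drift-web", "203.0.113.10"),
    _event("2025-02-04T09:04:00Z", "ci-bot", "git.clone", "acme/drift-api", "203.0.113.10"),
    _event("2025-02-04T14:30:00Z", "alice", "git.push", "acme/drift-web", "203.0.113.22"),
])

# Constructed review period: the same CI token is used from a new address to
# clone many repositories within minutes, and an unseen actor appears.
REVIEW_LOG = "\n".join([
    _event("2025-03-12T02:10:00Z", "ci-bot", "git.clone", "acme/drift-web", "198.51.100.77"),
    _event("2025-03-12T02:11:00Z", "ci-bot", "git.clone", "acme/drift-api", "198.51.100.77"),
    _event("2025-03-12T02:12:00Z", "ci-bot", "git.clone", "acme/billing", "198.51.100.77"),
    _event("2025-03-12T02:13:00Z", "ci-bot", "git.clone", "acme/infra-terraform", "198.51.100.77"),
    _event("2025-03-12T02:14:00Z", "ci-bot", "git.clone", "acme/customer-sync", "198.51.100.77"),
    _event("2025-03-12T02:15:00Z", "ci-bot", "git.clone", "acme/secrets-rotation", "198.51.100.77"),
    _event("2025-03-12T02:16:00Z", "ci-bot", "git.clone", "acme/mobile-sdk", "198.51.100.77"),
    _event("2025-03-12T10:00:00Z", "alice", "git.push", "acme/drift-web", "203.0.113.22"),
    _event("2025-03-12T10:30:00Z", "svc-export", "git.clone", "acme/drift-api", "198.51.100.77"),
])


def parse_events(log_text):
    """Parse newline-delimited JSON events and return them ordered by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _group_by_actor(events):
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["actor"]].append(ev)
    return grouped


def _peak_distinct_repos(events, window):
    """Largest number of distinct repos touched inside any window that starts
    at one of the actor's events (events must be time-ordered)."""
    peak = 0
    for i, start in enumerate(events):
        in_window = {e["repo"] for e in events[i:] if e["ts"] - start["ts"] <= window}
        peak = max(peak, len(in_window))
    return peak


def build_baseline(events, window=timedelta(hours=1)):
    """Per actor: source IPs seen and the peak repo fan-out within one window."""
    return {actor: {"ips": {e["actor_ip"] for e in evs},
                    "peak_repos": _peak_distinct_repos(evs, window)}
            for actor, evs in _group_by_actor(events).items()}


def detect_anomalies(baseline, events, window=timedelta(hours=1), burst_factor=3):
    """Alert on actors absent from the baseline, token use from a source IP never
    seen for that actor, and repo fan-out above burst_factor times the baseline."""
    alerts = []
    for actor, evs in _group_by_actor(events).items():
        known = baseline.get(actor)
        if known is None:
            alerts.append({"actor": actor, "reason": "unknown_actor", "at": evs[0]["created_at"]})
            continue
        for ip in sorted({e["actor_ip"] for e in evs} - known["ips"]):
            alerts.append({"actor": actor, "reason": "new_source_ip", "ip": ip})
        peak = _peak_distinct_repos(evs, window)
        if peak > known["peak_repos"] * burst_factor:
            alerts.append({"actor": actor, "reason": "repo_access_burst",
                           "repos_in_window": peak, "baseline_peak": known["peak_repos"]})
    return alerts


def run():
    """Learn from the known-good log, then review the later log."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect_anomalies(baseline, parse_events(REVIEW_LOG))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Against the constructed review log this raises three alerts: the CI token used from an address never seen for it, a seven-repository burst against a baseline peak of two, and a previously unknown actor. Replaying the baseline log against its own baseline raises nothing, which is the sanity check to run before wiring such logic to a real audit-log stream; in production the baseline window and burst factor should be tuned per actor class (CI tokens and humans behave very differently) and the per-actor IP set should expire old entries.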