Salesloft+Drift Update on Investigation Results - DataBreaches.Net
"In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows. The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment. The threat actor then accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. The threat actor used the stolen OAuth tokens to access data via Drift integrations."
"Salesloft Application Environment: Rotated credentials in the Salesloft environment. Performed proactive threat hunting of the environment and noted no additional Indicators of Compromise ("IOCs") found. Rapidly hardened Salesloft environment against the known methods used by the threat actor during the attack. Threat hunting based on Mandiant Intelligence across Salesloft infrastructure and technologies: IOC analysis. Analysis of events associated with at-risk credentials based on threat actor activity."
From March through June 2025, a threat actor accessed the Salesloft GitHub account, downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activity occurred in the Salesloft and Drift application environments during the same period; in the Salesloft application environment, the analysis found no evidence of activity beyond limited reconnaissance. The actor then accessed Drift's AWS environment, obtained OAuth tokens for Drift customers' technology integrations, and used those tokens to access data via Drift integrations. Response actions included isolating the Drift application and taking it offline, rotating impacted credentials, rotating Salesloft credentials, proactive threat hunting, rapid hardening of Salesloft, IOC analysis, and verification of segmentation between the Salesloft and Drift environments.