A major security breach at Salesloft has compromised sensitive information from more than 700 companies, marking one of the largest enterprise incidents linked to OAuth token abuse. Attackers used stolen OAuth tokens for Salesloft's Drift integrations to reach customer Salesforce instances, Google Workspace accounts, AWS credentials and other connected platforms, raising concerns about third-party service risk and long-term data exposure.
Attack Linked to UNC6395 and High-Profile Victims
The attack has been attributed to threat group UNC6395, which reportedly operated inside Salesloft’s systems for several months before discovery. Notable victims include Cloudflare, Palo Alto Networks, and Zscaler, intensifying scrutiny on Salesloft’s security practices.
Dan Pinto, CEO and co-founder of Fingerprint, said the scale of the incident leaves enterprises no room to ignore the exposure risk:
“With the Salesloft breach impacting over 700+ companies, including major ones like Cloudflare, Palo Alto Networks, and Zscaler, enterprises can no longer ignore the massive corporate data exposure risk. When the attackers compromised OAuth tokens for Salesloft’s Drift integration, they gained access to customer Salesforce instances, Google Workspace accounts, AWS access keys, and more across hundreds of organisations.”
Pinto warned that the theft of customer details, communication histories, and active credentials sets a dangerous precedent for large-scale impersonation and lateral movement inside corporate networks.
Persistent Intrusion Via GitHub Repository
Investigators believe the breach began with compromised GitHub credentials linked to Salesloft. According to Cory Michal, Chief Information Security Officer at AppOmni, the attackers retained access from March to June, quietly establishing footholds in the company's development environment.
“A dwell time of several months is a long time for an adversary to remain active in a source code repository without detection. In this case, not only was reconnaissance activity taking place, but a guest user was added and workflows were established, indicating the attacker was able to operate with persistence and intentionality,” Michal explained.
Michal criticized the lack of monitoring, stating:
“The length of exposure strongly suggests there was little to no effective security monitoring in place on the repository. Had Salesloft been actively logging and alerting on anomalous activity such as new external users or workflow creation, the intrusion could have been identified much earlier. Instead, the absence of these safeguards allowed UNC6395 to quietly prepare and position themselves to further the attack.”
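What alerting on the activity Michal describes could look like, as an added example that is not part of the article or of any Salesloft or AppOmni tooling: a small Python detector run over constructed GitHub-style audit-log lines. The event shape (action, actor, user, repo or org, created_at in epoch milliseconds) follows GitHub's audit-log export, but every login, repository and timestamp is invented, the action names should be checked against your own organisation's export before use, and the allow-lists of vetted members and CI actors are assumptions standing in for an organisation's real identity inventory.

```python
"""Flag the GitHub audit-log patterns Michal describes: an outside user being
added, workflow activity from an unvetted actor, and follow-on bulk access.
Added example; the log lines below are constructed, not real Salesloft data."""
import json
from datetime import datetime, timezone

# Constructed sample, shaped like the GitHub audit-log JSON export
# (action, actor, user, repo/org, created_at in epoch ms). Logins, repos and
# timestamps are invented for this example.
SAMPLE_LOG = """\
{"action":"org.add_member","actor":"alice-admin","user":"bob-dev","org":"exampleco","created_at":1741000000000}
{"action":"repo.add_member","actor":"alice-admin","user":"ext-contractor-77","repo":"exampleco/drift-connector","created_at":1741100000000}
{"action":"workflows.created_workflow_run","actor":"ext-contractor-77","repo":"exampleco/drift-connector","name":"sync.yml","created_at":1741200000000}
{"action":"workflows.created_workflow_run","actor":"ci-bot","repo":"exampleco/drift-connector","name":"build.yml","created_at":1741300000000}
{"action":"repo.download_zip","actor":"ext-contractor-77","repo":"exampleco/drift-connector","created_at":1741400000000}
"""

# Assumed allow-lists: in practice these come from the IdP / HR roster and
# the CI service-account inventory, not from a hard-coded set.
KNOWN_MEMBERS = {"alice-admin", "bob-dev", "ci-bot"}
KNOWN_WORKFLOW_ACTORS = {"ci-bot"}

# Action names follow GitHub's category.verb convention; verify them against
# your org's own audit-log export before deploying.
MEMBERSHIP_ACTIONS = {"org.add_member", "org.invite_member", "repo.add_member"}
WORKFLOW_ACTIONS = {"workflows.created_workflow_run"}
BULK_ACCESS_ACTIONS = {"repo.download_zip", "git.clone"}


def parse_audit_log(text):
    """Parse JSON-lines audit entries and order them by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["created_at"])


def _when(event):
    return datetime.fromtimestamp(event["created_at"] / 1000, tz=timezone.utc)


def detect(log_text, known_members, known_workflow_actors):
    """Return a list of alerts. A login added outside the vetted roster is
    remembered, so its later workflow runs and bulk downloads are escalated."""
    alerts = []
    unvetted = set()  # logins added that are not on the vetted roster
    for ev in parse_audit_log(log_text):
        action, actor = ev["action"], ev.get("actor")
        if action in MEMBERSHIP_ACTIONS and ev.get("user") not in known_members:
            unvetted.add(ev["user"])
            alerts.append({"rule": "new_external_user", "login": ev["user"],
                           "added_by": actor, "target": ev.get("repo") or ev.get("org"),
                           "severity": "medium", "at": _when(ev)})
        elif action in WORKFLOW_ACTIONS and actor not in known_workflow_actors:
            alerts.append({"rule": "workflow_by_unvetted_actor", "login": actor,
                           "target": ev.get("repo"), "workflow": ev.get("name"),
                           "severity": "high" if actor in unvetted else "medium",
                           "at": _when(ev)})
        elif action in BULK_ACCESS_ACTIONS and actor in unvetted:
            alerts.append({"rule": "bulk_access_by_unvetted_actor", "login": actor,
                           "target": ev.get("repo"), "severity": "high",
                           "at": _when(ev)})
    return alerts


def dwell_time_days(alerts):
    """Days between the first and last alert: how long the activity would
    have gone unnoticed if nobody was watching this feed."""
    if not alerts:
        return 0.0
    times = [a["at"] for a in alerts]
    return (max(times) - min(times)).total_seconds() / 86400


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, KNOWN_MEMBERS, KNOWN_WORKFLOW_ACTORS)
    for a in found:
        print(f'{a["at"]:%Y-%m-%d} {a["severity"]:6} {a["rule"]:30} '
              f'{a["login"]} -> {a["target"]}')
    print(f"activity spanned {dwell_time_days(found):.1f} days")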
Weaknesses in SaaS Security Practices
Michal emphasized that GitHub should be treated with the same rigor as any enterprise SaaS platform. Evidence that Drift credentials had already appeared in infostealer logs underlines the same point: exposed SaaS credentials are a standing entry point for attackers.
“GitHub, like Salesforce or any other business platform, is ultimately just another SaaS application. A mature security program requires not only knowing which SaaS products are in use across the environment, but also hardening them against attacks and continuously monitoring for suspicious activity. This incident underscores the risks of overlooking those fundamentals. Salesloft has unfortunately learned this lesson the hard way.”
Security Experts Call for Stronger Safeguards
Pinto echoed the call for better enterprise security strategies, stressing the importance of token management and third-party oversight:
“Enterprises need to implement comprehensive data protection strategies that include continuous monitoring of integrated third-party services, regular token rotation, and behavioural analysis that can detect when corporate accounts are being accessed by unauthorised users. As fraudsters increasingly exploit automation platforms and AI-driven tools as entry points for attacks, the potential for corporate account compromise represents a critical vulnerability.”
Broader Impact and Industry Lessons
The Salesloft data breach has intensified conversations about supply chain security, OAuth token misuse, and cloud service monitoring. Security professionals warn that the patience and sophistication shown by attackers demonstrate how critical it is for organizations to shift from reactive incident handling to proactive security posture management.
The incident has already spurred calls across the industry for stricter oversight of third-party integrations and real-time anomaly detection. For enterprises dependent on cloud applications and automation tools, the Salesloft breach stands as a cautionary tale of what can happen when persistent attackers go undetected for months.