Salesloft hit by network compromise
Incident
Summary
Salesloft/Drift is a token abuse incident tied to a GitHub account breach at Salesloft that began as early as March 2025 and led to compromise of the Drift application environment. Salesloft said the attacker downloaded data from repositories, moved through the Salesloft and Drift environments, reached Drift’s AWS environment, and stole OAuth tokens used across customer integrations. The UNC6395 activity later enabled a supply-chain attack that affected hundreds of Salesforce instances and exposed customer data.
Related Happenings
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
ATHR productized automated vishing platform for credential theft
Threat Actor Meta
First: 16.04.2026 17:09
Last: 16.04.2026 17:09
Sources 1
About this happening:
ATHR is turning **automated vishing** into a **productized underground service**, lowering the barrier for credential theft across **Google**, **Microsoft**, **Coinbase**, and oth...
2025 Automotive carmakers ransomware surge
Target Trend
First: 16.04.2026 11:35
Last: 16.04.2026 11:35
Sources 1
About this happening:
In **2025**, ransomware became the **fastest-growing** and most disruptive threat to **automotive carmakers**, accounting for **44% of attacks** and **more than doubling** over th...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Timeline
13.09.2025 12:04 5 articles · 8mo ago
Salesloft discloses Drift compromise and containment steps
Initial Disclosure
Salesloft said its GitHub account was breached from March through June 2025, making possible the compromise affecting the Drift application environment. In response, the company isolated the Drift infrastructure, took the artificial intelligence (AI) chatbot application offline, began rotating credentials, temporarily disabled certain parts of the Drift application, and started strengthening GitHub hardening and multi-factor authentication controls. Drift customers were advised to treat any Drift integrations and related data as potentially compromised.
Sources:
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- Defend the Target, Not Just the Door: A Modern Plan for Google Workspace — www.bleepingcomputer.com — 08.10.2025 17:02
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17