Hackers compromised Drift platform via Salesloft GitHub account

 


Threat actors breached the Drift platform via the Salesloft GitHub account, to which they had access for almost four months (from March through June 2025), the company said in an update on Sunday.

Using the account, the intruders downloaded content from multiple repositories and then added a guest user and established workflows.

“The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment,” the company said. The attackers then got access to Drift’s AWS environment and used OAuth tokens to access data via Drift integrations.

The company also said that the integration between the Salesloft platform and Salesforce is now restored.

The Salesloft breach, which came to light in August, affected over 700 organizations, including major cybersecurity firms and technology companies such as Cloudflare, Zscaler, Palo Alto Networks, Tenable, SpyCloud, Tanium, PagerDuty, Exclaimer, Cloudinary, Elastic, Nutanix, CyberArk, Cato Networks, Bugcrowd, JFrog, BeyondTrust, and Rubrik.

