Salesloft suffered a breach in March 2024 when hackers (linked to **UNC6395/ShinyHunters**) compromised its **GitHub account**, conducting reconnaissance for three months before stealing **authentication tokens** (including OAuth tokens for **Drift’s AI/chatbot platform**). These tokens were then used in a **supply-chain attack**, granting access to **Salesloft’s AWS environment** and **customer systems** (e.g., **Bugcrowd, Cloudflare, Google, Palo Alto Networks, Proofpoint, Tenable**). The attackers targeted **Salesforce instances**, exfiltrating sensitive data from **support tickets**, including **AWS access keys, passwords, and Snowflake-related tokens**. The breach enabled credential theft for extortion, with victims contacted privately. Salesloft took **six months to detect** the intrusion, raising concerns about its security posture. While the incident is now contained, the attack exposed **customer integration ecosystems**, risking downstream breaches across high-profile tech firms. The hackers’ focus on **credential harvesting** suggests potential for further exploitation of compromised systems.
TPRM report: https://www.rankiteo.com/company/salesloft
"id": "sal2792527090825",
"linkid": "salesloft",
"type": "Breach",
"date": "3/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{
    'affected_entities': [
        {
            'customers_affected': 'Multiple (including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, Tenable, and others)',
            'industry': 'Sales Engagement Platform',
            'location': 'Atlanta, Georgia, USA',
            'name': 'Salesloft',
            'type': 'SaaS Company',
        },
        {
            'customers_affected': 'Indirectly via Salesloft Breach',
            'industry': 'AI and Chatbot-Powered Marketing',
            'name': 'Drift',
            'type': 'Subsidiary/Platform',
        },
        {
            'industry': 'Cybersecurity (Crowdsourced Security Testing)',
            'name': 'Bugcrowd',
            'type': 'Customer',
        },
        {
            'industry': 'Web Infrastructure and Security',
            'name': 'Cloudflare',
            'type': 'Customer',
        },
        {
            'industry': 'Technology',
            'name': 'Google',
            'type': 'Customer',
        },
        {
            'industry': 'Cybersecurity (Email Security)',
            'name': 'Proofpoint',
            'type': 'Customer',
        },
        {
            'industry': 'Cybersecurity',
            'name': 'Palo Alto Networks',
            'type': 'Customer',
        },
        {
            'industry': 'Cybersecurity (Vulnerability Management)',
            'name': 'Tenable',
            'type': 'Customer',
        },
    ],
    'attack_vector': [
        'Compromised GitHub Account',
        'Reconnaissance (March–June 2024)',
        'Stolen OAuth Tokens',
        'AWS Cloud Environment Exploitation',
    ],
    'customer_advisories': [
        'Customers advised to rotate credentials, review Salesforce access logs, and monitor for unauthorized activity.',
    ],
    'data_breach': {
        'data_exfiltration': 'Yes',
        'personally_identifiable_information': 'Potentially (via support tickets)',
        'sensitivity_of_data': 'High (credentials, access tokens, potentially PII in support tickets)',
        'type_of_data_compromised': [
            'Authentication Tokens (OAuth)',
            'AWS Access Keys',
            'Passwords',
            'Snowflake Access Tokens',
            'Support Ticket Data',
        ],
    },
    'date_detected': '2024-08-01T00:00:00Z',
    'date_publicly_disclosed': '2024-08-26T00:00:00Z',
    'date_resolved': '2024-08-26T00:00:00Z',
    'description': 'Salesloft disclosed a breach of its GitHub account in March 2024, where hackers stole authentication tokens later used in a mass-hack targeting its big tech customers, including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable. The hackers, attributed to UNC6395 (potentially ShinyHunters), accessed Salesloft’s AWS cloud environment and Drift’s OAuth tokens, enabling unauthorized access to customer systems, including Salesforce instances. The primary objective was credential theft, focusing on AWS access keys, passwords, and Snowflake-related tokens. The intrusion went undetected for six months before containment in August 2024.',
    'impact': {
        'brand_reputation_impact': [
            'Potential Loss of Trust Among High-Profile Customers',
            'Negative Media Coverage',
        ],
        'data_compromised': [
            'Authentication Tokens (OAuth)',
            'AWS Access Keys',
            'Passwords',
            'Snowflake-Related Tokens',
            'Support Ticket Data (via Salesforce)',
        ],
        'identity_theft_risk': ['High (due to stolen credentials)'],
        'operational_impact': [
            'Disruption of Salesloft-Salesforce Integration (temporarily)',
            'Customer System Compromises',
        ],
        'systems_affected': [
            'Salesloft GitHub Account',
            'Salesloft AWS Cloud Environment',
            'Drift’s AI/Chatbot Platform',
            'Customer Salesforce Instances (e.g., Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, Tenable)',
        ],
    },
    'initial_access_broker': {
        'backdoors_established': [
            'Guest User Added to GitHub',
            'Unauthorized Workflows Created',
        ],
        'entry_point': 'Salesloft GitHub Account',
        'high_value_targets': [
            'OAuth Tokens (Drift customers)',
            'AWS Access Keys',
            'Snowflake Tokens',
            'Salesforce Instances',
        ],
        'reconnaissance_period': 'March 2024 – June 2024 (3 months)',
    },
    'investigation_status': 'Contained (as of August 2024)',
    'lessons_learned': [
        'Timely detection of reconnaissance activities is critical (6-month delay in this case).',
        'OAuth token security and rotation policies require stricter controls.',
        'GitHub account security (e.g., MFA, access reviews) must be prioritized to prevent supply chain risks.',
        'Third-party integrations (e.g., Salesforce) can amplify breach impact; segmentation and monitoring are essential.',
    ],
    'motivation': ['Credential Theft', 'Extortion', 'Data Exfiltration'],
    'post_incident_analysis': {
        'corrective_actions': [
            'Enhanced logging and alerting for GitHub actions (e.g., user additions, workflow changes).',
            'Implementation of token expiration policies and real-time revocation capabilities.',
            'Third-party security audits for cloud and integration environments.',
            'Customer notification protocols for supply chain incidents.',
        ],
        'root_causes': [
            'Inadequate monitoring of GitHub account activities (e.g., guest user additions, repository access).',
            'Delayed detection of reconnaissance (March–June 2024).',
            'Over-reliance on OAuth tokens without sufficient safeguards (e.g., short-lived tokens, anomaly detection).',
            'Lack of segmentation between Salesloft’s GitHub/AWS and customer environments (e.g., Salesforce).',
        ],
    },
    'ransomware': {'data_exfiltration': 'Yes (credential theft focus)'},
    'recommendations': [
        'Implement continuous monitoring for GitHub and cloud environments to detect anomalous activities (e.g., guest user additions, workflow changes).',
        'Enforce least-privilege access and regular token rotation for OAuth and API integrations.',
        'Conduct regular red-team exercises to test detection capabilities for reconnaissance and lateral movement.',
        'Enhance incident response coordination with customers in supply chain scenarios to mitigate downstream impacts.',
        'Adopt zero-trust principles for third-party integrations (e.g., Salesforce, AWS).',
    ],
    'references': [
        {
            'date_accessed': '2024-09-01T00:00:00Z',
            'source': 'TechCrunch',
            'url': 'https://techcrunch.com',
        },
        {
            'date_accessed': '2024-08-26T00:00:00Z',
            'source': 'Salesloft Data Breach Page',
        },
        {
            'date_accessed': '2024-08-01T00:00:00Z',
            'source': 'Google Threat Intelligence Group (Mandiant)',
        },
        {
            'date_accessed': '2024-08-30T00:00:00Z',
            'source': 'DataBreaches.net',
            'url': 'https://www.databreaches.net',
        },
        {
            'date_accessed': '2024-08-28T00:00:00Z',
            'source': 'Bleeping Computer',
            'url': 'https://www.bleepingcomputer.com',
        },
    ],
    'response': {
        'communication_strategy': [
            'Public Disclosure via Data Breach Page',
            'Media Statements',
        ],
        'containment_measures': [
            'Isolation of Compromised GitHub Account',
            'Revocation of Stolen Tokens',
            'Restoration of Salesforce Integration',
        ],
        'incident_response_plan_activated': 'Yes (with assistance from Google’s Mandiant)',
        'recovery_measures': ['Salesforce Integration Restored (as of August 2024)'],
        'third_party_assistance': ['Google’s Mandiant (Incident Response Unit)'],
    },
    'stakeholder_advisories': [
        'Public disclosure via Salesloft’s breach page; likely private notifications to affected customers (e.g., Bugcrowd, Cloudflare).',
    ],
    'threat_actor': [
        'UNC6395 (per Google Threat Intelligence Group)',
        'ShinyHunters (alleged)',
    ],
    'title': 'Salesloft GitHub Account Breach Leading to Supply Chain Attack on Major Tech Customers',
    'type': [
        'Supply Chain Attack',
        'Credential Theft',
        'Unauthorized Access',
        'Data Breach',
    ],
    'vulnerability_exploited': [
        'Improper GitHub Access Controls',
        'Lack of Timely Detection (6-month delay)',
        'OAuth Token Misuse',
    ],
}