Threat Summary
Category: Corporate Data Breach
Features: GitHub account compromise, stolen OAuth tokens, multi-vendor exposure, third-party risk escalation
Delivery Method: Unauthorized GitHub access, credential abuse, API token exfiltration
Threat Actor: Unidentified (under investigation) — sophisticated campaign tracked by Mandiant and Google TAG
Salesloft confirmed this week that its systems were breached as early as March, when hackers exploited access to a GitHub account tied to the company. What initially looked like a narrow compromise has now unraveled into one of the most consequential supply-chain breaches of 2025, with ripple effects across some of the largest names in technology.
Incident responders at Mandiant determined that the intruder gained unauthorized access to multiple repositories, downloaded source code, added a guest user, and quietly established workflows. The compromise stretched from March through June, giving the attacker months of dwell time — reconnaissance not only against Salesloft itself, but also against Drift, the AI chatbot company Salesloft acquired last year.
Drift integrations are tightly bound to Salesforce, Amazon Web Services, and other third-party platforms. That linkage became the weak point: Mandiant found that the attacker successfully pivoted into Drift’s AWS environment, exfiltrating OAuth tokens used by customers for authentication and integrations. Those stolen tokens became skeleton keys for customer data.
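The GitHub activity Mandiant describes above (repositories cloned and downloaded, a guest user added, new workflows created, all over a multi-month dwell) is the kind of sequence an organization audit log can surface if anyone is correlating it. The script below is an added example written for this page, not code from Salesloft, Mandiant or GitHub. It parses a constructed set of JSON-lines audit events modelled on the GitHub organization audit-log export and applies three defender-side rules: an automation identity managing membership, a burst of source exports across several repositories by one actor, and a freshly added member creating a workflow. The actor names, repository names and the exact action strings are assumptions; check them against your own exports before reusing the rules.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit-log lines (JSON lines), modelled on a GitHub
# organization audit-log export. Actors, repos and action names are
# assumptions made for this example; "@timestamp" is epoch milliseconds.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1741996800000, "action": "git.clone", "actor": "svc-ci", "repo": "example-org/api-gateway"}
{"@timestamp": 1742083200000, "action": "git.clone", "actor": "svc-ci", "repo": "example-org/api-gateway"}
{"@timestamp": 1742601600000, "action": "repo.download_zip", "actor": "svc-ci", "repo": "example-org/api-gateway"}
{"@timestamp": 1742602800000, "action": "repo.download_zip", "actor": "svc-ci", "repo": "example-org/billing"}
{"@timestamp": 1742604000000, "action": "repo.download_zip", "actor": "svc-ci", "repo": "example-org/drift-connector"}
{"@timestamp": 1742605200000, "action": "org.add_member", "actor": "svc-ci", "user": "contractor-temp"}
{"@timestamp": 1742608800000, "action": "workflows.created_workflow_run", "actor": "contractor-temp", "repo": "example-org/drift-connector"}
{"@timestamp": 1742619600000, "action": "git.push", "actor": "dev-alice", "repo": "example-org/billing"}
"""

# Identities that should only ever act as automation (assumption for this example).
AUTOMATION_ACTORS = {"svc-ci"}
# Membership changes: a service identity performing these is a red flag.
MEMBERSHIP_ACTIONS = {"org.add_member", "org.invite_member", "repo.add_member"}
# Actions that move source code out of the organization.
EXPORT_ACTIONS = {"repo.download_zip", "git.clone"}
# Actions that establish new CI workflows.
WORKFLOW_ACTIONS = {"workflows.created_workflow_run"}


def parse_audit_log(text):
    """Parse JSON-lines audit events and attach a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, export_threshold=3, export_window=timedelta(hours=1),
           new_member_grace=timedelta(days=7)):
    """Return a list of findings; each finding names the rule, actor and time."""
    findings = []
    added_at = {}                 # user -> when they were added to the org
    exports = defaultdict(list)   # actor -> [(ts, repo), ...]

    for event in events:
        action, actor, ts = event["action"], event["actor"], event["ts"]

        # Rule 1: an automation identity adding or inviting members.
        if action in MEMBERSHIP_ACTIONS:
            added_at[event.get("user")] = ts
            if actor in AUTOMATION_ACTORS:
                findings.append({"rule": "automation-manages-membership", "actor": actor,
                                 "target": event.get("user"), "ts": ts})

        # Rule 2: one actor exporting several distinct repos inside a short window.
        if action in EXPORT_ACTIONS:
            exports[actor].append((ts, event["repo"]))
            recent = {repo for t, repo in exports[actor] if ts - t <= export_window}
            if len(recent) == export_threshold:   # fire once when the threshold is reached
                findings.append({"rule": "source-export-burst", "actor": actor,
                                 "target": sorted(recent), "ts": ts})

        # Rule 3: a recently added member creating a workflow.
        if action in WORKFLOW_ACTIONS and actor in added_at:
            if ts - added_at[actor] <= new_member_grace:
                findings.append({"rule": "new-member-created-workflow", "actor": actor,
                                 "target": event.get("repo"), "ts": ts})

    return findings


if __name__ == "__main__":
    for finding in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{finding['ts']:%Y-%m-%d %H:%M} {finding['rule']:32} actor={finding['actor']} target={finding['target']}")
```

Each rule is cheap to run over a full export, and the first two in particular would have fired in March on the activity the article describes; the point is that audit logs only help if something reads them before the intruder's months of dwell are over.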
Infrastructure at Risk
This wasn’t just a breach of internal corporate files — it was a direct hit on the connective tissue between companies. Drift tokens tied to Salesforce, AWS, and other critical SaaS platforms enabled the attacker to reach into downstream environments and pull customer data at scale.
Support ticket systems, contact records, account identifiers, and in some cases even government IDs and Social Insurance Numbers were exposed. Canadian investment firm Wealthsimple reported that IDs, account numbers, and other sensitive customer data were accessed in hours, though no funds were stolen. Other victims confirmed that logs, tokens, and even credentials shared in support tickets were compromised.
In total, Google’s Threat Intelligence Group now estimates at least 700 organizations could be victims. But as analyst Austin Larsen noted:
“We’re telling organizations to treat any Drift integration into any platform as potentially compromised, so that increases the scope of potential victims.”
That statement underscores the scale: what began with one GitHub account now represents an ongoing supply-chain breach spanning hundreds of companies worldwide.
Victims Emerge
Executives at Cloudflare, Zscaler, and Palo Alto Networks were among the first to go public. Within days, Nutanix, Elastic, Cato Networks, Tenable, Rubrik, Proofpoint, and Wealthsimple followed. Each disclosed that attackers accessed customer-related content, most often tied to Salesforce and Drift integrations.
- Cloudflare: Identified 104 compromised API tokens, all rotated. Warned customers to rotate any shared credentials.
- Zscaler: Customer business contact details, licensing data, and support content accessed.
- Palo Alto Networks: Basic sales account data and limited customer details exposed; some sensitive cases under review.
- Wealthsimple (Canada): Customer government IDs, SINs, and dates of birth accessed. Incident contained within hours.
- Tenable & Rubrik: Reported customer contact details and support cases compromised.
The scope is widening as more organizations conduct forensic reviews.
Policy and Allied Pressure
The breach has triggered immediate scrutiny from regulators and industry watchdogs. Lawmakers are expected to question how a GitHub account with access to core repositories and integrations could remain unmonitored for months.
Mandiant has urged companies to reassess how they treat “non-human identities” — service accounts, API tokens, and OAuth credentials that often sit outside of traditional identity protection. As Rom Carmel, CEO of Apono, stated:
“This incident highlights a systemic blind spot in how organizations manage non-human identities. Tokens and service accounts are now the weakest link in the chain.”
The incident has also reignited calls for stricter third-party vendor audits. Salesloft Drift served as the integration bridge for Salesforce, AWS, and countless enterprise environments. That bridge has now been burned.
Vendor Defense and Reliance
Salesloft has isolated Drift’s infrastructure, taken it offline, and rotated all known compromised credentials. The integration with Salesforce — temporarily severed — has now been restored. Mandiant is transitioning its role from active response to forensic assurance.
Still, vendors like Cloudflare are urging customers to assume compromise, rotate credentials, and disconnect Drift entirely until they can confirm no lingering risk.
The broader lesson is clear: companies can no longer assume their vendors’ tokens are safe. Reliance on third-party AI tools like Drift brings speed and convenience — but at the cost of security fragility.
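Both the "non-human identities" point raised by Mandiant and Apono in the previous section and the "assume compromise, rotate credentials, disconnect Drift" guidance above come down to the same operational task: knowing which tokens exist, who owns them, what they can reach, and which must go first. The script below is an added example for this page, not code from Salesloft, Cloudflare or any vendor named here. It triages a constructed inventory of OAuth grants into a prioritized revocation and rotation plan: tokens held by an integration the page says to treat as compromised (Drift) are revoked first; tokens into the downstream platforms Drift bridged (Salesforce and AWS, per the article) that have not been rotated since the March to June window come next; unowned broad-scope tokens and tokens past a rotation age close the list. The scope names, the 90-day age limit and the sample grants are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Grant:
    """One non-human identity: a token an integration holds into a platform."""
    token_id: str
    app: str                      # integration that holds the token
    platform: str                 # system the token grants access to
    scopes: frozenset
    issued: date
    last_rotated: Optional[date]  # None means never rotated since issue
    owner: str                    # accountable team; empty string = nobody


# From the article: treat any Drift integration as compromised, and Drift
# bridged into Salesforce and AWS; the attacker dwelled from March to June.
COMPROMISED_APPS = {"Drift"}
DOWNSTREAM_PLATFORMS = {"Salesforce", "AWS"}
COMPROMISE_WINDOW_END = date(2025, 6, 30)
# Assumptions for this example: scopes considered high blast radius, and a
# maximum age before a token must be rotated regardless of incident.
BROAD_SCOPES = {"full", "refresh_token", "api"}
MAX_AGE_DAYS = 90

# Priority attached to each reason (1 = act now).
REASON_PRIORITY = {
    "app-compromised": 1,
    "not-rotated-since-window": 2,
    "unowned-broad-scope": 3,
    "past-rotation-age": 3,
}

# Constructed sample inventory; names and dates are invented for the example.
SAMPLE_GRANTS = [
    Grant("tok-001", "Drift", "Salesforce", frozenset({"api", "refresh_token"}),
          date(2024, 11, 2), None, "sales-ops"),
    Grant("tok-002", "internal-reporting", "Salesforce", frozenset({"api"}),
          date(2024, 3, 5), date(2025, 1, 10), "data-eng"),
    Grant("tok-003", "deploy-bot", "AWS", frozenset({"full"}),
          date(2025, 2, 1), date(2025, 7, 15), ""),
    Grant("tok-004", "alerts", "Slack", frozenset({"chat:write"}),
          date(2025, 1, 20), date(2025, 8, 1), "it"),
    Grant("tok-005", "ticket-sync", "Jira", frozenset({"read:jira-work"}),
          date(2024, 6, 1), date(2025, 5, 1), "support"),
]


def reasons_for(grant, today):
    """Return the list of reasons a grant needs action (empty if none)."""
    reasons = []
    if grant.app in COMPROMISED_APPS:
        reasons.append("app-compromised")
    if grant.platform in DOWNSTREAM_PLATFORMS and (
            grant.last_rotated is None or grant.last_rotated <= COMPROMISE_WINDOW_END):
        reasons.append("not-rotated-since-window")
    if grant.scopes & BROAD_SCOPES and not grant.owner:
        reasons.append("unowned-broad-scope")
    effective = grant.last_rotated or grant.issued
    if (today - effective).days > MAX_AGE_DAYS:
        reasons.append("past-rotation-age")
    return reasons


def triage(grants, today):
    """Build the rotation plan: one entry per affected token, highest priority first."""
    plan = []
    for grant in grants:
        reasons = reasons_for(grant, today)
        if not reasons:
            continue
        plan.append({
            "token_id": grant.token_id,
            "app": grant.app,
            "platform": grant.platform,
            "priority": min(REASON_PRIORITY[r] for r in reasons),
            "action": "revoke" if "app-compromised" in reasons else "rotate",
            "reasons": reasons,
        })
    plan.sort(key=lambda entry: (entry["priority"], entry["token_id"]))
    return plan


if __name__ == "__main__":
    for entry in triage(SAMPLE_GRANTS, date(2025, 9, 10)):
        print(f"P{entry['priority']} {entry['action']:6} {entry['token_id']} "
              f"{entry['app']}->{entry['platform']} {', '.join(entry['reasons'])}")
```

The ordering matters more than the rules themselves: a token held by the compromised integration is revoked, not rotated, because rotating it only hands a fresh key to the same untrusted bridge, while tokens into the platforms that bridge reached are rotated on the assumption that copies left with the attacker.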
Forecast — 30 Days
- More victims: Expect additional disclosures from enterprises still auditing Drift integrations.
- Token sweeps: Customers will be forced to rotate API keys, OAuth tokens, and credentials en masse.
- Vendor audits: Pressure will mount for Salesforce and other SaaS providers to enforce stricter third-party token management.
- Legislative oversight: Lawmakers may call for new rules requiring disclosure of vendor token breaches.
- Dark web activity: Stolen data and tokens may surface on criminal forums, enabling secondary campaigns.
TRJ Verdict
One GitHub account became the spark that lit a supply-chain fire. The Salesloft Drift breach proves again that identity is not just human — it is every key, token, and credential that opens a door into systems. When those identities are left unguarded, the intruder doesn’t need to break the locks. They walk in with the keys.
This is the fourth domino in a chain of high-profile token and API breaches this year, from Snowflake to Okta to Salesloft. Each one underscores the same point: the architecture of trust in third-party integrations is dangerously thin. Until companies redesign how they authenticate machines, not just people, breaches like this will remain inevitable — and systemic.
After reading articles like this, I’m thinking that maybe third-party integrations are becoming much more of a serious hassle and not so convenient. Maybe corporations need to consider dumping the practice altogether.
Thanks for the article, John.
You’re exactly right, Chris — third-party integrations were built to make things easier, but they’ve now become one of the biggest attack surfaces in modern business. The more doors you bolt onto a system, the more hinges there are for someone to pry loose. Convenience has a cost, and too often it’s security.
Dumping integrations altogether may not be realistic for corporations that rely on them to move data, but you’re right — the whole model needs to be re-evaluated. If prevention keeps failing, companies will either have to scale back how many of these connections they allow or start holding vendors to the same security standards as their own internal systems.
At the end of the day, every “shortcut” comes with hidden risks, and attackers are proving again and again that those shortcuts are exactly where they’ll strike first.
Thank you very much, Chris — I hope you have a great day ahead. 😎
You’re welcome, John, and thank you for the solid reply. As you stated, the more doors the more hinges there are. A re-evaluation is certainly necessary.
I wish you a great day as well!