SalesLoft said in March that a violation of its GitHub account allowed hackers to steal authentication tokens used in mass hacks targeting some of its large tech customers.
Citing an investigation by Google's incident response unit Mandiant, SalesLoft said on its data breaches page that an unknown hacker accessed SalesLoft's GitHub account and accessed reconnaissance activities from March to June, “can add content, guest users from multiple repositories and establish workflows.”
The Timeline raises new questions about the company's security attitude, including why it took about six months to detect an intrusion.
SalesLoft said the incident was “included.”
Contact Us Do you have any further information regarding these data breaches? From non-work devices, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or send an email. You can also contact TechCrunch via SecureDrop.
After the hackers broke into their GitHub accounts, the company said hackers could access SalesLoft's AI and chatbot-driven marketing platform Drift, and steal OAuth tokens for Drift's customers. OAuth is a standard that allows users to connect one app or service to another. By relying on OAuth, Drift can integrate with platforms such as Salesforce to interact with website visitors.
In stealing these tokens, the threat actors violated several SalesLoft customers, including Bugcrowd, CloudFlare, Google, Proofpoint, and Palo Alto Networks.
Google's Threat Intelligence Group revealed a supply chain violation in late August, attributed to a hacking group called UNC6395.
TechCrunch Events
San Francisco | October 27-29, 2025
Cybersecurity Publications databreaches.net and Bleeping Computer previously reported that the hackers behind the violations were a prolific hacking group known as Shinyhunters. Hackers are believed to be trying to force the victim by contacting them personally.
By accessing the SalesLoft token, the hackers accessed the Salesforce instance and stole sensitive data contained in the support ticket. “The actor's main purpose was to steal credentials that focused on sensitive information, particularly AWS access keys, passwords, and snowflake-related access tokens,” SalesLoft said on August 26th.
SalesLoft said on Sunday that its integration with Salesforce has been restored.