GitHub Token Breach at Salesloft Leads to Widespread OAuth Attacks

What happened

Salesloft confirmed that a March compromise of its GitHub account allowed attackers to steal authentication tokens and perform months of reconnaissance. According to an investigation led by Google’s incident response unit Mandiant, the intruders accessed repositories, added a guest user, and created workflows that ultimately gave them access to Salesloft’s cloud assets.

How tokens were abused

After breaking into GitHub, attackers accessed the AWS environment for Salesloft’s Drift integration and stole OAuth tokens used by Drift customers. Those tokens allowed the threat actors to pivot into customer environments — including Salesforce instances — and exfiltrate sensitive data such as support tickets and credentials.

Who was impacted

Google’s Threat Intelligence Group attributes the supply-chain activity to UNC6395, while other outlets link the activity to ShinyHunters. Salesloft named several affected customers including Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable; the full list may be larger.

Why this matters

This incident highlights two systemic risks: supply-chain attack surfaces in developer tooling and the fragility of OAuth tokens when embedded in cloud workflows. Equally concerning is the timeline — reconnaissance from March to June with public disclosure months later — which raises questions about detection, monitoring, and least-privilege controls.

Immediate steps organizations should take

• Revoke and rotate compromised OAuth tokens, API keys, and cloud credentials immediately.
• Audit GitHub workflows, actions, and repository access; remove unused guests and scan for secrets in CI/CD.
• Enforce least privilege for integrations, add granular token scopes, and limit what connectors can access.
• Implement continuous monitoring for unusual OAuth behavior and perform threat-hunting exercises focused on supply-chain pathways.

How to reduce the window from intrusion to containment

Shortening detection time requires instrumenting developer platforms and cloud environments so that repository changes, workflow executions, and unusual token usage generate high-fidelity alerts. Segmentation of CI/CD permissions, automated secrets scanning, and regular third-party integration reviews turn long reconnaissance periods into short, manageable incidents.

QuarkyByte’s view

This breach is a reminder that developer and integration tooling are prime targets. Organizations should treat token hygiene and workflow security as first-class security controls. QuarkyByte advises a mix of analytics-driven discovery, targeted token inventories, and simulated supply-chain exercises to prioritize remediation and reduce attacker dwell time.

Salesloft says the incident is contained and its Salesforce integration has been restored. But the episode reinforces broader lessons for every org running OAuth-based integrations or relying on third-party developer tools: assume tokens can be stolen, make them short-lived, and build detection that catches misuse within days — not months.