There’s an update to the Salesloft+Drift portal with results from the Mandiant Drift and Salesloft application investigations:
Mandiant’s investigation has determined the threat actor took the following actions:
- In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.
- The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments.
- The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.
- The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.
- The threat actor used the stolen OAuth tokens to access data via Drift integrations.
Response and Remediation Activities:
As part of a comprehensive response, Salesloft performed containment and eradication activities, validated by Mandiant, in the Drift and Salesloft application environments, including but not limited to:
- Drift Application Environment:
- Isolated and contained the Drift infrastructure, application, and code.
- The Drift Application has been taken offline.
- Rotated impacted credentials
- Salesloft Application Environment:
- Rotated credentials in the Salesloft environment.
- Performed proactive threat hunting of the environment and noted no additional Indicators of Compromise (“IOCs”) found.
- Rapidly hardened Salesloft environment against the known methods used by the threat actor during the attack.
- Threat hunting based on Mandiant Intelligence across Salesloft infrastructure and technologies:
- IOC analysis.
- Analysis of events associated with at-risk credentials based on threat actor activity.
- Analysis of events associated with activity that would permit the threat actor to circumvent Salesloft security controls.
- Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments.
Based on the Mandiant investigation, the findings support the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review.
Source: Salesloft+Drift Update of September 6, 2025
DataBreaches asked ShinyHunters whether the update was accurate in its claims. They answered that it was accurate, which is somewhat different than when people were complaining that the Google Threat Intelligence Group’s blog posts related to Salesforce were outdated and inaccurate.