The massive Salesforce breach campaign that started on GitHub shows how attackers used compromised repository access to steal OAuth tokens. This supply-chain attack began with unauthorized access to Salesloft’s GitHub account and spread into Salesforce environments, exposing sensitive data across hundreds of organizations.

How the Breach Unfolded

Between March and June 2025, attackers gained access to Salesloft’s GitHub account. They extracted data from private repositories and created automated workflows to maintain persistence. Using this access, the attackers pivoted into Salesloft Drift’s cloud infrastructure.

From there, they captured OAuth tokens linked to Salesforce integrations. With these tokens, they accessed hundreds of Salesforce instances during August, exporting sensitive information from connected accounts.

Scale and Impact of the Attack

Google’s Threat Intelligence Group confirmed that more than 700 organizations may have been affected. Victims include major companies such as Cloudflare, Zscaler, Palo Alto Networks, Workiva, and Tenable.

The attackers stole valuable credentials, including AWS keys and Snowflake tokens, as well as business data such as customer records, support cases, and contact details. The scale of the theft makes it one of the most significant SaaS-related incidents in recent years.

Response and Containment

Salesloft and Salesforce responded by revoking all active Drift OAuth tokens. Salesforce also removed the Drift integration from the AppExchange and disabled affected connections. Customers were urged to rotate credentials, audit account activity, and strengthen security settings.

These actions limited further exploitation but did not prevent the initial data theft. The campaign highlighted how quickly stolen tokens can be used once attackers gain access.

Broader Significance and Risks

The breach demonstrates how trusted integrations and tokens can bypass security controls. Even without exploiting Salesforce directly, attackers achieved large-scale access through compromised GitHub credentials and OAuth tokens.

This incident reinforces the need for continuous monitoring, strict governance of third-party integrations, and frequent credential rotation. Organizations must treat repositories and cloud connectors as critical assets requiring the same protection as core infrastructure.
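As an added illustration of the "audit account activity" and "continuous monitoring" points above (example code, not from the article, Salesforce or Salesloft), the following Python check runs over constructed sample events and flags an integration whose export volume, performed under its OAuth identity, jumps far above that integration's own historical baseline, which is the pattern the campaign produced. The record fields and the app names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events (not real Salesforce or Drift logs). Each record names the
# connected app that presented the OAuth token, the event type and the rows it touched.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T09:00:00", "app": "DriftIntegration", "event": "export", "rows": 150},
    {"ts": "2025-08-02T09:00:00", "app": "DriftIntegration", "event": "export", "rows": 180},
    {"ts": "2025-08-03T09:00:00", "app": "DriftIntegration", "event": "export", "rows": 160},
    {"ts": "2025-08-08T02:10:00", "app": "DriftIntegration", "event": "export", "rows": 40000},
    {"ts": "2025-08-08T02:25:00", "app": "DriftIntegration", "event": "export", "rows": 55000},
    {"ts": "2025-08-08T02:40:00", "app": "DriftIntegration", "event": "export", "rows": 38000},
    {"ts": "2025-08-01T10:00:00", "app": "BillingSync", "event": "export", "rows": 500},
    {"ts": "2025-08-08T10:00:00", "app": "BillingSync", "event": "export", "rows": 520},
]


def export_anomalies(events, window=timedelta(hours=1), factor=10, min_rows=5000):
    """Return {app: (window_end, rows)} for each integration whose exported rows inside
    a trailing `window` reach `min_rows` and exceed `factor` times the median size of
    the app's earlier exports (only events before the window count as baseline)."""
    by_app = defaultdict(list)
    for e in events:
        if e["event"] == "export":
            by_app[e["app"]].append((datetime.fromisoformat(e["ts"]), e["rows"]))
    flagged = {}
    for app, rows in by_app.items():
        rows.sort()  # chronological order
        for i, (end, _) in enumerate(rows):
            start = end - window
            in_window = [r for t, r in rows[: i + 1] if t > start]
            prior = [r for t, r in rows if t <= start]
            baseline = median(prior) if prior else 0  # first-ever export: min_rows alone
            total = sum(in_window)
            if total >= min_rows and total >= factor * baseline:
                flagged[app] = (end.isoformat(), total)
                break  # report the first window that trips; later ones add no signal
    return flagged


if __name__ == "__main__":
    for app, (when, rows) in export_anomalies(SAMPLE_EVENTS).items():
        print(f"review OAuth grant for {app}: {rows} rows exported by {when}")
```

A hit is a trigger to review and, if unexplained, revoke that app's OAuth grant, which is the containment step the vendors took for all Drift tokens.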

Conclusion

The massive Salesforce breach campaign that started on GitHub represents a new wave of supply-chain threats. By stealing OAuth tokens through GitHub, attackers compromised hundreds of Salesforce environments. Companies must respond by tightening integration security, monitoring repositories closely, and adopting stricter credential management to prevent similar large-scale breaches.

