Salesloft data breach exposes 700 firms’ details via OAuth attack
A significant data breach at Salesloft has put the sensitive information of over 700 companies at risk, highlighting the increasing security challenges organisations face as they integrate more third-party platforms and services into their operations. The breach, which targeted OAuth tokens used across multiple integrations, gave attackers access to customer Salesforce instances, Google Workspace accounts, and AWS credentials, among other platforms. The fallout has raised pressing questions about the robustness of current corporate security practices.
The breach is linked to UNC6395, a threat group thought to have operated within Salesloft's systems over several months before being detected. Notably, high-profile companies such as Cloudflare, Palo Alto Networks, and Zscaler have been named among the affected, intensifying scrutiny over the security measures in place at both Salesloft and its clients.
Dan Pinto, chief executive and co-founder of device intelligence company Fingerprint, remarked, "With the Salesloft breach impacting over 700+ companies, including major ones like Cloudflare, Palo Alto Networks, and Zscaler, enterprises can no longer ignore the massive corporate data exposure risk. When the attackers compromised OAuth tokens for Salesloft's Drift integration, they gained access to customer Salesforce instances, Google Workspace accounts, AWS access keys, and more across hundreds of organisations."
Pinto further emphasised the implications of what he calls a dangerous new precedent. "Fraudsters now possess detailed customer information, communication patterns, and legitimate access credentials, creating opportunities for bad actors to impersonate authorised employees, move through systems undetected, and gain access to sensitive business data." The risk does not end at unauthorised data access but extends to the potential for attackers to operate within compromised environments over extended periods.
The suspected entry point for the attackers appears to have been Salesloft's GitHub account. Cory Michal, chief information security officer of AppOmni, has been closely following the attack's evolution. "A dwell time of several months, spanning from March to June, is a long time for an adversary to remain active in a source code repository without detection. In this case, not only was reconnaissance activity taking place, but a guest user was added and workflows were established, indicating the attacker was able to operate with persistence and intentionality," Michal said.
He argued that the breach was allowed to fester due to a lack of effective monitoring. "The length of exposure strongly suggests there was little to no effective security monitoring in place on the repository. Had Salesloft been actively logging and alerting on anomalous activity such as new external users or workflow creation, the intrusion could have been identified much earlier. Instead, the absence of these safeguards allowed UNC6395 to quietly prepare and position themselves to further the attack."
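One way to implement the repository alerting Michal describes, added here as an example and not code from Salesloft, AppOmni or the article: it scans constructed audit events (the field names and action strings are assumptions, not a vendor's exact schema), flags outside users being added and workflow files being pushed, and computes how long an intrusion would have gone unnoticed without those alerts.

```python
import json
from datetime import datetime

# Constructed sample audit events, loosely modelled on a GitHub-style audit log.
# Field names and action strings are assumptions for this example, not a vendor schema.
SAMPLE_AUDIT_LOG = """
{"ts": "2025-03-04T09:12:00Z", "action": "repo.add_member", "actor": "alice", "target": "bob", "repo": "acme/drift-connector", "external": false}
{"ts": "2025-03-11T02:47:00Z", "action": "repo.add_member", "actor": "alice", "target": "guest-7f3", "repo": "acme/drift-connector", "external": true}
{"ts": "2025-03-12T03:05:00Z", "action": "git.push", "actor": "guest-7f3", "repo": "acme/drift-connector", "paths": [".github/workflows/sync.yml"]}
{"ts": "2025-04-02T10:30:00Z", "action": "git.push", "actor": "bob", "repo": "acme/drift-connector", "paths": ["src/app.py"]}
"""

# Accounts the organisation recognises as its own staff (constructed).
KNOWN_STAFF = {"alice", "bob"}

def parse_events(raw):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]

def detect(events, known_staff=KNOWN_STAFF):
    """Return (timestamp, rule, detail) tuples for events worth paging on."""
    alerts = []
    for ev in events:
        # Rule 1: a collaborator added who is flagged external or is not known staff.
        if ev["action"] == "repo.add_member" and (
            ev.get("external") or ev["target"] not in known_staff
        ):
            alerts.append((ev["ts"], "external-user-added",
                           f"{ev['actor']} added {ev['target']} to {ev['repo']}"))
        # Rule 2: a push that creates or changes CI workflow definitions.
        elif ev["action"] == "git.push":
            workflows = [p for p in ev.get("paths", []) if p.startswith(".github/workflows/")]
            if workflows:
                alerts.append((ev["ts"], "workflow-created",
                               f"{ev['actor']} pushed {', '.join(workflows)} to {ev['repo']}"))
    return alerts

def dwell_days(alerts, detected_at):
    """Days between the earliest alert and the moment the intrusion was actually noticed."""
    if not alerts:
        return 0
    first = min(datetime.fromisoformat(ts.replace("Z", "+00:00")) for ts, _, _ in alerts)
    noticed = datetime.fromisoformat(detected_at.replace("Z", "+00:00"))
    return (noticed - first).days

if __name__ == "__main__":
    alerts = detect(parse_events(SAMPLE_AUDIT_LOG))
    for ts, rule, detail in alerts:
        print(ts, rule, detail)
    print("dwell days if only noticed at incident response:", dwell_days(alerts, "2025-06-15T12:00:00Z"))
```

The two rules fire on the day the guest account appears and the day after, whereas the dwell-time figure shows the three-month gap a team that waits for incident response would face.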
The method by which the attackers initially gained access appears to have been a compromised set of GitHub credentials, with further evidence pointing to the presence of Drift credentials in infostealer logs. Michal regards this as indicative of weaknesses that go beyond any single application. "GitHub, like Salesforce or any other business platform, is ultimately just another SaaS application. A mature security program requires not only knowing which SaaS products are in use across the environment, but also hardening them against attacks and continuously monitoring for suspicious activity. This incident underscores the risks of overlooking those fundamentals. Salesloft has unfortunately learned this lesson the hard way," he said.
Pinto echoed these sentiments, urging enterprises to enhance their defences. "Enterprises need to implement comprehensive data protection strategies that include continuous monitoring of integrated third-party services, regular token rotation, and behavioural analysis that can detect when corporate accounts are being accessed by unauthorised users. As fraudsters increasingly exploit automation platforms and AI-driven tools as entry points for attacks, the potential for corporate account compromise represents a critical vulnerability."
The breach has prompted calls for stricter oversight of third-party integrations and more rigorous real-time security monitoring. With attackers displaying ever-greater patience and sophistication, security professionals note that responding to this new environment requires not just reactive measures after an incident, but proactive steps to anticipate and neutralise threats before they result in widespread harm. As organisations audit their exposure and shore up defences, the Salesloft breach stands as a stark reminder of the stakes in the digital age.