Salesloft GitHub账户于3月遭入侵,黑客窃取认证令牌后对多家大客户发动大规模攻击。通过GitHub访问其AWS环境并获取OAuth令牌后,黑客侵入Salesforce实例窃取敏感数据。事件于8月底由Google披露,并涉及多个知名公司如Google等。 2025-9-8 18:16:21 Author: techcrunch.com(查看原文) 阅读量:15 收藏
Salesloft said a breach of its GitHub account in March allowed hackers to steal authentication tokens that were later used in a mass-hack targeting several of its big tech customers.
Citing an investigation by Google’s incident response unit Mandiant, Salesloft said on its data breach page that the as-yet-unnamed hackers accessed Salesloft’s GitHub account and performed reconnaissance activities from March until June, which allowed them to download “content from multiple repositories, add a guest user and establish workflows.”
The timeline raises fresh questions about the company’s security posture, including why it took Salesloft some six months to detect the intrusion.
Salesloft said that the incident is now “contained.”
Contact Us
Do you have more information about these data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
After the hackers broke into its GitHub account, the company said the hackers accessed the Amazon Web Services cloud environment of Salesloft’s AI and chatbot-powered marketing platform Drift, which allowed them to steal OAuth tokens for Drift’s customers. OAuth is a standard that allows users to authorize one app or service to connect to another. By relying on OAuth, Drift can integrate with platforms like Salesforce and others to interact with website visitors.
In stealing these tokens, the threat actors breached several Salesloft’s customers, such as Bugcrowd, Cloudflare, Google, Proofpoint, Palo Alto Networks, and Tenable, among others, many of which are likely still unknown.
Google’s Threat Intelligence Group revealed the supply chain breach late in August, attributing it to a hacking group it calls UNC6395.
Techcrunch event
San Francisco | October 27-29, 2025
Cybersecurity publications DataBreaches.net and Bleeping Computer previously reported that the hackers behind the breach are the prolific hacking group known as ShinyHunters. The hackers are believed to be trying to extort victims by contacting them privately.
By accessing Salesloft tokens, the hackers then access Salesforce instances, where they stole sensitive data contained in support tickets. “The actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” Salesloft said on August 26.
Salesloft said on Sunday that its integration with Salesforce is now restored.
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing [email protected], via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.
如有侵权请联系:admin#unsafe.sh