Salesloft and Mandiant continue to investigate the hack that compromised some of the globe’s biggest cyber security firms, as SpyCloud joins the victim line-up.
Salesloft, with the assistance of Google’s cyber security subsidiary Mandiant, has worked out how hackers were able to breach its Salesloft Drift platform and, in turn, compromise companies such as Cloudflare and Zscaler.
“The objectives of the investigation are to determine the root cause, scope of the incident, and assist Salesloft with containment and remediation,” Salesloft said in a 7 September update to its security advisory.
“Mandiant was subsequently engaged to examine the Salesloft environment to determine if it was compromised and verify the segmentation between the Drift and Salesloft environments.”
Mandiant was able to determine that the threat actor accessed Salesloft’s GitHub account between March and June 2025. The hacker was able to download code and content from several repositories as well as establish their own workflows and add a guest user.
In that time, the threat actor was able to perform reconnaissance-related activity in both the Drift and Salesloft application environments, though no further, so far as Mandiant was able to determine.
The threat actor then gained access to Salesloft Drift’s AWS environment, where it was able to obtain OAuth tokens for many of Salesloft’s customers’ technology integrations. These were then used to access those customers’ data.
In response, Salesloft took its Drift platform offline and isolated its infrastructure. Impacted credentials were rotated, and the Salesloft environment was hardened against similar intrusions in the future.
“Based on the Mandiant investigation, the findings support the incident has been contained,” Salesloft said.
“The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review.”
The news of Salesloft’s internal investigations comes as another cyber security company revealed it had been caught up in the hack.
“We were notified of a security incident involving a third-party application that potentially resulted in unauthorised access to data from Salesforce, our customer relationship management system,” Texas-based SpyCloud said in a 1 September statement.
“We are currently assessing the scope of impact as it relates to our Salesforce instance. At this time, the elements we believe were accessed are standard customer relationship management fields in Salesforce. Consumer data is not believed to have been accessed.”
SpyCloud has informed its customers of the compromise and has not yet found any evidence that the exposed data has been misused.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.