Salesloft has confirmed that a data breach involving its Drift application stemmed from a compromised GitHub account, accessed by threat actor UNC6395 between March and June 2025. The attackers downloaded code, added a guest user, and conducted reconnaissance before breaching Drift's AWS environment and stealing OAuth tokens used in customer integrations. In response, Salesloft has taken Drift offline, isolated its infrastructure, rotated credentials, and enhanced security controls. As of September 7, Salesforce has restored integrations with Salesloft, excluding Drift, which remains disabled pending further investigation. Overall, 22 companies have reported being negatively affected by the attack.