How huge breach started: Drift attackers gained entry via a Salesloft GitHub account www.theregister.com/2025/09/0…

The Salesloft Drift breach that compromised “hundreds” of companies, including Google, Palo Alto Networks, and Cloudflare, all started with miscreants gaining access to the Salesloft GitHub account in March.

This new information comes from a Saturday update on the Mandiant-led investigation - Salesloft hired the incident response firm to determine the root cause and scope of the incident - and a Sunday alert that the integration between Salesloft and Salesforce has now been restored.

[The postmortem] also doesn’t attribute the attack to a specific gang, although Google (which owns Mandiant) previously blamed UNC6395 for the Drift-related breaches. UNC is the tracker Google uses for uncategorized threat groups, as opposed to nation-state attackers (APT) and financially motivated crews (FIN). If you’re confused by all the gang names, see our explainer here.

Cloudflare last week pinned the attack on a threat group it tracks as GRUB1 that aligns with UNC6395. And it’s suspected that ShinyHunters, which Google says has some overlap with UNC6395, also played some role in the intrusions.

Edward Kiledjian @ekiledjian